
CERT Coordination Center

File Transfer Protocol allows data connection hijacking via PASV mode race condition

Vulnerability Note VU#2558

Original Release Date: 2002-04-29 | Last Revised: 2003-03-26

Overview

There is a vulnerability in the File Transfer Protocol (FTP) that allows an attacker to hijack FTP data connections when the client connects using passive mode (PASV).

Description

In FTP PASV mode, the client makes a control connection to the FTP server (typically port 21/tcp) and requests a PASV data connection. The server responds by listening for client connections on a specified port number, which is supplied to the client via the control connection. If an attacker can make a connection to the listening port before the client connects, the server will transmit the data to the attacker instead of the client.

To exploit this vulnerability, the attacker must intercept or guess the port number that the server will use, then make its connection attempt before the client establishes a data connection. If the server chooses port numbers using an easily identifiable pattern (such as incrementally), this vulnerability is trivial to exploit.

Note that this vulnerability was first discovered in February 1999, so it is likely that many FTP servers have been patched to address this issue.

Impact

Remote intruders can hijack data requested by a legitimate user. It may also be possible to insert data onto an FTP server if the server is acting in a peering (mirroring) relationship with another server.

Solution

Apply a patch from your vendor

Please see the vendor section of this document for information on obtaining patches.

Reject data connections from hosts that do not match the control connection host

One possible mitigation strategy is to reject data connections that do not originate from the same IP address as the control connection, but this has several problems. First, it makes the server not strictly compliant with RFC 959. Second, it can be defeated by an attacker on the same machine (or network, if spoofed IP addresses are used).

Use randomly selected PASV ports to decrease likelihood of interception

If the server chooses the PASV listening port randomly, it will be difficult or impossible for an attacker to determine the data port. Note that this will not protect against attackers who are able to intercept the FTP control connection because the FTP server must supply the PASV listening port to the client.
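The two server-side mitigations above, drawing the PASV listening port from a CSPRNG and refusing a data connection whose source address differs from the control connection's, can be put together in a few lines. This Python is an added example for this page, not the CERT/CC's or any FTP server's code; the port range is a constructed policy, and the loopback demonstration in the main block assumes the control connection arrived from 127.0.0.1.

```python
import ipaddress
import random
import socket
from typing import Optional, Tuple

# Constructed policy for this example: the range PASV listeners are drawn from.
PASV_PORT_RANGE = (50000, 50999)

# SystemRandom reads the OS CSPRNG, so an observed port reveals nothing about the next.
_sysrand = random.SystemRandom()


def choose_pasv_port(rng=_sysrand, port_range: Tuple[int, int] = PASV_PORT_RANGE) -> int:
    """Pick the next PASV listening port uniformly at random from the configured range."""
    lo, hi = port_range
    return rng.randint(lo, hi)


def _normalize(ip: str):
    """Parse an address; fold an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to its IPv4 form
    so a dual-stack listener compares like with like."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def data_peer_allowed(control_peer_ip: str, data_peer_ip: str) -> bool:
    """The note's 'same host as the control connection' check; fails closed on bad input."""
    try:
        return _normalize(control_peer_ip) == _normalize(data_peer_ip)
    except ValueError:
        return False


def open_pasv_listener(bind_ip: str = "127.0.0.1", attempts: int = 20) -> socket.socket:
    """Bind a listener on a randomly chosen port, retrying if that port is already in use."""
    for _ in range(attempts):
        port = choose_pasv_port()
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((bind_ip, port))
            s.listen(1)
            return s
        except OSError:
            s.close()
    raise RuntimeError("no free PASV port found in range")


def accept_data_connection(listener: socket.socket, control_peer_ip: str,
                           timeout: float = 2.0) -> Optional[socket.socket]:
    """Accept one data connection; drop it if the source is not the control-connection host."""
    listener.settimeout(timeout)
    conn, (peer_ip, _peer_port) = listener.accept()
    if not data_peer_allowed(control_peer_ip, peer_ip):
        conn.close()  # first-comer from another host gets nothing
        return None
    return conn


if __name__ == "__main__":
    # Loopback demonstration: control connection assumed to come from 127.0.0.1.
    listener = open_pasv_listener()
    port = listener.getsockname()[1]
    client = socket.create_connection(("127.0.0.1", port))
    conn = accept_data_connection(listener, "127.0.0.1")
    print("PASV port", port, "->", "accepted" if conn else "rejected")
    for s in (conn, client, listener):
        if s is not None:
            s.close()
```

The two checks address different parts of the race: random port selection removes the guessing shortcut, while the address comparison catches a wrong-host connection that wins the race anyway. As the note says, neither helps against an attacker who can read the control connection and is on the same host or can spoof its address, so the primary fix remains a patched server.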

Vendor Information




References

Acknowledgements

The CERT/CC thanks Gregory A Lundberg and Jeffrey R. Gerber for their detailed explanations of this vulnerability.

This document was written by Jeffrey P. Lanza and Jed M Pickel.

Other Information

CVE IDs: CVE-1999-0351
Severity Metric: 13.95
Date Public: 1999-02-01
Date First Published: 2002-04-29
Date Last Updated: 2003-03-26 22:09 UTC
Document Revision: 31

Sponsored by CISA.