FTP Protocol Security Analysis

[Original] FTP Protocol Security Analysis

--------------------------------------------------------------------------------
 
FTP Protocol Security Analysis
Author: Xinhe

Preface
File Transfer Protocol (FTP) is one of the common protocols on the Internet. As TCP/IP protocol families are designed on a mutually trusted platform, network security is becoming more and more important today, the security of TCP/IP protocol families has also become a focus of security research. The famous ARP spoofing, data monitoring in the exchange environment, man-in-the-middle attacks, and DDoS, the vulnerabilities of the TCP/IP protocol are exploited, and the FTP protocol has more or less problems. In this article, we will discuss the security of the FTP protocol from the FTP protocol itself.

Chapter 1 FTP protocol
1. Protocol Introduction
Similar to the HTTP protocol, FTP uses TCP connections. However, unlike HTTP, all HTTP data is transmitted over port 80 (SSL is not considered here ), FTP separates data from commands for processing. For now, we name them "Command Channel" and "Data Channel" respectively ". The Command Channel is generally on the familiar port 21, while the data channel is usually a high port. For example, if the client wants to obtain a file from the FTP server, the client first logs on to the server and establishes a connection with the server. This is the "Command Channel" we mentioned earlier ", the client sends the command of the request file to the server from this channel. After the server receives this command, it will re-establish a connection with the client. This is the "Data Channel" we mentioned earlier ", file data is transmitted to the client through the data channel. Here, we use Figure 1-1 to indicate the processing process of file transmission.

User Interface
|
| Command Channel
User protocol interpreter ------------ Server Protocol Interface
|
| Data Channel
User data transmission function --------- server data transmission function

 

Ii. Data Representation
The FTP protocol specification provides multiple options for controlling file transfer and storage. You must make a choice in the following four aspects.
1. File Type
(1) The type of the ASCII code file is generally selected by default.
(2) ebcdic file type this type of transmission method requires both ends of the ebcdic system.
(3) image file type (also called binary) data transmission is presented as a bit stream, which is usually used to transmit binary files.
(4) local file type this mode transfers binary files between hosts with different bytes.

2. Format Control
This option is only valid for ASCII and ebcdic files.
(1) Non-Printing
(2) Remote logon format Control
(3) Fortran carriage return control

3. Structure
(1) file structure
(2) record Structure
(3) Page Structure

4. Transmission Mode
(1) stream mode
(2) Block Mode
(3) compression mode

Iii. FTP commands
FTP commands and responses are transmitted in the Command Channel in the form of ASCII code. The following describes commonly used commands and commands:
Command description
Abor abandons the previous FTP command and data transfer
List list display files or directories
Password on the pass Server
Port customer IP address and port
Quit deregister from the server
RETR retrieves a file
Stor stores a file
System type returned by the syst Server
Type indicates the file type.
User name on the user Server

Iv. FTP Response
FTP responses are all three digits in the form of ASCII code, with packet options. Each of the three digits has different meanings. Here are some common reverse digits:
125 the data channel has been opened; transmission starts.
200 ready command.
214 help message.
331 the user name is ready. Enter the password.
425 you cannot open a data channel.
500 syntax error (unapproved command ).
501 syntax error (invalid parameter ).
502 unimplemented mode (MODE Command) type.

V. Connection Management
We mentioned above that FTP command transmission and data transmission are transmitted through different ports, and connection management naturally becomes the core issue of FTP protocol. The most important thing is data channel management.
Data channels have the following three purposes:
1> send a file from the client to the server.
2> send a file from the server to the customer.
3> the slave server sends the file domain directory list to the client.
The transmission mode can be divided into active FTP and Passive FTP. The general process of active FTP is as follows:
1. The customer issues a command to establish a data connection.
2. the customer usually selects a temporary port number for the data connection on the client host. The customer publishes a passive open request from the port.
3. The customer uses the PORT command to send the port of the data channel to the server from the command channel.
4. The server receives the port number on the Command Channel and sends an active open request to the port on the client host. At this time, the server's data channel uses Port 20.
Passive FTP is different from active FTP because it is not a temporary port opened by the client host, but a temporary port opened by the server to wait for the connection from the client. The vsftp provided by fedora is a passive transmission mode. The following describes the entire process from logging on to vsftp, executing ls, and then exiting.
[Xinhe @ Xinhe] $ FTP-d xxx. XXX
Connected to XXX. XXX (XXX. XXX ).
220 welcome to ylyz FTP service.
Name (XXX. XXX: Xinhe): xplore
---> User Xinhe
331 please specify the password.
Password:
---> Pass xxxx
230 login successful.
---> Syst
215 UNIX type: l8
Remote system type is UNIX.
Using binary mode to transfer files.
Ftp> ls
FTP: setsockopt (ignored): Permission denied
---> PASV
227 entering passive mode (XXX, XXX, 204,73)
---> List
150 here comes the directory listing.
Drwxr-XR-x 11 48 48 4096 Jul 21 xxx
Drwxr-XR-x 19 48 48 4096 Jul 31 xxxx
Drwx ------ 2 0 0 16384 Jun 23 0:18 lost + found
Drwxr-XR-x 3 510 510 4096 Aug 03 Software
Drwxr-XR-x 2 510 510 4096 Jun 30 TMP
Drwxr-XR-x 6 510 510 4096 Jun 27 XXXXX
Drwxrwxr-x 10 501 501 4096 Aug 12 xxxxxxx
-RW-r -- 1 510 510 12649185 Aug 12 xxxx
Drwxr-XR-x 7 501 12 4096 Jul 03 Xinhe
Drwxr-XR-x 7 510 510 4096 Aug 13 Zwell
226 directory send OK.
Ftp> bye
---> Quit
221 goodbye.

The above is the whole process of logging on to a vsftp server, executing an LS and then exiting. The above is the passive transmission mode. The key is to look at this sentence:
---> PASV
227 entering passive mode (XXX, XXX, 204,73)

This tells us the IP address of the server and the port for enabling temporary data. Then, we log on to the temporary port 52297. The algorithm of the temporary port is 204*256 + 73. To better understand the process, we have monitored the data transfer in this process. The following section describes how to use the client to log on to the temporary port.
08/24-15:24:24. 052846 0: E0: 4C: F0: E0: Ea-> 0: D0: F8: 51: FC: 81 type: 0x800 Len: 0x4a
192.168.10.8: 32791-> XXX. XXX: 52297 tcp ttl: 64 TOS: 0x0 ID: 39780 iplen: 20 dgmlen: 60 DF
* ***** S * seq: 0x42206dd2 ack: 0x0 win: 0x16d0 tcplen: 40
TCP options (5) => MSS: 1460 sackok ts: 849590 0 nop ws: 0
Note: The server used during the test is a real server on the public network, so the address of the server is not displayed.

Chapter 2 Security Risks

We have discussed the FTP protocol and the specific FTP transmission process. In this process, security risks exist in many places. With the deepening of Internet popularization, network security has also been paid more and more attention. Here I put forward some common FTP security risks, hoping to attract people to pay attention to FTP security, it makes the FTP server and data transmission process safer.
I. FTP server software vulnerabilities
This type of security risk is not the focus of this article, but it must be put forward here, because it is a nightmare for FTP service providers and is also the focus of hackers, common FTP services include wu-ftpd, proftpd, vsftpd, and Serv-U in Windows. The most common and terrible vulnerability is buffer overflow, recently, the overflow vulnerabilities of WU-FTPd and Serv-U have emerged, and ProFTPD has experienced buffer overflow. Currently, vsftp is safer, and it must be known as a very secure FTP.

Ii. plaintext Password
As mentioned above, the TCP/IP protocol family is designed based on mutual trust and security. Of course, the FTP design does not adopt encrypted transmission, all data transmitted by FTP clients and servers is in plain text, including passwords.
After listening to data in an exchange environment, this plaintext transmission becomes very dangerous because others may capture sensitive information, such as user names and passwords, during the transmission process. Encryption is used for HTTPS and SSH to solve this problem. FTP is still transmitted in plain text, while FTP accounts for systems such as Uinx and Linux are usually system accounts (vsftp does this ). In this way, hackers can capture the FTP user name and password to obtain the system account. If the account can be remotely logged on, local overflow is usually used to obtain the root permission. In this way, the FTP server is controlled by hackers.
The following are the data transmitted in plain text that I captured:
= + = +

08/24-15:24:13. 511233 0: E0: 4C: F0: E0: Ea-> 0: D0: F8: 51: FC: 81 type: 0x800 Len: 0x4f
192.168.10.8: 32790-> XXX. XXX: 21 tcp ttl: 64 TOS: 0x10 ID: 36423 iplen: 20 dgmlen: 65 DF
* ** AP ** seq: 0x407f7f77 ack: 0x1bd963bf win: 0x16d0 tcplen: 32
TCP options (3) => NOP ts: 848536 1353912910
55 53 45 52 20 78 70 6C 6f 72 65 0d 0a user Xinhe ..

= + = +

08/24-15:24:13. 557058 0: D0: F8: 51: FC: 81-> 0: E0: 4C: F0: E0: Ea type: 0x800 Len: 0x42
XXX. XXX: 21-> 192.168.10.8: 32790 tcp ttl: 56 TOS: 0x0 ID: 29145 iplen: 20 dgmlen: 52 DF
* ** A *** seq: 0x1bd963bf ack: 0x407f7f84 win: 0x16a0 tcplen: 32
TCP options (3) => NOP ts: 1353916422 848536

= + = +

08/24-15:24:13. 560516 0: D0: F8: 51: FC: 81-> 0: E0: 4C: F0: E0: Ea type: 0x800 Len: 0x64
XXX. XXX: 21-> 192.168.10.8: 32790 tcp ttl: 56 TOS: 0x0 ID: 29146 iplen: 20 dgmlen: 86 DF
* ** AP ** seq: 0x1bd963bf ack: 0x407f7f84 win: 0x16a0 tcplen: 32
TCP options (3) => NOP ts: 1353916426 848536
33 33 31 20 50 6C 65 61 73 65 20 73 70 65 63 69 331 please speci
66 79 20 74 68 65 20 70 61 73 77 6f 72 64 2E FY the password.
0d 0a ..

= + = +

08/24-15:24:13. 571556 0: E0: 4C: F0: E0: Ea-> 0: D0: F8: 51: FC: 81 type: 0x800 Len: 0x42
192.168.10.8: 32790-> XXX. XXX: 21 tcp ttl: 64 TOS: 0x10 ID: 36424 iplen: 20 dgmlen: 52 DF
* ** A *** seq: 0x407f7f84 ack: 0x1bd963e1 win: 0x16d0 tcplen: 32
TCP options (3) => NOP ts: 848542 1353916426

= + = +

08/24-15:24:21. 364315 0: E0: 4C: F0: E0: Ea-> 0: D0: F8: 51: FC: 81 type: 0x800 Len: 0x54
192.168.10.8: 32790-> XXX. XXX: 21 tcp ttl: 64 TOS: 0x10 ID: 36425 iplen: 20 dgmlen: 70 DF
* ** AP ** seq: 0x407f7f84 ack: 0x1bd963e1 win: 0x16d0 tcplen: 32
TCP options (3) => NOP ts: 849321 1353916426
50 41 53 53 20 78 70 6C 6f 72 65 5f 32 30 30 34 pass test
0d 0a ..

= + = +
In this way, we can see that the user name on the FTP server is: Xinhe and password: test.

Iii. FTP flag
This problem is not very serious. Nowadays, many service software have such problems. before initiating an attack, hackers usually need to determine the version number used by the other party. This facilitates the selection of attack programs. The following is an example:
[Xinhe @ Xinhe] $ ftp xxx. XXX
Connected to XXX. XXX (XXX. XXX ).
220-serv-u FTP server v5.1 for Winsock ready...
Team 220 s
This information indicates that the service software used by the server is Serv-U 5.1.

4. port scanning through the FTP server
The PORT Command sent by the FTP client tells the server the IP address and port that should be connected when the FTP server transmits data. Generally, this is the IP address of the FTP client's machine and the port it is bound. However, the FTP Protocol does not require the client to specify its own IP address in the PORT Command sent.
With this, hackers can perform port scanning on the target machine through a third-party FTP server. This method is generally called FTP reflection. For hackers, this scanning method has the following two advantages:
(1) provide anonymity
Because the source address of port scanning is the IP address of the FTP server, rather than the hacker's machine, this method hides the real IP address of the hacker.
(2) avoid blocking
Because a third-party FTP server is used for scanning, even if the target machine automatically blocks the machine for scanning by adding the kernel ACL or invalid routing, however, hackers can use an FTP server to complete the scan.
NMAP can achieve this scanning process. The following is an instance that uses an FTP server for scanning.
[Xinhe @ Xinhe] $ NMAP-B Xinhe: test@xxx.xxx.xxx.xxx: 21-V XXX. XXX
Hint: If your bounce scan target hosts aren't reachable from here, remember to use-P0 so we don't try and Ping them prior to the scan

Starting NMAP 3.48 (http://www.insecure.org/nmap/) at CST
Resolved FTP Bounce Attack proxy to XXX. XXX (XXX. XXX ).
Machine XXX. XXX might actually be listening on probe port 80
Host XXX. XXX appears to be up... good.
Attempting connection to FTP: // Xinhe: test@xxx.xxx.xxx.xxx: 21
Connected: 220 welcome to FTP service.
Login credentials accepted by FTP server!
Initiating tcp ftp Bounce scan against XXX. XXX at 20:16
Adding open port 237/tcp
Deleting port 237/tcp, which we thought was open
Changed my mind about port 237.
Adding open port 434/tcp
Deleting port 434/tcp, which we thought was open
Changed my mind about port 434.
Adding open port 1509/tcp
Deleting port 1509/tcp, which we thought was open
Changed my mind about port 1509.
Adding open port 109/tcp
Deleting port 109/tcp, which we thought was open
Changed my mind about port 109.
Adding open port 766/tcp
Deleting port 766/tcp, which we thought was open
Changed my mind about port 766.
Adding open port 1987/tcp
Deleting port 1987/tcp, which we thought was open
Changed my mind about port 1987.
Adding open port 5998/tcp
Deleting port 5998/tcp, which we thought was open
Changed my mind about port 5998.
Adding open port 1666/tcp
Deleting port 1666/tcp, which we thought was open
Changed my mind about port 1666.
Adding open port 506/tcp
Deleting port 506/tcp, which we thought was open
Changed my mind about port 506.
Caught SIGINT signal, cleaning up

5. Data hijacking
We talked about the FTP data transmission process. Likewise, the FTP protocol itself does not require the same IP address of the customer who transmitted the command as the IP address of the customer who transmitted the data, in this way, hackers may hijack the data transmitted between the customer and the server. Data hijacking can be divided into active data hijacking and passive data hijacking based on the data transmission mode.
1. Passive data hijacking
According to the previous passive transmission process, we can see that there is a vulnerable window after the FTP client sends the PASV or PORT command and before sending the data request. If hackers can guess this port, they can connect and load or replace the data being sent.
To achieve passive data hijacking, you must know the temporary port number opened on the server. Then, many servers do not randomly select ports, but use an incremental method, in this way, it is not difficult for hackers to guess the port number.
2. Proactive data hijacking
Active Data hijacking is much more difficult than passive data hijacking because in active transmission mode, the customer opens a temporary port for data transmission, however, it is difficult for hackers to find customers' IP addresses and temporary ports.

Chapter 3 security policies
1. Use relatively secure systems and FTP service software
The most secure system here is that it is best not to use Windows as a server, because the security of the system itself is very problematic. Windows has to expose n vulnerabilities every year, once an overflow vulnerability exists, it is very likely that you will be able to get the administrator privilege. Once the system is infiltrated, the services running on the system are not secure. Both Linux and BSD will be good choices.
Service software uses fewer vulnerabilities, such as vsftp, and ensures version updates.

Ii. Use the ciphertext transmission user name and password
Here we can use SCP and sftp, or SSH for forwarding. In this way, even if hackers can monitor the data exchange between the customer and the server, they will not get a password without a key. There are some restrictions on SSH forwarding. First, the server and the client must be in active mode, and then the server must allow machines outside the command channel to send port commands to them.

3. Change the flag of the service software
Changing the flag of the service software can confuse attackers, at least many scanners, and cause false positives. However, changing the flag is not the fundamental solution to security problems, security Vulnerabilities will not disappear because of different flag, but the change is always better than not. Currently, most server software can change the FTP flag in the configuration file.

Iv. Enhanced Protocol Security
This is what the service software provider needs to do. First, the PORT command should be checked. The IP address after the port should be the same as the client host, many of our ftp attacks are implemented by constructing special port commands. Therefore, the use of port commands is especially important for attackers. It is not easy to do this. WU-FTPd took several years. Currently, there is no perfect defense Method for Data hijacking. What we can do now is to check whether the IP addresses of the Command Channel and data channel are consistent, but this cannot completely prevent data hijacking. Because the client and the hacker may be in the same intranet.

Postscript
The Network has penetrated into all aspects of social life, and network security is becoming more and more important. FTP protocol security is only a small part of network security. There is still much work to do for network security, due to the time relationship, this article has not mentioned the source code of the FTP service software (many good things are open-source ), I think if we can compare the source code with the source code to talk about the FTP transmission process, we will have an essential understanding of the FTP transmission process, it is also easier to find some unknown security risks.

Completion Time: 2004-10-24