Source: cve@mitre.org
FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.
FTP bounce attacks allow attackers to leverage vulnerable FTP servers to scan and potentially access internal network resources. This vulnerability enables attackers to use the FTP server as a proxy to connect to arbitrary ports on other machines, leading to data exfiltration and network reconnaissance. Successful exploitation can compromise sensitive data and facilitate further attacks.
Step 1: Connection to FTP Server: The attacker establishes a connection to a vulnerable FTP server.
Step 2: PORT Command Injection: The attacker sends a PORT command to the FTP server, specifying the IP address and port of a target machine and service within the internal network. This IP address is not the attacker's, but the target's.
Step 3: Data Connection Initiation: The attacker issues a command that triggers a data transfer, such as LIST or RETR. This command instructs the FTP server to initiate a data connection to the IP address and port specified in the previous PORT command.
Step 4: Server-Side Connection: The FTP server, acting on the attacker's instructions, attempts to connect to the specified IP address and port on the target machine.
Step 5: Service Interaction: If the target port is open and running a service, the FTP server interacts with that service, potentially revealing information or allowing further exploitation.
The root cause of CVE-1999-0017 lies in the FTP protocol's design and the lack of proper input validation and access control on the server side. Specifically, the PORT command, intended for specifying the client's data connection address and port, can be manipulated to instruct the FTP server to connect to arbitrary ports on any host. The server, trusting the client's input, initiates a connection to the specified IP address and port, effectively acting as a proxy. This allows attackers to bypass firewalls and reach internal services. The flaw is not a specific code error like a buffer overflow, but a design flaw: the server blindly trusts the client's PORT command without verifying that the destination matches the client's own address or that the client is authorized to reach it. This lack of validation allows connections to be redirected to unintended targets.
While not directly associated with specific APT groups in recent reports, the technique is a fundamental part of network reconnaissance and is likely used by various actors. The technique is a building block for more sophisticated attacks. Not listed in CISA KEV.
Monitor FTP server logs for suspicious PORT command usage, especially those targeting internal network addresses.
Analyze network traffic for FTP data connections originating from the FTP server to unexpected destinations.
Implement network intrusion detection systems (IDS) with rules to identify and alert on PORT command abuse.
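The following Python is an added example, not part of the CVE record or of any FTP server's code. It shows both halves of the point made above: a server-side PORT validator of the kind RFC 2577 recommends, which rejects any data-connection target that is not the control-connection peer or that uses a privileged port, and a detection pass over constructed FTP log lines that flags the same conditions (third-party target, RFC 1918 destination, privileged port, malformed argument). The log format `timestamp client_ip PORT h1,h2,h3,h4,p1,p2`, the IP addresses and the function names are assumptions made for the example.

```python
import ipaddress
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (four address octets, two port octets)
PORT_RE = re.compile(r"^\s*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")

# Hypothetical log format assumed for this example: "<timestamp> <client_ip> PORT <arg>"
LOG_RE = re.compile(r"^(\S+) (\S+) PORT (\S+)$")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port_argument(arg):
    """Decode a PORT argument into (ip, port); raise ValueError on malformed input."""
    m = PORT_RE.match(arg)
    if not m:
        raise ValueError("malformed PORT argument")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def is_rfc1918(ip):
    """True if ip lies in a private (RFC 1918) range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def validate_port_command(arg, client_ip):
    """Hardened server-side check: the data connection may only go back to the
    control-connection peer, and never to a privileged port (RFC 2577 guidance).
    Returns (accepted, reason)."""
    ip, port = parse_port_argument(arg)
    if ip != client_ip:
        return False, f"PORT host {ip} does not match control peer {client_ip}"
    if port < 1024:
        return False, f"PORT port {port} is privileged"
    return True, "ok"


def scan_ftp_log(lines):
    """Detection pass: return (timestamp, client_ip, reasons) for every PORT
    command whose target is not the client itself, is internal, is privileged,
    or cannot be parsed."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a PORT command line
        ts, client_ip, arg = m.groups()
        try:
            ip, port = parse_port_argument(arg)
        except ValueError as e:
            alerts.append((ts, client_ip, f"malformed PORT: {e}"))
            continue
        reasons = []
        if ip != client_ip:
            reasons.append(f"third-party target {ip}:{port}")
        if is_rfc1918(ip):
            reasons.append("target in RFC 1918 range")
        if port < 1024:
            reasons.append("privileged target port")
        if reasons:
            alerts.append((ts, client_ip, "; ".join(reasons)))
    return alerts


# Constructed sample log lines (not from any real server)
SAMPLE_LOG = [
    "2024-05-01T10:00:01 203.0.113.5 PORT 203,0,113,5,200,10",  # benign: own address, port 51210
    "2024-05-01T10:00:02 203.0.113.5 PORT 10,0,0,7,0,22",       # bounce attempt: internal host, port 22
    "2024-05-01T10:00:03 198.51.100.9 PORT 198,51,100,9,0,80",  # own address but privileged port
    "2024-05-01T10:00:04 198.51.100.9 PORT 999,1,1,1,0,1",      # malformed argument
    "2024-05-01T10:00:05 198.51.100.9 USER anonymous",           # unrelated command, skipped
]

if __name__ == "__main__":
    print(validate_port_command("203,0,113,5,200,10", "203.0.113.5"))
    print(validate_port_command("10,0,0,7,0,22", "203.0.113.5"))
    for alert in scan_ftp_log(SAMPLE_LOG):
        print(alert)
```

The validator and the log scanner share one parser on purpose: the same condition a hardened server enforces at the control connection is the condition a detector should alert on when reviewing logs from servers that do not enforce it. Matching on the address alone is not enough, which is why the privileged-port rule is kept even when the address matches.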
Review FTP server configuration for unnecessary services or open ports.
Disable or restrict the use of the PORT command on the FTP server, if possible.
Implement a firewall to restrict outbound connections from the FTP server to only trusted destinations and ports.
Upgrade or replace the FTP server software with a version that mitigates the vulnerability (if available).
Configure the FTP server to only allow connections from trusted IP addresses or networks.
Regularly audit FTP server configurations and security settings.
Implement strong authentication mechanisms for FTP access.