TUCoPS :: Macintosh :: bu-1931.htm

Apple Airport Wireless Products: Promiscuous FTP PORT Allowed in FTP Proxy Provides Security Bypass
Apple Airport Wireless Products: Promiscuous FTP PORT Allowed in FTP Proxy Provides Security Bypass
Apple Airport Wireless Products: Promiscuous FTP PORT Allowed in FTP Proxy Provides Security Bypass



--Apple-Mail-44--494336960
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

The FTP proxy used in Apple's Airport Express, Airport Extreme, Time Capsule and possibly elsewhere doesn't check the client provided address and port given by the FTP PORT command against the IP address of the connecting client, or against the use of privileged ports.  (The FTP PORT command is used by a FTP client to tell an FTP  server which address and data port to initiate the data connection on.)  The FTP proxy is used to provide assistance to clients operating in NAT environments served by the Apple products.  FTP servers running behind a NAT with this assistance can have addresses in the command channel rewritten for them so that external clients can reach them when operating in passive mode.  The ALG operates as a proxy server, assuming responsibility for connections to the FTP server, and must therefore also handle and modify rewriting of the PORT command.  It looks like it might be ftp-proxy from PF.

The effect of this problem is to allow anybody with access to the FTP port forwarded on the exterior side of an Apple Airport product that offers NAT to internal clients, which for a publicly-accessible FTP server is the big bad world, to induce an FTP server operating behind a NAT to send data to arbitrary addresses and ports.  This is true even if the FTP server is configured to operate more securely, since it sees connections from the NAT's exterior interface, not the connecting client.  This is useful for bouncing anonymous port scans off the victim NAT, or if data is available or can be written to and then read from the FTP server, potentially for anonymous attacks, spam, news floods, and other such badness.  Any trust relationship and/or security implied or assumed by a NAT is also gone, since the PORT command can also specify private addresses, inside the NAT, for victimisation.  Best of all, the gateway itself makes no log entry concerning FTP connections that have been run through the proxy.

Workarounds: do not use FTP; do not trigger the use of the ALG (FTP proxy) by explicitly using ports other than 21 on the inbound port mapping.  If you can't do those things, you can avoid the worst effects of this attack by disabling FTP uploads that can later be downloaded by anonymous users.

Apple likes to keep secrets for the protection of its customers.  Since the reasonable release of this advisory removes that protection, confidential information vouchsafed to me can be safely disclosed with no ill effects.  Apple has a fix, and according to its last seemingly automatic template message, they are still testing it and do not know precisely when it will be released.  This is confidential information.  DO NOT DISCLOSE!

Advisory history:

Apple were notified on 4 Dec 2009, and responded promptly.  They were given 60 days initially.

Apple contacted me on 7 January 2010 to ask who to give credit to.  Personal attribution.

On 18 Jan I contacted Apple, advising that they'd passed the six weeks milestone.

On 25 January I contacted Apple, advising that they'd passed the 7 weeks milestone.  They volunteered confidential information.

On 4 Feb, I urged Apple to tell me when a fix was to be issued, approximately.  They'd had their two months, and release cycles happen, but I wanted news within a fortnight.  Didn't they understand that their customers were at easy risk, and that keeping it quiet didn't change that?  By today - that is, by about 3 months - they would certainly be beyond reconciliation.  They volunteered confidential information.

On 4 March, I got bored of waiting, and made this announcement.  The fix is not out; apply workarounds, or trust to the fates and the security of your network.

Cheers,
Sabahattin


--Apple-Mail-44--494336960
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIGsjCCBq4w
ggWWoAMCAQICAwEBkDANBgkqhkiG9w0BAQUFADCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0
YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcx
ODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xpZW50IENB
MB4XDTEwMDIxNDE5MTgwM1oXDTExMDIxNjA5MTA1N1owgZsxIDAeBgNVBA0TFzE0Nzg0Ni1TclB0
b1dHUVJMYTExRVREMR4wHAYDVQQKExVQZXJzb25hIE5vdCBWYWxpZGF0ZWQxKTAnBgNVBAMTIFN0
YXJ0Q29tIEZyZWUgQ2VydGlmaWNhdGUgTWVtYmVyMSwwKgYJKoZIhvcNAQkBFh1tYWlsQHNhYmFo
YXR0aW4tZ3VjdWtvZ2x1LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSmrng+
PdhwKkjj3VZZLbF5aiVOUe7Cbui+Z5/BntaojcZYaVk5BKMcKh8aW4InSLZ5Da698zFHUFFbBgSv
PI8tTFwBM5Uq5eSlrs6pGsvGuYyAOMCeN2VvWZbcbFy5RKSUT9V9eRKu3/vDTXzquYuTaWaSDLrQ
cNQXjHNcmSKI5VDIOk/oYCDHvsQDBRG5R85HKe74zYZbgFPsasRPfloDSjWAfldkSPqVBvShefhl
tT5uvgCWf616cBFoqHtZe9/NUX3pLBiXdU9lQ4zN2dE7Ml6+3AobHLB/RSCxBWtb8YDln4X1JjZE
0swEDvyD0GEskAcyA2/bnRjvV9HOcY8CAwEAAaOCAwYwggMCMAkGA1UdEwQCMAAwCwYDVR0PBAQD
AgSwMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQU9rx1cJmSaz5fmKyy
///im4m/gOIwHwYDVR0jBBgwFoAUU3Ltkpzg2ssBXHx+ljVO8tS4UYIwKAYDVR0RBCEwH4EdbWFp
bEBzYWJhaGF0dGluLWd1Y3Vrb2dsdS5jb20wggFCBgNVHSAEggE5MIIBNTCCATEGCysGAQQBgbU3
AQIBMIIBIDAuBggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA0
BggrBgEFBQcCARYoaHR0cDovL3d3dy5zdGFydHNzbC5jb20vaW50ZXJtZWRpYXRlLnBkZjCBtwYI
KwYBBQUHAgIwgaowFBYNU3RhcnRDb20gTHRkLjADAgEBGoGRTGltaXRlZCBMaWFiaWxpdHksIHNl
ZSBzZWN0aW9uICpMZWdhbCBMaW1pdGF0aW9ucyogb2YgdGhlIFN0YXJ0Q29tIENlcnRpZmljYXRp
b24gQXV0aG9yaXR5IFBvbGljeSBhdmFpbGFibGUgYXQgaHR0cDovL3d3dy5zdGFydHNzbC5jb20v
cG9saWN5LnBkZjBjBgNVHR8EXDBaMCugKaAnhiVodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9jcnR1
MS1jcmwuY3JsMCugKaAnhiVodHRwOi8vY3JsLnN0YXJ0c3NsLmNvbS9jcnR1MS1jcmwuY3JsMIGO
BggrBgEFBQcBAQSBgTB/MDkGCCsGAQUFBzABhi1odHRwOi8vb2NzcC5zdGFydHNzbC5jb20vc3Vi
L2NsYXNzMS9jbGllbnQvY2EwQgYIKwYBBQUHMAKGNmh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL2Nl
cnRzL3N1Yi5jbGFzczEuY2xpZW50LmNhLmNydDAjBgNVHRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0
c3NsLmNvbS8wDQYJKoZIhvcNAQEFBQADggEBABfpkTQK6G6ZAdRpaGvgcQmxjQ1odHcV2LwyCQWv
ZwksY68aN7YhG2Y3qAhixQFGPWmoJu9R1Tfl80RCzXzFPERkAvl62b0RSJeZa40q9E0EHc8wYcsQ
ak5KVDxbknfQzIknnL3ZLsc33Ropca7FzudPXYO72tXF0oz+QQvUMS7qRpTJb/jLQ4LTsGM1muSg
IICcR1dDxf6nCKm0Gu4sS6RmrvDJ/UmCo/3Xz/LBV9TQ7n/j0+aiulOBZ6Rh6utDCWNb9XLZD40l
0xJ09mimXKmVoc5c+MzMkUJX4LWDoFOJmD8ON208++Of8hDF8lSY39HYubSgpkTqJnWcicylg1Ux
ggNvMIIDawIBATCBlDCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp
BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0
Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xpZW50IENBAgMBAZAwCQYFKw4DAhoF
AKCCAa8wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTAwMzA0MTcx
OTE1WjAjBgkqhkiG9w0BCQQxFgQUAFAPswgqHkaB0orxMxx9eM7NxU0wgaUGCSsGAQQBgjcQBDGB
lzCBlDCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNl
Y3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNz
IDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xpZW50IENBAgMBAZAwgacGCyqGSIb3DQEJEAILMYGX
oIGUMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2Vj
dXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
MSBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0ECAwEBkDANBgkqhkiG9w0BAQEFAASCAQBl
VWDHJANJZuEZQcxP5ncU2UI5t3W/V1bEL0hoQMNh/N2sPI+Yqjav/4qlNolJGqqipwHaDbef9fFH
YV6xsGGb3yA8p0/Ytl2G//WUD/fWhwHKAboPnT1n5qHYoocnQLigaplMNB1JfqogRNtcIutpmr+Y
oTix8+Zbsp3vQSe/iYrYoTr2wDLs+fPy9uKCWEXoJRBzJLIjSlx7l4klXTos6/fgHkH+12082Lyo
HiBlA+MTvIgZB1jH+5RrD/XepRlPPv6MFzW3bItU2THuGkMkFBnqXUfeJrSpFaOgmZj82GZHBE8+
FfJSvCVEzum51ADajfcxEu7mxkWCxKhO4jOmAAAAAAAA

--Apple-Mail-44--494336960--

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH