17th Apr 2002 [SBWID-5269]
COMMAND
Raptor Firewall FTP Bounce vulnerability
SYSTEMS AFFECTED
Tested on Raptor 6.5.3i on Sun Solaris 7
PROBLEM
Roy Hills [http://www.nta-monitor.com/] found the following regarding the
Raptor Firewall:
The Raptor Firewall can expose an FTP server behind it to the well-known
FTP bounce attack even if the FTP server itself is not susceptible to
this issue.
Overview
========
While performing a penetration test for a customer, we discovered that
their FTP server was vulnerable to the well-known FTP Bounce attack
from the Internet. However, subsequent conversation with the customer
showed that the FTP server itself (a recent version of wu-ftp) was not
vulnerable to the FTP bounce attack.
It appears that the Raptor Firewall's FTP proxy was somehow making the
FTP server vulnerable to the FTP bounce vulnerability even though the
FTP server itself was immune to this problem.
The Firewall vendor (Symantec) have been informed of this issue.
Environment
===========
Firewall: Raptor 6.5.3i on Sun Solaris 7
FTP Server: wu-ftpd on internal network with anonymous access
Config: Using built-in Raptor FTP proxy for inbound FTP access from Internet
Analysis
========
We verified and analysed the vulnerability using the following setup:
1. "attacker" - A Linux system on the Internet that connects to the
FTP server and exploits the vulnerability
2. "victim" - A second Linux system on the Internet that is the
target of the bounce attack
3. "server" - The FTP server. External address 194.217.26.147, internal
10.1.13.5
4. "Firewall" - The Raptor Firewall
We verified the FTP bounce vulnerability from the Internet and used the
"tcpdump" packet sniffer on the Internet "attacker", the Internet
"victim" (target of the ftpbounce test) and the FTP server to
determine what was going on.
It turns out that the Raptor Firewall re-writes the inbound FTP
"PORT" command and changes the IP address to be the Hacker's IP
rather than the Victim\'s, and the port number to be another ephemeral
port. This means that the FTP server cannot detect the FTP bounce
attack because it sees the correct IP address (the one of the hacker
rather than the victim) and an ephemeral port. However, when the FTP
Server makes the outbound connection to this IP address and port, the
Firewall re-writes the IP address and port in the packet to be the IP
address and port of the victim which was originally specified by the
Hacker.
Thus, the Raptor Firewall prevents the FTP Server from detecting the
FTP bounce attack, and permits the attack to take place. Because the
FTP Server will always see the "correct" IP address and port in the
PORT command, it cannot determine that an FTP bounce attack is being
carried out and will accept the command.
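The following is an added example and is not code from the NTA Monitor advisory or from Symantec. It implements the server-side PORT validation that bounce-resistant FTP daemons such as wu-ftpd perform (the data-connection address must match the control-connection peer and must not be a privileged port), and then simulates the address rewriting the advisory attributes to the Raptor proxy, to show why that check stops firing once the proxy has substituted the client's own address and an ephemeral port. The proxy model and all addresses other than those quoted in the advisory are constructed assumptions, not a description of Raptor internals.

```python
"""Server-side FTP bounce check versus a proxy that rewrites PORT.

Added illustration, not the advisory's own code. Addresses below are
constructed TEST-NET values; the proxy behaviour is modelled from the
advisory text, not from Raptor source.
"""

import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})$")


def parse_port(cmd):
    """Parse a PORT command into (ip, port); raise ValueError on bad input."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError("malformed PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.group(1).split(","))
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    port = (p1 << 8) | p2
    if port == 0:
        raise ValueError("port 0 not allowed")
    return f"{h1}.{h2}.{h3}.{h4}", port


def format_port(ip, port):
    """Inverse of parse_port: build a PORT command for ip:port."""
    octets = ip.split(".")
    return "PORT " + ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def server_accepts_port(cmd, control_peer_ip, min_port=1024):
    """The bounce check a hardened FTP server applies to every PORT command.

    The data connection may only go back to the host that opened the
    control connection, and only to a non-privileged port.
    """
    ip, port = parse_port(cmd)
    if ip != control_peer_ip:
        return False  # classic bounce: data target differs from control peer
    if port < min_port:
        return False  # refuse data connections to privileged services
    return True


def proxy_rewrite(cmd, control_peer_as_seen_by_server, ephemeral_port):
    """Model of the rewriting the advisory describes (assumption, not Raptor code).

    The proxy replaces the client-supplied address and port with the address
    the server already sees on the control connection plus an ephemeral port,
    and remembers the original destination so it can relay the data
    connection there later. The server therefore sees a PORT that looks local.
    """
    original_target = parse_port(cmd)
    rewritten = format_port(control_peer_as_seen_by_server, ephemeral_port)
    return rewritten, original_target


def demo():
    """Walk through the advisory's scenario with constructed addresses."""
    attacker = "192.0.2.10"    # constructed: Internet "attacker"
    victim = "198.51.100.25"   # constructed: Internet "victim" (bounce target)

    # Attacker asks the server to open a data connection to the victim's SMTP port.
    bounce_cmd = format_port(victim, 25)

    # Without a rewriting proxy, the server-side check rejects it outright.
    direct_result = server_accepts_port(bounce_cmd, attacker)

    # With the proxy in the path, the server sees its own peer and an
    # ephemeral port, so the same check now passes and the relay goes ahead.
    rewritten, relay_target = proxy_rewrite(bounce_cmd, attacker, 40123)
    via_proxy_result = server_accepts_port(rewritten, attacker)

    # Mitigation point: the proxy itself must apply the check to the
    # original command before rewriting; it holds the only copy of the
    # real destination.
    proxy_should_reject = not server_accepts_port(bounce_cmd, attacker)

    return direct_result, via_proxy_result, relay_target, proxy_should_reject


if __name__ == "__main__":
    print(demo())
```

The simulation makes the advisory's conclusion concrete: after rewriting, the server has no information left with which to refuse the command, so the check has to be enforced by the component that still sees the original destination, namely the proxy.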
Further information
===================
Further information, including annotated "tcpdump" packet traces, is
available at:
http://www.nta-monitor.com/news/raptor-set.htm
SOLUTION
Nothing yet.