February 1st, 1999

FTP PASV "Pizza Thief" Exploit
Author: Jeffrey R. Gerber

PROBLEM:
Legitimate FTP clients may experience Denial of Service and rogue FTP
clients may obtain unauthorized access to data.

PLATFORM:
All operating systems.
All FTP clients and FTP servers affected.

DAMAGE:
Data loss, data corruption, and denial of service.

SOLUTION:
Proposed solutions follow at the end of this document.

VULNERABILITY ASSESSMENT:
Risk is medium. The ability for this attack to be performed is not 100%
guaranteed. The higher the volume of traffic an FTP server sees, the
higher the potential for a successful attack. This attack has not yet
been observed in the wild.

Synopsis:
The Pizza Thief exploit relies on the FTP Passive (PASV) mode of
operation. When a client connects to a server using the PASV mode, the
server opens a port for data transfer to the client. As observed on all
tested FTP servers, any client other than the legitimate client may just
as equally connect to the allocated data port. Typical behavior is that
the first client to connect to the data port gets the data. Any
following connections from other clients (including the legitimate
client) will either be rejected or connect without reception of data.

Description:
RFC 765 "FILE TRANSFER PROTOCOL", Page 23 describes the "TRANSFER
PARAMETER COMMANDS" for FTP. Two named transfer parameter commands are
DATA PORT (PORT) and PASSIVE (PASV). Either PORT or PASV is used by FTP
to establish a data connection, the Data Transfer Process (DTP). FTP
data connections are frequently followed by the RETRIEVE (RETR), STORE
(STOR), APPEND (with create) (APPE), and LIST (LIST) commands which use
the DTP.

When a DTP connection is established between an FTP client and an FTP
server, either the server listens for a connection from the client (PASV
command) or the client listens for a connection from the server (PORT
command).

If a PORT command is issued to the server, the client states the
network address and port number at which the server is to connect to
the client. The PORT command is of the format "PORT h1,h2,h3,h4,p1,p2",
where h1,h2,h3,h4 is the client's network address and p1,p2 is the
client's 16 bit port number sent as two 8 bit values, high byte first
(port = p1*256 + p2).

If a PASV command is issued to the server, the server responds by
telling the client at what network address and on what port the client
is to connect to the server. The PASV command takes no parameters.

The "Postel's Pizza Parlor" FTP analogy:

Mr. Postel runs a fine pizza parlor in Anytown, CA. In recent years Mr.
Postel added two new services to his business: "Carry Out" and
"Delivery". Customers thoroughly enjoy both services.

Some customers living in gated communities, a recent housing phenomenon
that has been continually expanding, have found it necessary to use
Carry Out rather than Delivery, since the delivery person frequently has
problems getting through the front gate. Although the gated community
customers find Carry Out a bit of a pain, they accept the compromise for
the higher level of security in their living arrangements.

Mr. Postel's business ran fine for a while, but he soon noticed two
erroneous phenomena: 1) Some Delivery pizzas were being delivered to
the wrong addresses. 2) Some Carry Out customers were arguing that their
pizza wasn't ready when they arrived. After carefully looking into the
Delivery issue, Mr. Postel discovered that some customers were calling
and having pizzas delivered to wrong addresses or to individuals who
didn't order a pizza. Mr. Postel surmised that either the caller was
doing this as a prank or they were, for whatever strange reasons, making
notes of where pizzas could and could not be delivered.
After looking into the Carry Out problem, Mr. Postel determined that
"pizza thieves" were coming into the store and asking to pick up pizzas
that were not their own by guessing likely order numbers (the method by
which a customer asks for his or her pizza). The legitimate customers
were then arriving only to find that their pizza wasn't ready.

After careful thought on the Carry Out problem, Mr. Postel decided to
make it a policy for calling customers to state their home address.
Now when the customer comes into the pizza parlor, the server checks
the person's driver's license for a matching address.

The Carry Out problem analogously describes the problem with the current
FTP PASV connection methodology. Presently most, if not all, FTP servers
on the Internet are susceptible to a "pizza thief" attack. This attack
involves a rogue client making educated guesses at potential port
numbers (pizza order numbers). Port number prediction is possible by
repetitive sampling of server responses to the PASV command. Many
servers allocate each new data port at a value one higher than the last
used port number. This is analogous to a pizza thief sitting in a
waiting room, listening to previous order numbers and then guessing at a
currently pending order number and asking for it.

In the past, the PASV connection method was used with far less frequency
than the preferred PORT connection method. The use of PASV has been
increasing proportionately with an increased frequency of clients
sitting behind firewalls (gated communities). The pizza thief attack
thus becomes more effective by day.

Recommendations:
Solving the problem requires careful thought. Server programmers can
program a server to identify the client address associated with the
control connection and only allow data port connections from that
address; however, such a server would not be RFC compliant.

In the FTP standard, server to server connections are possible by use of
the PORT command on server A and the PASV command on server B. The
client directs both server A and B to connect to each other. In this
case, assume that server A accepts the PASV command. Server A will find
that the address of the client on the control port does not match the
address associated with the data connection (which is server B's
address).

A possible solution is an RFC obsoletion or update, documenting a new
form of the PASV command, PASX for "PASsiVe eXtended". The PASX command
would take address arguments in the form h1,h2,h3,h4 just as the PORT
command uses, sans port numbers p1,p2. In using PASX, both the client to
server connections and the server to server connections would remain
compliant with current RFC methodologies, yet adding a much needed layer
of authentication.
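The address check from the Recommendations and the proposed PASX form, as an added Python example that is not part of the original advisory: the server's data port is modelled as an object rather than a real socket, the 227 reply to PASV is assumed to carry the same h1,h2,h3,h4,p1,p2 tuple as PORT, and PASX is hypothetical, as the advisory itself notes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Address syntax shared by PORT and the 227 reply to PASV: four address
# octets, then the 16-bit port as two 8-bit values, high byte first.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text: str) -> Tuple[str, int]:
    """Parse 'h1,h2,h3,h4,p1,p2' from a PORT argument or a 227 PASV reply."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

@dataclass
class PassiveDataPort:
    """Model of one server data port opened in reply to PASV (or hypothetical
    PASX). expected_peer=None is the classic first-come-first-served behaviour."""
    control_peer: str
    port: int
    expected_peer: Optional[str] = None
    served_to: Optional[str] = None
    rejected: List[str] = field(default_factory=list)

    @classmethod
    def for_pasv(cls, control_peer: str, port: int, bind_to_control_peer: bool):
        # Recommendation: only the address seen on the control connection may
        # connect to the data port (breaks RFC-style server-to-server transfers).
        return cls(control_peer, port, control_peer if bind_to_control_peer else None)

    @classmethod
    def for_pasx(cls, control_peer: str, port: int, pasx_arg: str):
        # Hypothetical PASX h1,h2,h3,h4: the client names the address that will
        # connect, so PORT on server A / PASX on server B still passes the check.
        host, _ = parse_hostport(pasx_arg + ",0,0")  # reuse the tuple parser
        return cls(control_peer, port, host)

    def accept(self, data_peer: str) -> bool:
        # True if data_peer is served the transfer, False if it is refused.
        if self.expected_peer is not None and data_peer != self.expected_peer:
            self.rejected.append(data_peer)
            return False
        if self.served_to is not None:
            return False  # port already consumed; later connectors get no data
        self.served_to = data_peer
        return True
```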

RFC 2228 "FTP SECURITY EXTENSIONS" has addressed the issue of securing
the data channel with the DATA CHANNEL PROTECTION LEVEL (PROT) extension
and use of data encapsulation.  Through the use of a secured data
channel, the Pizza Thief threat is reduced to a simple denial of service
attack.