Proof of Concept - Security Advisory 02/16/99
http://poc.csoft.net
Released by poc@csoft.net
sw3wn@poc.csoft.net

---

Affected Program: NcFTPd
Description:      FTP server (commercial)
Severity:         Default PORT setup, log compromise

Synopsis:

NcFTPd is a commercial FTP (File Transfer Protocol) server in the NcFTP product line. The source code is not publicly released. This was tested on Linux with libc5 (there is a glibc2-specific version available).

Overview:

To initiate an FTP transfer there must be two connections: one control connection (to the server's ftp port) and one data connection. When a client wants to tell the server where to send the data (i.e. a file you want to download, or a directory listing), it uses the PORT command, in which the destination address and port are specified.

Problem:

NcFTPd does not check that the destination PORT address is the user's IP. This means anybody can make the server transmit data anywhere, anonymously. Obviously this can lead to `easy' DoS attacks and spoofing (say, someone uploads a file containing commands of some sort to incoming, issues a PORT for some host/port, and uses RETR (retrieve file)). Such connections are possible with the default NcFTPd configuration, but can be disallowed:

    general.cf> allow-outgoing-proxy-data-connection-ports-below-1024 - no
    general.cf> allow-proxy-connections - no

Most other FTP server daemons I've tried have this feature disabled, even though proxy connections are a documented part of RFC 959 (FTP protocol). But this is no big deal, just a possible amelioration.

I made an example program that listens on a port and dumps arbitrary received data in string, hex or ascii/hex format, and sends back EOF (needed for FTP data transfer).

[http://poc.csoft.net/code/listerine/listerine.tar.gz]

Example:

    evil:$ telnet victim ftp        # victim runs NcFTPd
    user anonymous                  # anonymous is up by default
    pass some@thing
    port 192,168,0,1,5,131          # connect on port 1411
    retr incoming/stuff             # send arbitrary data, as if it
                                    # were coming from host victim.

To see for yourself, you can run my example program `listerine' on the host victim. I tested this on my LAN and on remote machines too.

Status:

Got a response from the authors; the problem can indeed be fixed with the general.cf options mentioned above, but they are not enabled in the default configuration.

.sw3
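The check the advisory says NcFTPd omits is small, so here it is spelled out. The following is an added example, not code from the advisory, from NcFTPd or from the listerine tarball: it decodes the RFC 959 PORT argument (h1,h2,h3,h4,p1,p2, port = p1*256+p2, so 5,131 is the 1411 of the session above) and then applies the two general.cf decisions named in the Problem section, comparing the requested address against the control connection's peer and refusing third-party connections to ports below 1024. The function names, the 10.0.0.7 client address and the verdict dictionary are my own constructions; the keyword defaults model the permissive out-of-the-box behaviour the advisory reports, and passing False for both gives the hardened `no' settings.

```python
# Added example: server-side validation of an FTP PORT command.
# Not NcFTPd code and not from the advisory; function names and the
# sample client address are constructed for illustration.


def parse_port_argument(arg):
    """Decode an RFC 959 PORT argument "h1,h2,h3,h4,p1,p2" into (ip, port).

    The port is p1 * 256 + p2, so "5,131" is 5 * 256 + 131 = 1411, which
    matches the comment in the advisory's telnet session.
    """
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs exactly six comma-separated fields")
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        raise ValueError("PORT fields must be decimal integers") from None
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each PORT field must be in 0..255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def check_port_command(arg, control_peer_ip,
                       allow_proxy_connections=True,
                       allow_proxy_ports_below_1024=True):
    """Decide whether a PORT request should be honoured.

    The keyword defaults mirror the permissive default configuration the
    advisory describes; pass False for both to get the hardened settings
    (allow-proxy-connections - no, and
    allow-outgoing-proxy-data-connection-ports-below-1024 - no).
    Returns (accepted, reason) so the reason can be logged.
    """
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"malformed PORT argument: {exc}"
    if port == 0:
        return False, "port 0 is never a usable data port"
    if ip == control_peer_ip:
        # Normal active-mode transfer: data goes back to the same client.
        return True, f"data connection back to client {ip}:{port}"
    # Address differs from the control connection peer: a third-party
    # (proxy) transfer, which is what the advisory is about.
    if not allow_proxy_connections:
        return False, (f"PORT address {ip} is not the control peer "
                       f"{control_peer_ip} (allow-proxy-connections is no)")
    if port < 1024 and not allow_proxy_ports_below_1024:
        return False, (f"proxy data connection to privileged port {port} "
                       "refused (ports-below-1024 option is no)")
    return True, f"proxy data connection to {ip}:{port} permitted by config"


# Constructed sample: the advisory's PORT line as seen by the server when
# the controlling client connects from a made-up address, 10.0.0.7.
CLIENT_IP = "10.0.0.7"
SAMPLE_PORT_ARG = "192,168,0,1,5,131"   # 192.168.0.1:1411, from the advisory


def evaluate_default_vs_hardened(arg=SAMPLE_PORT_ARG, client_ip=CLIENT_IP):
    """Verdict for one PORT line under the default and hardened settings."""
    default = check_port_command(arg, client_ip)
    hardened = check_port_command(arg, client_ip,
                                  allow_proxy_connections=False,
                                  allow_proxy_ports_below_1024=False)
    return {"default": default[0], "default_reason": default[1],
            "hardened": hardened[0], "hardened_reason": hardened[1]}


if __name__ == "__main__":
    print(parse_port_argument(SAMPLE_PORT_ARG))
    for key, value in evaluate_default_vs_hardened().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints ('192.168.0.1', 1411) followed by the two verdicts: the default configuration accepts the third-party PORT, the hardened one refuses it with a reason suitable for the server log. Returning the reason rather than only a boolean is deliberate: a refused PORT naming a foreign address is exactly the event an operator would want recorded.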