Safari FTP PASV manipulation vulnerability
Release date
September 16th, 2015
Vulnerability description
FTP PASV manipulation attack was first described bymark@bindshell.net in his 2007 paper “Manipulating FTP Clients Using The PASV Command” (originally athttp://bindshell.net/papers/ftppasv, but no longer there; live mirror athttps://web.archive.org/web/20120904163048/http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf). The reader is encouraged to make himself/herself familiar with that paper, and with the PoC athttps://web.archive.org/web/20111228004729/http://www.bindshell.net/papers/ftppasv/ftp-pasv-poc-v1.0.zip.
The impact of the attack is as following (directly quoting from the above paper, with some original references removed for clarity):
It is possible for malicious FTP servers to cause [the FTP client] to connect to TCP ports on other hosts. This allows us to extend existing JavaScript-based port scan techniques in the follow ways:
• Scan ports which modern browsers would not normally connect to
• Fingerprint services which do not send a banner by timing how long the server takes to terminate the connection
• Perform simple “banner grabbing” to identify services running on other hosts
Apple Safari is not vulnerable to the attack as described in 2007. However, it turns out that if the FTP server responds to the CWD command or to the PASV command with a response that ends with LF (instead of CR+LF), then Safari becomes vulnerable, i.e. it will respect a PASV response that points at any IP and any port (instead of the FTP server’s IP address).
To demonstrate this, the following changes need to be applied to the original PoC (for simplicity only a single PoC will be demonstrated – that of grabbing banners):
In file “ftp-server.pl”, line 193, change from:
sendit("250 Directory successfully changed.\r\n");
To:
sendit("250 Directory successfully changed.\n");
And in file “ftp-pasv-demo3.html”, line 25, change from:
status.value += (time / 1000) + ' (t + ' + elapsed_time + '): ' + message + "\n";
To
document.getElementById('status').value += (time / 1000) + ' (t + ' + elapsed_time + '): ' + message + "\n";
The latter is due to WebKit-based browsers (e.g. Safari) exhibiting different behavior w.r.t. this DOM action – it has nothing to do with the actual vulnerability.
On top of these changes, the demonstrator needs to follow the instructions in the PDF paper and in the HTML page comments in order to prepare the PoC.
Affected products/libraries
Safari for iOS 8.4.1. User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4. Earlier versions of Safari for iOS are probably vulnerable.
Safari 5.1.7 (7534.57.2) for Windows (latest, but no longer supported). User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
The issue may also apply to Safari for MacOS/X – probably up to and including OS/X 10.10.5.
According to Apple, the issue resides in the “CFNetwork FTPProtocol” API/library.
CVE
Fix information
According to Apple, the issue fixed at least for the iOS platform in version 9 (iOS 9), immediately available (APPLE-SA-2015-09-16-1). For more information about this security update, please refer tohttps://support.apple.com/en-us/HT205212.
Komentarų nėra:
Rašyti komentarą