Hi everyone,
I frequently run security scans against my BBS, and in the reports I have turned my attention to a potential vulnerability using the FTP bounce attack (1). I have tried it myself and it seems rather simple to exploit. The steps are the following:
1. Log in to the FTP service of the BBS using telnet. For instance: telnet yourbbs.com 21
2. Authenticate with "USER yourusername" and "PASS yourpassword". If you have the Guest account enabled, you can use the anonymous username.
3. Once authenticated, run the following command: "EPRT |1|192.168.1.1|80|". You can replace the IP address with any one you like, and the 80 with the TCP port.
4. If the server returns "200 PORT Command successful", then it means the remote destination accepts connections on that port.
This allows a possible attacker to do a port scan, even behind our firewall, using this trick. Fixing it is fairly simple: the FTP server just has to deny the use of the PORT/EPRT command with any IP address different from the source host. Maybe this behaviour could be controlled by some config option in sbbs.ini.
Regards,
Carlos
(1) https://en.wikipedia.org/wiki/FTP_bounce_attack
---
■ Synchronet ■ HISPAMSX BBS - The 8-bit MSX computers BBS - 2:341/111@fidonet
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
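
The check proposed in the message above (refuse PORT/EPRT when the requested address is not the control connection's source host), sketched as an added example that is not part of the original post and is not Synchronet's code. The function names, the 501/504 reply texts and the extra refusal of ports below 1024 (an RFC 2577 recommendation) are assumptions of this example; the sample addresses are constructed.

```python
import ipaddress

MIN_DATA_PORT = 1024  # assumption: also refuse privileged ports (RFC 2577 advice)

def parse_port(arg):
    """PORT h1,h2,h3,h4,p1,p2 (RFC 959) -> (address, port)."""
    parts = arg.split(",")
    if len(parts) != 6 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError("malformed PORT argument")
    nums = [int(p) for p in parts]
    if max(nums) > 255:
        raise ValueError("PORT field out of range")
    return ipaddress.ip_address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

def parse_eprt(arg):
    """EPRT <d>proto<d>addr<d>port<d> (RFC 2428) -> (address, port)."""
    if len(arg) < 2 or arg[0] != arg[-1]:
        raise ValueError("malformed EPRT argument")
    fields = arg[1:-1].split(arg[0])
    if len(fields) != 3 or fields[0] not in ("1", "2"):
        raise ValueError("malformed EPRT argument")
    addr = ipaddress.ip_address(fields[1])  # ValueError on a bad address
    if addr.version != (4 if fields[0] == "1" else 6):
        raise ValueError("protocol number does not match address family")
    if not (fields[2].isascii() and fields[2].isdigit()) or int(fields[2]) > 65535:
        raise ValueError("bad port")
    return addr, int(fields[2])

def check_data_target(command, arg, peer_ip):
    """Return the reply line for a PORT/EPRT request from control peer `peer_ip`."""
    try:
        parse = parse_eprt if command.upper() == "EPRT" else parse_port
        addr, port = parse(arg)
    except ValueError:
        return "501 Syntax error in parameters"
    peer = ipaddress.ip_address(peer_ip)
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d; unwrap it.
    peer = getattr(peer, "ipv4_mapped", None) or peer
    if addr != peer:
        return "504 Data address must match the control connection"
    if port < MIN_DATA_PORT:
        return "504 Privileged data ports are refused"
    return "200 PORT Command successful"

if __name__ == "__main__":
    peer = "203.0.113.7"  # constructed control-connection peer
    for cmd, arg in [("EPRT", "|1|192.168.1.1|80|"), ("EPRT", "|1|203.0.113.7|50000|"),
                     ("PORT", "203,0,113,7,195,80")]:
        print(cmd, arg, "->", check_data_target(cmd, arg, peer))
```

The comparison is made against the peer address of the control socket, never against anything the client sends, so the EPRT request from step 3 is refused before any outbound connection is attempted.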