Safari FTP PASV manipulation vulnerability

Release date

September 16th, 2015


Vulnerability description

FTP PASV manipulation attack was first described by mark@bindshell.net in his 2007 paper “Manipulating FTP Clients Using The PASV Command” (originally at http://bindshell.net/papers/ftppasv, but no longer there; live mirror at https://web.archive.org/web/20120904163048/http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf). The reader is encouraged to make himself/herself familiar with that paper, and with the PoC at https://web.archive.org/web/20111228004729/http://www.bindshell.net/papers/ftppasv/ftp-pasv-poc-v1.0.zip.

The impact of the attack is as follows (quoting directly from the above paper, with some original references removed for clarity):

It is possible for malicious FTP servers to cause [the FTP client] to connect to TCP ports on other hosts. This allows us to extend existing JavaScript-based port scan techniques in the following ways:

• Scan ports which modern browsers would not normally connect to

• Fingerprint services which do not send a banner by timing how long the server takes to terminate the connection

• Perform simple “banner grabbing” to identify services running on other hosts

Apple Safari is not vulnerable to the attack as described in 2007. However, it turns out that if the FTP server responds to the CWD command or to the PASV command with a response that ends with LF (instead of CR+LF), then Safari becomes vulnerable, i.e. it will honor a PASV response that points at any IP address and any port (rather than only the FTP server’s own IP address).

To demonstrate this, the following changes need to be applied to the original PoC (for simplicity only a single PoC will be demonstrated – that of grabbing banners):

In file “ftp-server.pl”, line 193, change from:

sendit("250 Directory successfully changed.\r\n");

To:

sendit("250 Directory successfully changed.\n");

And in file “ftp-pasv-demo3.html”, line 25, change from:

status.value += (time / 1000) + ' (t + ' + elapsed_time + '): ' +  message + "\n";

To:

document.getElementById('status').value += (time / 1000) + ' (t + ' + elapsed_time + '): ' +  message + "\n";

The latter is due to WebKit-based browsers (e.g. Safari) exhibiting different behavior w.r.t. this DOM action – it has nothing to do with the actual vulnerability.

On top of these changes, the demonstrator needs to follow the instructions in the PDF paper and in the HTML page comments in order to prepare the PoC.
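The client-side behavior that the LF-terminated response bypasses is the check that a 227 reply names the same host as the control connection. The following is an added example (not code from the original PoC, from bindshell.net or from Apple) of how a hardened FTP client should validate a PASV reply: insist on a CRLF terminator, parse the six octets strictly, and refuse any data address that differs from the control connection's peer. All sample replies and the address 192.0.2.10 are constructed for illustration.

```python
import re
from ipaddress import ip_address
from typing import Tuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class PasvError(ValueError):
    """Raised when a PASV reply must not be acted upon."""


def parse_pasv(raw: bytes, control_peer_ip: str) -> Tuple[str, int]:
    """Validate a raw 227 reply line and return (ip, port) for the data connection.

    Hardened client behaviour: the reply must end in CRLF (a bare LF is
    rejected, not tolerated), no stray CR/LF may appear inside the line,
    the six values must be octets, and the advertised host must equal the
    peer address of the control connection.
    """
    if not raw.endswith(b"\r\n"):
        raise PasvError("reply line not CRLF-terminated")
    body = raw[:-2]
    if b"\r" in body or b"\n" in body:
        raise PasvError("stray line terminator inside reply")
    m = PASV_RE.match(body.decode("ascii"))
    if m is None:
        raise PasvError("malformed 227 reply")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise PasvError("value out of octet range")
    ip = f"{h1}.{h2}.{h3}.{h4}"
    port = (p1 << 8) | p2
    if port == 0:
        raise PasvError("port 0 is not usable")
    if ip_address(ip) != ip_address(control_peer_ip):
        raise PasvError(f"data host {ip} differs from control host {control_peer_ip}")
    return ip, port


def classify(raw: bytes, control_peer_ip: str) -> str:
    """Return 'accept host:port' or 'reject: <reason>' for logging or tests."""
    try:
        ip, port = parse_pasv(raw, control_peer_ip)
        return f"accept {ip}:{port}"
    except PasvError as exc:
        return f"reject: {exc}"
```

Running classify() over the constructed replies below shows that the CRLF-terminated reply naming the control peer is the only one accepted; the LF-terminated one and the one naming another host are both rejected before any connection is attempted.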


Affected products/libraries

Safari for iOS 8.4.1. User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4. Earlier versions of Safari for iOS are probably vulnerable.

Safari 5.1.7 (7534.57.2) for Windows (latest, but no longer supported). User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2

The issue may also apply to Safari for OS X – probably up to and including OS X 10.10.5.

According to Apple, the issue resides in the “CFNetwork FTPProtocol” API/library.


CVE

Apple obtained the CVE identifier CVE-2015-5912 to denote the issue. Bugtraq has BID 76764 to denote the iOS vulnerability.


Fix information

According to Apple, the issue is fixed at least for the iOS platform in version 9 (iOS 9), which is immediately available (APPLE-SA-2015-09-16-1 for iOS, and later APPLE-SA-2015-09-30-3 for OS X). For more information about this security update, please refer to https://support.apple.com/en-us/HT205212 and https://support.apple.com/en-us/HT205267.