Date: 28 March 2007
References: ESB-2007.0760
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2007.0021 AUSCERT Advisory
[Win][UNIX/Linux]
Multiple browsers handling of PASV FTP responses may port scanning
28 March 2007
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product: KDE Konqueror 3.5.6 and prior versions
Mozilla Firefox versions prior to 2.0.0.3
Mozilla Firefox versions prior to 1.5.0.11
Opera 9.10
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Reduced Security
Access: Remote/Unauthenticated
CVE Names: CVE-2007-1562 CVE-2007-1563 CVE-2007-1564
Member content until: Wednesday, April 25 2007
OVERVIEW:
A paper [1] has been released discussing the potential for abuse of
web browsers due to their FTP protocol implementation. This
vulnerability results in the web browser being used as a port
scanner. When the handling of the PASV FTP response by Mozilla
Firefox, Opera and KDE Konqueror the browser can be instructed to
connect to an arbitrary host and port.
IMPACT:
When this functionality is combined with Javascript it can allow a
malicious FTP server to initiate a port scan of an organisation's
internal network, via web browsers. A proof of concept
demonistrating many elements of this attack has been included with
the paper.
Internet Explorer is reported as not vulnerable to this issue.
MITIGATION:
Mozilla has acknowledged this vulnerability [2] and released Firefox
versions 2.0.0.3 and 1.5.0.11 correcting it. KDE have also
acknowledged this vulnerability [3] and made patches are available.
As yet, this issue has not been acknowledged by Opera.
A partial mitigation strategy may be the filtering of PASV responses
which direct clients away from an originating FTP server.
REFERENCES:
[1] Manipulating FTP Clients Using The PASV Command
http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf
[2] Mozilla Foundation Security Advisory 2007-11
http://www.mozilla.org/security/announce/2007/mfsa2007-11.html
[3] KDE Security Advisory: KDE ioslave PASV port scanning vulnerability
http://www.kde.org/info/security/advisory-20070326-1.txt
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRgoKqCh9+71yA2DNAQIiYAP/T77eYz9mobE6KMPi7NQN07ROX6FlnECc
KYvckA+/k5lD7R9G2F6Tvr3K2QUcc6znB+A0427UQ+qeCLUfNxJhdXLZeLFHcRRU
CFWldk0xBXptjutEtMdQdxxMOv2Shjp+ukUWgB6JTdpDPP1LcXRJMx8At/LyZT6G
DixDNsDjymg=
=/40O
-----END PGP SIGNATURE-----
|