‘Manipulating FTP Clients Using the PASV Command’
‘The information has been provided by mark.
The original article can be found at: http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf‘
‘Vulnerable FTP Clients:
The following web browsers have been found to respond to malformed PASV responses in the way described above:
* Firefox 22.214.171.124
* Firefox 126.96.36.199
* Opera 9.10
* Konqueror 3.5.5
Several command line FTP clients have also been found to be vulnerable. However as the vendors have not been notified (and the author cannot think of an interesting way of exploiting command line clients), they have been omitted from this paper.
Immune FTP Clients
The following web browsers seem to ignore the IP address returned in PASV responses. They simply connect to the IP address to which the original control connection (21/TCP) was made:
* Microsoft Internet Explorer 7.0.5730.11
* Microsoft Internet Explorer 6.0.3790.0
FTP Client Implementation Flaw
* Scan ports which modern browsers would not normally connect to [portban]
* Fingerprint services which do not send a banner by timing how long the server takes to terminate the connection
* Perform simple banner grabbing to identify services running on other hosts
No response was provided by either Mozilla or Opera.
KDE responded and discussed both issues. However, they have yet to be convinced of the severity of the FTP PASV Vulnerability. Unfortunately, providing POC to demonstrate banner grabbing was made harder (impossible?) by the crash during the reading of child FTP iframes. KDE have reproduced the crash and produced a patch [konqcrash].’