
ncftpd.txt

17 Aug 1999 | Reported by sw3 | Type: packetstorm | Source: packetstormsecurity.com

NcFTPd FTP server allows unauthorized data transmission, enabling spoofing and DoS attacks.

Code
`  
Proof of Concept - Security Advisory 02/16/99  
http://poc.csoft.net Released by  
[email protected] [email protected]  
  
---  
  
Affected Program NcFTPd <http://www.ncftp.com>  
Description FTP server (commercial)  
Severity Can port anywhere / spoof  
  
  
Synopsis:  
  
NcFTPd is a commercial FTP (File Transfer Protocol) server, in the  
NcFTP product line. The source code is not publicly released.  
  
Overview:  
  
To initiate an FTP transfer, there must be two connections: one  
control connection (to the server's ftp port) and one data connection.  
When a client wants to tell the server where to send the data (i.e.  
a file you want to download, or a directory listing), it must use  
the PORT command, in which the destination address and port are  
specified.  
  
Problem:  
  
NcFTPd does not check that the destination PORT address is the  
user's IP. This means anybody can have the server transmit data  
anywhere, anonymously. Obviously this can lead to potential  
'easy' DoS attacks and spoofing (say, someone uploads a file  
containing some commands to incoming, PORTs to some host/port,  
and uses RETR (retrieve file)). Such connections are possible  
with the default NcFTPd configuration, but can be disallowed:  
general.cf> allow-outgoing-proxy-data-connection-ports-below-1024 - no  
general.cf> allow-proxy-connections - no  
  
I made an example program that listens on a port and dumps  
arbitrary received data in string, hex or ascii/hex format -  
[http://poc.csoft.net/code/listerine/listerine.tar.gz]  
  
Example:  
  
evil:$ telnet victim ftp # victim runs NcFTPd  
user anonymous # anonymous is up by default  
pass some@thing  
port 192,168,0,1,5,131 # connect on port 1411  
retr incoming/stuff # send arbitrary data, as it  
# was coming from host victim.  
  
To see for yourself, you can run my example program `listerine', on  
the host victim. I tested this on my LAN and on remote machines too.  
  
  
Status:  
  
Got a response from the authors: the problem can indeed be fixed with  
the general.cf options mentioned above, but they are not enabled in the  
default configuration.  
  
.sw3  
`
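
The check the advisory says is missing, written as an added example (this is not NcFTPd code and not part of the original advisory): a server-side validator that parses the PORT argument and refuses any data-connection target other than the control connection's peer. The flags `allow_proxy` and `allow_low_ports` are hypothetical names loosely modelled on the two general.cf options above, and the peer address `10.0.0.5` is constructed.

```python
# Added example (not NcFTPd code): validate an FTP PORT argument server-side.
import ipaddress

class PortRejected(Exception):
    """The PORT argument must be refused (reply 5xx, open no data connection)."""

def parse_port_arg(arg):
    """Parse 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise PortRejected("malformed PORT argument")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise PortRejected("PORT field out of range 0-255")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]

def check_port(arg, control_peer, allow_proxy=False, allow_low_ports=False):
    """Return (host, port) when the requested data target is acceptable.

    allow_proxy / allow_low_ports are hypothetical flags; their semantics are
    this example's assumption, not NcFTPd's general.cf behaviour.
    """
    host, port = parse_port_arg(arg)
    if not allow_proxy and host != ipaddress.IPv4Address(control_peer):
        raise PortRejected(f"{host} is not the control-connection peer")
    if not allow_low_ports and port < 1024:
        raise PortRejected(f"port {port} is below 1024")
    return str(host), port

def verdict(arg, control_peer, **flags):
    """Human-readable decision, e.g. for a log line."""
    try:
        host, port = check_port(arg, control_peer, **flags)
        return f"accept {host}:{port}"
    except PortRejected as exc:
        return f"reject: {exc}"

if __name__ == "__main__":
    peer = "10.0.0.5"  # constructed: address the control connection came from
    for arg in ("10,0,0,5,5,131",      # client's own address, port 1411
                "192,168,0,1,5,131",   # third-party target from the advisory
                "10,0,0,5,0,25",       # own address but privileged port
                "10,0,0,5,5"):         # malformed
        print(f"PORT {arg:<20} -> {verdict(arg, peer)}")
```

Logging every rejected PORT together with the control-connection peer gives a direct detection signal for attempts to redirect the data connection to a third host.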
