FTP bounce vulnerability

Found a bug in "Everything"? report it here
bobm
Posts: 7
Joined: Fri Aug 21, 2015 11:27 am

FTP bounce vulnerability

Postby bobm » Wed Nov 29, 2017 10:57 am

My installation of Everything, Version 1.3.4.686 (x64), has been flagged by as being vulnerable to the FTP bounce exploit. It is classed as "Severe".

Has this been fixed in later versions?

void
Site Admin
Posts: 3631
Joined: Fri Oct 16, 2009 11:31 pm

Re: FTP bounce vulnerability

Postby void » Wed Nov 29, 2017 11:07 am

This is only an issue if you have the FTP server running, which is disabled by default.

It is more of a design flaw with the FTP protocol, than with Everything itself.

The issue affects all version of Everything.

If this issue concerns you, please keep your FTP server disabled:
  • In Everything, from the Tools menu, click Options.
  • Click the ETP/FTP Server tab on the left.
  • Uncheck Enable ETP/FTP Server.
  • Click OK.

To disable and hide the ETP/FTP server feature in Everything:
  • Exit Everything (right click the Everything system tray icon and click Exit)
  • Open your Everything.ini in the same location as your Everything.exe
  • Change the following line:
    allow_etp_server=1
    to:
    allow_etp_server=0
  • Save changes and restart Everything.

I'll add an option in future releases of Everything to disable the PORT command.

https://en.wikipedia.org/wiki/FTP_bounce_attack

bobm
Posts: 7
Joined: Fri Aug 21, 2015 11:27 am

Re: FTP bounce vulnerability

Postby bobm » Wed Nov 29, 2017 11:26 am

Thanks.

I need to keep the FTP server running to answer requests from other users.

Will disabling the PORT command eliminate the vulnerability whilst allowing the FTP server to continue operating?
Or can it be configured to only allow other clients access to my server?

void
Site Admin
Posts: 3631
Joined: Fri Oct 16, 2009 11:31 pm

Re: FTP bounce vulnerability

Postby void » Fri Dec 01, 2017 5:23 am

I've added the ini option ftp_check_data_connection_ip to Everything 892.

When enabled, Everything will only allow data connections that have the same host as the control connection.

This setting will be enabled by default and prevent the FTP bounce vulnerability.

I've also added the ini option ftp_allow_port to completely disable the port command.


Will disabling the PORT command eliminate the vulnerability whilst allowing the FTP server to continue operating?


Yes, ftp_allow_port (when set to 0) and ftp_check_data_connection_ip (when set to nonzero) options will both prevent the FTP bounce vulnerability.

Or can it be configured to only allow other clients access to my server?


There is no per client control, it will either be on or off. The clients will most likely use the same data connection host as the control connection host, so this shouldn't effect any existing clients. If a client does want to specify a different data connection host you will need to disable the ftp_check_data_connection_ip ini setting.


Return to “Bug report”