NTA Monitor

NTA discover Raptor Firewall vulnerability

NTA Monitor has discovered a vulnerability in the latest version of the Raptor Firewall, 6.5.3i operating on Sun Solaris. The flaw can make an FTP server behind the Firewall vulnerable to the well-known FTP bounce attack even if the FTP server is itself not vulnerable to this issue.

NTA Monitor discovered the issue in the course of a Regular Monitor penetration test performed for a corporate client. NTA's test report detailed the system's vulnerability to the FTP bounce attack, which upon further investigation was found to be caused by the Firewall rather than the FTP server. See packet traces below.

Packet traces (linked from the original page; the captures themselves are not reproduced here):
- tcpdump packet trace - hacker system
- tcpdump packet trace - ftp server
- tcpdump packet trace - victim system

The FTP bounce attack involves a hostile client system connecting to an FTP server and tricking it into sending data to a third-party system, the "victim", rather than back to the connecting client. Most modern FTP servers safeguard against this well-known problem by refusing a PORT command that specifies an IP address other than the one the client connected from.

The Raptor issue occurs when the Firewall FTP proxy is used for inbound FTP connections. When handing connections to the FTP server, the Firewall proxy rewrites the IP address in the FTP PORT command so that it appears to specify the connecting client's IP address. This occurs even if the IP address in the PORT command specifies a victim system. When the FTP server sends data to this port, the Firewall changes the address back to that of the victim on the way out.

[diagram]

The FTP server has no way of detecting the FTP bounce attack because the addresses are rewritten so that they appear to reference the client system. It will therefore unknowingly send data to a victim system if requested by a hostile client.
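To make the mechanism above concrete, here is an added Python model that is not part of NTA Monitor's advisory and does not reproduce any Raptor code. It implements the anti-bounce check a modern FTP server applies to a PORT command (compare the address in PORT with the control connection's peer address), then models the proxy behaviour the advisory describes (rewrite the PORT address to the client's own address and remember the original target) to show why the server-side check passes anyway, and finally shows the fix a defender wants at the perimeter: apply the same check at the proxy before rewriting. The client and victim addresses are constructed documentation-range values, and the privileged-port refusal in `server_accepts_port` is a common extra hardening step, not something the advisory mentions.

```python
import ipaddress
import re

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_command(line):
    """Parse a PORT command into (IPv4Address, port); raise ValueError if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    ip = ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}")
    return ip, (p1 << 8) | p2


def format_port_command(ip, port):
    """Inverse of parse_port_command."""
    return "PORT " + ",".join(str(ip).split(".") + [str(port >> 8), str(port & 0xFF)])


def server_accepts_port(line, control_peer_ip):
    """Anti-bounce check in a modern FTP server: the data connection may only go
    back to the host that opened the control connection (plus a privileged-port
    refusal, a common hardening step that is an assumption here, not from the page)."""
    try:
        ip, port = parse_port_command(line)
    except ValueError:
        return False
    if port < 1024:
        return False
    return ip == ipaddress.IPv4Address(control_peer_ip)


def rewriting_proxy(line, client_ip):
    """Model of the behaviour the advisory describes (an assumption about the
    proxy's internals): the address in PORT is replaced with the connecting
    client's address regardless of what was requested, and the original target
    is remembered so the outgoing data connection can be redirected to it."""
    ip, port = parse_port_command(line)
    return format_port_command(ipaddress.IPv4Address(client_ip), port), (ip, port)


def checking_proxy(line, client_ip):
    """Corrected behaviour: validate PORT against the real client address at the
    perimeter before rewriting; return None when the command must be rejected."""
    if not server_accepts_port(line, client_ip):
        return None
    return rewriting_proxy(line, client_ip)[0]


def demo():
    client = "192.0.2.10"     # constructed: address of the connecting client
    victim = "198.51.100.7"   # constructed: third-party address named in PORT
    request = format_port_command(ipaddress.IPv4Address(victim), 4444)
    results = {}
    # Direct connection: the server's own check refuses the third-party address.
    results["direct"] = server_accepts_port(request, client)
    # Through the rewriting proxy: the server sees its client's address and accepts,
    # yet the proxy will deliver the data to the remembered original target.
    rewritten, original_target = rewriting_proxy(request, client)
    results["via_rewriting_proxy"] = server_accepts_port(rewritten, client)
    results["data_goes_to"] = str(original_target[0])
    # A proxy that checks before rewriting stops the bounce at the perimeter.
    results["via_checking_proxy"] = checking_proxy(request, client) is not None
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the three outcomes side by side: the server rejects the request when it sees the real PORT address, accepts it once the proxy has rewritten the address to the client's own, and the checking proxy rejects it before the server is ever involved. The design point for a proxy author is that any address rewriting must happen after, not instead of, the origin check.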

This is a rare example of a Firewall increasing the vulnerability of a system. In the worst case, a Firewall may provide an inadequate level of defence, but a Firewall should never have a detrimental effect on security.

The primary implication of this vulnerability is the ability for a hacker to use an organisation's system as a vehicle to attack a victim system, whilst completely hiding their identity. Possible attacks include port scanning and sending of unsolicited data to arbitrary ports on the victim system.

The vulnerability has been posted on Bugtraq http://online.securityfocus.com/archive/1/267784

NTA Monitor are offering a specific test to check for vulnerability to this flaw; see the NTA Monitor website for more information.

This advisory was first released on 30th January 2003.