FTP Category Description
This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent traffic related to attacks on FTP servers. FTP, or File Transfer Protocol, is the standard protocol used to transfer files across widely different operating systems. FTP servers usually require a lengthy login process to authenticate users before allowing them to download or upload files. Attackers have found a variety of vulnerabilities in FTP server software that they can exploit to cause these servers to malfunction, allowing them to circumvent security mechanisms, take control of the server, or make the server crash, resulting in a denial of service.
The most common attack on FTP servers is a buffer overflow attack. Attackers who have performed a scan of the network's servers can guess whether the software handling FTP requests is patched against known vulnerabilities, and exploit an unchecked buffer by sending a malformed command to the server. For example, several FTP server versions are vulnerable to a specially crafted STAT command, which is usually used to report the status of a connection, file, or directory. If the command includes an argument that is larger than 479 bytes, the program will write past the end of the allocated buffer, causing the server to crash or to execute code that the attacker included in the request. Buffer overflow attacks can effectively give attackers control of the compromised system.
Attackers also exploit vulnerabilities in FTP servers that involve mishandling of memory. For example, the SITE NEWER command is mishandled by the Washington University FTP Daemon (WU-FTPD), which fails to free memory when the command is executed, causing the server to crash.
Most other FTP attacks attempt to get the server to return information that it should not, by using special characters in requests that make the machine behave in unexpected ways. A common directory traversal attack involves attackers using strings like '..' in requests that they submit to the server, causing certain server versions to return an arbitrary file that the attacker would usually not be able to access. Other attacks return the first line of arbitrary files or a core dump of the server program, which can often supply shadowed passwords. These attacks can allow attackers to corrupt or steal sensitive information, presenting a significant liability for companies that maintain an FTP server.
SonicWALL FTP signatures are classified from low to high priority. When enabled for prevention, these signatures can keep malicious commands from reaching FTP servers. It should be noted, however, that vendors have made patches and updates available to close the vulnerabilities in the above-mentioned FTP server software. Administrators should use these patches and updates in conjunction with SonicWALL signatures to ensure maximum security for their FTP servers.
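The checks described above can be sketched as a small inspector for FTP control-channel lines. This is an added example, not SonicWALL's signature logic: the function names, finding labels, the set of path-taking commands and the sample lines are constructed for illustration, and flagging every SITE NEWER command is an assumed policy.

```python
import re

STAT_ARG_LIMIT = 479  # bytes; the threshold quoted in the text above
# Commands whose argument is a path (assumption: a representative subset)
PATH_VERBS = {b"RETR", b"STOR", b"CWD", b"LIST", b"NLST", b"STAT",
              b"DELE", b"MKD", b"RMD", b"SIZE", b"MDTM"}
# ".." as a whole path segment, with either slash style
TRAVERSAL = re.compile(rb"(^|[\\/])\.\.([\\/]|$)")

def parse_command(line: bytes):
    """Split one control-channel line into (VERB, raw argument bytes)."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    return verb.upper(), arg

def inspect(line: bytes):
    """Return the list of findings for one client command line."""
    verb, arg = parse_command(line)
    findings = []
    # Oversized STAT argument: length is measured on the raw bytes sent
    if verb == b"STAT" and len(arg) > STAT_ARG_LIMIT:
        findings.append("stat-oversized-argument")
    # SITE NEWER: flagged for review (assumed policy, see lead-in)
    if verb == b"SITE" and arg.upper().split()[:1] == [b"NEWER"]:
        findings.append("site-newer")
    # '..' used as a path segment in a path-taking command
    if verb in PATH_VERBS and TRAVERSAL.search(arg.strip()):
        findings.append("dot-dot-path-segment")
    return findings

def scan(lines):
    """Return (line number, findings) for every line with a finding."""
    hits = []
    for number, line in enumerate(lines, 1):
        findings = inspect(line)
        if findings:
            hits.append((number, findings))
    return hits

# Constructed sample session, not captured traffic
SAMPLE = [
    b"USER anonymous\r\n",
    b"STAT /pub\r\n",
    b"STAT " + b"A" * 480 + b"\r\n",
    b"RETR ../../etc/passwd\r\n",
    b"RETR notes..txt\r\n",
    b"site newer 19990101000000 /\r\n",
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE):
        print(number, findings)
```

Matching '..' only as a whole path segment keeps file names such as notes..txt from being flagged.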