Securing 7 Layers of Insecurity

Chapter 63: FTP and HTTP
The Art of Serving Files and Content.

“And bring me a hard copy of the Internet so I can do some serious surfing.”
-- Scott Adams

Copyright Information

Some rights reserved / Einige Rechte vorbehalten
Michael Kafka, René Pfeiffer, Sebastian Mayer
C.a.T. Consulting and Trainings, Vienna, Austria

You may freely use, distribute and modify this work under the following agreement:
  • Authors must be referenced (also for modification)
  • Only for non-commercial use
  • Derivative work under same licence
http://www.creativecommons.com
© November 2007

Agenda
  • FTP Overview
  • HTTP Overview
  • HTTP Attacks
  • WebDAV
  • Tunneling

File Transfer Protocol (FTP)
Historical File Transfers.

FTP Overview
  • Born with RFC 114 in 1971, older than TCP
  • FTP uses three modes: active FTP, passive FTP and extended passive FTP
  • FTP uses two TCP connections
      Command channel: 21/TCP
      Data channel: 20/TCP, dynamic/TCP

FTP Properties
  • FTP transmissions are unencrypted
      Important for logins/passwords
  • Anonymous mode for serving data
  • Higher latency because of commands
  • No integrity check of transmitted files
  • FTP adds complexity to filters

Anonymous FTP
  • Anonymous FTP is used frequently
  • No login, no password
      Any login will do
      Polite users use e-mail as password
  • Writable anonymous FTP servers are dangerous
      Abuse as file deposit possible
      Fix: anonymous ≠ writable

File eXchange Protocol (FXP)
  Client C → Server A                              Client C → Server B
  C→A : Connect                                    C→B : Connect
  C→A : PASV
  A→C : 227 Entering Passive Mode. A1,A2,A3,A4,a1,a2
                                                   C→B : PORT A1,A2,A3,A4,a1,a2
                                                   B→C : OK
  C→A : STOR                                       C→B : RETR
                                                   B→A : Connect to Server A, port a

Trivial File Transfer Protocol (TFTP)
Adding Triviality may create Insecurity.
TFTP Overview
  • TFTP uses 69/UDP for data transmission
  • TFTP uses no encryption
  • TFTP reads/writes files
      No commands
      No directory listings
      No authentication
  • TFTP supplies its own transport and session
      Single file transfers (one at a time)
      Lock-step mode

TFTP Security
  • TFTP servers often carry boot information
      Initial configurations
      Boot images
  • TFTP doesn't support directory listings
      Scanning nevertheless possible
      Brute-force file requests
  • Implementation bugs
      Long file names, packet floods, …
  • Risk: medium
  • Impact: medium

HyperText Transfer Protocol (HTTP)
Let's just Call It The Web.

HTTP Overview
  • Stateless request/response protocol
      Request type
      Header information
      Data (request/response body)
  • Response carries status code
  • HTTP assumes reliable transport
      TCP/IP is common
      Can be used with other protocols

Common HTTP Methods
  • HEAD
  • GET
  • POST
  • PUT
  • DELETE
  • TRACE
  • OPTIONS
  • CONNECT

HTTP Authentication
  • HTTP offers “built-in” authentication
  • Basic access authentication
      Server asks for password to realm
      Client answers with BASE64 “encryption”
  • Digest access authentication
      Server issues a challenge
      Client must create a suitable response
      Challenge/response uses MD5 hashes

Breaking Authentication
  • Basic authentication
      BASE64 is next to no challenge
      Brute-force passwords, sniffing
  • Digest authentication
      Brute-force with sniffed nonce/response
      MITM attack with brute-force
  • Risk: medium
  • Impact: medium/high

HTTP Response Splitting
  • Trick web application with %0a and %0d
      Target redirect scripts
      Insert CR and LF (%0a, %0d)
  • Add a second HTTP header
      Overwrite first header information
      User sees different web page
      Caches might store different content
  • Risk: medium
  • Impact: medium

HTTP Request Smuggling
  • Create an HTTP request, send it to proxy
      Embed second HTTP request in header
  • Check if intermediate system works correctly
      SunOne Proxy 3.6 (SP4) doesn't
      FW-1/FP4-R55W β doesn't
  • FW/IPS/IDS evasion
  • Cache poisoning
  • Risk: medium
  • Impact: medium

WebDAV
Web-based Distributed Authoring and Versioning.

WebDAV Overview
  • WebDAV enables reading & writing to server
      Used for collaborative editing
      Other extensions exist
  • WebDAV adds methods to HTTP
      PROPFIND, MKCOL, COPY, LOCK, …
  • WebDAV clients use permissions of server
      Important for WebDAV-enabled “shares”
      Shares mustn't overlap with web space

WebDAV Attacks
  • mod_dav keeps request bodies in memory
      Possible memory exhaustion
      LimitXMLRequestBody directive
  • PROPFIND causes directory walks
      Memory/CPU exhaustion
      Disallow ∞ depth requests
  • WebDAV allows file sharing
      Disk space exhaustion

WebDAV Network Traffic
  • Protect WebDAV access
      by authentication such as digest auth
      by encryption such as SSL/TLS
      by limiting exposed directories on server
      by limiting HTTP methods
  • Inspect HTTP headers
  • Use layer 7 proxy
  • Monitor & analyse for anomalies
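The Basic and Digest exchanges from the HTTP Authentication and Breaking Authentication slides, as an added Python example that is not part of the slide deck: the realm, user and password are constructed for the demo, and the Digest formula is RFC 2617 without qop, i.e. the MD5 challenge/response the slides describe.

```python
import base64
import hashlib
import hmac
import secrets

REALM = "dav@example.test"                  # constructed realm for the demo
USERS = {"alice": "correct horse battery"}  # constructed server-side credential store

def basic_credentials(header: str):
    """Basic: the BASE64 'encryption' the slide mentions is reversible by anyone who sniffs it."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password

def md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def new_challenge() -> dict:
    """Server side: a fresh unpredictable nonce ties a response to this one challenge."""
    return {"realm": REALM, "nonce": secrets.token_hex(16)}

def digest_response(user, password, method, uri, nonce, realm=REALM) -> str:
    """Client side, RFC 2617 without qop: MD5(HA1 ':' nonce ':' HA2).
    The password never crosses the wire, but whoever sniffs nonce and response
    can test guesses offline with this same formula (the slide's brute-force point)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def verify(user, method, uri, nonce, response, issued: set) -> bool:
    """Server side: recompute from the stored secret; unknown or reused nonces are refused."""
    if nonce not in issued or user not in USERS:
        return False
    issued.discard(nonce)  # single use, so a replayed response fails next time
    expected = digest_response(user, USERS[user], method, uri, nonce)
    return hmac.compare_digest(expected, response)

def run_exchange(user, password, method="PROPFIND", uri="/dav/") -> dict:
    """One challenge/response round trip, then a replay of the very same response."""
    issued = set()
    chal = new_challenge()
    issued.add(chal["nonce"])
    resp = digest_response(user, password, method, uri, chal["nonce"], chal["realm"])
    first = verify(user, method, uri, chal["nonce"], resp, issued)
    replay = verify(user, method, uri, chal["nonce"], resp, issued)
    return {"accepted": first, "replay_accepted": replay}
```

The single-use nonce stops replay, but the sniffed nonce/response pair still lets an observer test password guesses offline, which is why the slide keeps the impact at medium/high even for Digest.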
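The redirect-script weakness from the HTTP Response Splitting slide, shown as an added Python example (not from the slides) with the vulnerable builder beside its hardened form and a log check for the %0d/%0a fingerprint; the crafted parameter, the injected header name and the access-log lines are constructed for the demo.

```python
import re
from urllib.parse import unquote

class HeaderInjection(ValueError):
    """Raised when a value would end the header line it is placed into."""

def build_redirect_vulnerable(target: str) -> bytes:
    """The redirect script the slide targets: the decoded parameter is pasted into Location as-is."""
    location = unquote(target)
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n".encode("latin-1")

def safe_header_value(value: str) -> str:
    """Hardened form: refuse CR, LF and NUL after decoding, so one value can only ever be one header."""
    if re.search(r"[\r\n\x00]", value):
        raise HeaderInjection("control character in header value")
    return value

def build_redirect_hardened(target: str) -> bytes:
    location = safe_header_value(unquote(target))
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n".encode("latin-1")

def hardened_accepts(target: str) -> bool:
    """True if the hardened builder emits a response for this parameter, False if it refuses."""
    try:
        build_redirect_hardened(target)
        return True
    except HeaderInjection:
        return False

def header_names(raw: bytes) -> list:
    """Header names in a raw response; a split response shows a name the script never intended."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]

ENCODED_CRLF = re.compile(r"%0[dDaA]")

def suspicious_requests(log_lines: list) -> list:
    """Detection: request lines carrying percent-encoded CR or LF, the fingerprint of this trick."""
    return [line for line in log_lines if ENCODED_CRLF.search(line)]

# Constructed sample input (not from the slides): one crafted parameter, two access-log lines.
CRAFTED = "/home%0d%0aX-Injected:%20yes"
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2007:10:00:00 +0100] "GET /redir?to=/home HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Nov/2007:10:00:01 +0100] "GET /redir?to=/home%0d%0aX-Injected:%20yes HTTP/1.1" 302 0',
]
```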
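A request policy for the layer 7 proxy the WebDAV Network Traffic slide recommends, as an added Python example that is not from the slides: it confines WebDAV methods to one share, caps XML bodies (the idea behind LimitXMLRequestBody), refuses infinite-depth PROPFIND and refuses Basic credentials off TLS. The share prefix, method allow-list, body cap and sample requests are assumptions for the demo.

```python
SHARE = "/dav/"   # assumed: the only prefix where WebDAV and write methods may be used
SHARE_ONLY = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "PUT", "DELETE"}
ALLOWED = SHARE_ONLY | {"OPTIONS", "GET", "HEAD"}          # TRACE, CONNECT, POST etc. are refused
XML_BODY = {"PROPFIND", "PROPPATCH", "LOCK"}                 # methods whose body mod_dav parses in memory
MAX_XML_BODY = 1_000_000   # assumed cap in bytes, the same idea as the LimitXMLRequestBody directive

def check_request(method: str, path: str, headers: dict, body_len: int, tls: bool) -> tuple:
    """Layer-7 policy for one request; returns (allowed, reason). Header names are case-insensitive."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    if method not in ALLOWED:
        return False, f"method {method} not allowed"
    if method in SHARE_ONLY and not path.startswith(SHARE):
        return False, "WebDAV method outside the share"      # share must not overlap web space
    if method in XML_BODY and body_len > MAX_XML_BODY:
        return False, "XML request body too large"           # memory exhaustion guard
    if method == "PROPFIND" and h.get("depth", "infinity") == "infinity":
        return False, "infinite-depth PROPFIND refused"      # RFC 4918: missing Depth means infinity
    if h.get("authorization", "").startswith("basic ") and not tls:
        return False, "Basic credentials sent without TLS"   # BASE64 is no protection on the wire
    return True, "ok"

# Constructed sample traffic (not from the slides): (method, path, headers, body length, tls)
SAMPLE = [
    ("PROPFIND", "/dav/docs/", {"Depth": "1", "Authorization": 'Digest username="alice"'}, 512, True),
    ("PROPFIND", "/dav/docs/", {}, 512, True),
    ("PROPFIND", "/dav/", {"Depth": "0"}, 5_000_000, True),
    ("MKCOL", "/www/uploads/", {}, 0, True),
    ("TRACE", "/", {}, 0, True),
    ("GET", "/dav/a.txt", {"Authorization": "Basic YWxpY2U6c2VjcmV0"}, 0, False),
    ("GET", "/index.html", {}, 0, False),
]

def audit(requests: list) -> list:
    """Run the policy over a batch and return (method, path, reason) for every refused request."""
    return [(m, p, check_request(m, p, hdrs, n, tls)[1])
            for m, p, hdrs, n, tls in requests if not check_request(m, p, hdrs, n, tls)[0]]
```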
HTTP Tunneling
Hyper Text Tunneling Protocol.

Firewall Enhancement Protocol (FEP)
“Internet Transparency via the end-to-end architecture of the Internet has allowed vast innovation of new technologies and services [1]. However, recent developments in Firewall technology have altered this model and have been shown to inhibit innovation. We propose the Firewall Enhancement Protocol (FEP) to allow innovation, without violating the security model of a Firewall. With no cooperation from a firewall operator, the FEP allows ANY application to traverse a Firewall. Our methodology is to layer any application layer Transmission Control Protocol/User Datagram Protocol (TCP/UDP) packets over the HyperText Transfer Protocol (HTTP) protocol, since HTTP packets are typically able to transit Firewalls.”
-- RFC 3093, 1 April 2001

HTTP Tunneling
  • HTTP is very proxy-friendly
      Many protocols use it as tunnel
      CONNECT method provides TCP/IP
  • HTTP transports all things binary
      Ideal for piercing firewalls
      Works through proxies
      Mediator web server connects from end-point

HTTP Tunnel Tools
  • GNU httptunnel
      htc/hts, work without web server
  • JHTTPtunnel
      Java implementation
      Think mobile clients
  • HTTPtunnel - in PHP/Perl

Summary
  • Use FTP servers with caution.
