Sunday, October 30, 2011

AUTH TLS + FEAT

I ran across a vulnerability a little while ago that was rather interesting. FTP has a "FEAT" (Features) command that asks the server which optional features it supports, and FTPS adds "AUTH TLS" to start a TLS handshake on the control connection. Once the server has answered AUTH TLS with a 234 reply, everything that follows on that connection is supposed to be the TLS handshake; the server must not keep parsing bytes that were already sitting in its input buffer as plaintext commands. A server that does will answer a FEAT (or any other command) that was sent in the same packet as AUTH TLS before the session is encrypted, and anyone who can inject into the plaintext side of the connection can get commands processed as if they were part of the protected session.

Nessus reported the issue, and its output gave the following as the steps to reproduce it:
Nessus sent the following two commands in a single packet :

AUTH TLS\r\nFEAT\r\n

And the server sent the following two responses :

234 AUTH command ok. Expecting TLS Negotiation.
211-Extended features supported:
LANG EN*
UTF8
AUTH TLS;TLS-C;SSL;TLS-P;
PBSZ
PROT C;P;
CCC
HOST
SIZE
MDTM
211 END

Now, I may not be the smartest person when it comes to telnet, but I am pretty sure you are not able to pass '\r\n' into a telnet session. After making a few attempts my suspicions were confirmed, and I was left wondering what I needed to do to get the command to execute properly.

I turned to Google for help and found a forum post that answered my question: the control character for 'return'/'enter' is ^J. By using ^J I was able to insert a 'return' without having it executed until I physically hit the Return key after typing all the commands I wanted to execute.

testing:~ hyrum$ telnet www.testsite.com 21
Trying 1.2.3.4...
Connected to www.testsite.com.
Escape character is '^]'.
220 Microsoft FTP Service
AUTH TLS^JFEAT
234 AUTH command ok. Expecting TLS Negotiation.
211-Extended features supported:
 LANG EN*
 UTF8
 AUTH TLS;TLS-C;SSL;TLS-P;
 PBSZ
 PROT C;P;
 CCC
 HOST
 SIZE
 MDTM
211 END

By inserting ^J after 'AUTH TLS' it was possible to append the FEAT command in the same line, and the server answered it in cleartext right after the 234, before any TLS handshake had taken place. RFC 4217 says that a server supporting FEAT must advertise its security commands in that reply, which is exactly what came back:

"If a server supports the FEAT command, then it MUST advertise supported AUTH, PBSZ, and PROT commands in the reply, as described in section 3.2 of [RFC-2389]."

It ended up being that simple. Control characters really do come in handy sometimes. So, the next time you want to pass two commands in one go during a telnet session, don't forget about ^J.
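The exchange above, as an added example that is not part of the original post: a toy FTP control-channel server that can be run in either a vulnerable mode (it keeps parsing bytes buffered alongside AUTH TLS as plaintext commands) or a fixed mode (it discards that buffered input once it has accepted AUTH TLS), plus a probe that pipelines AUTH TLS and FEAT in a single write, the way Nessus did, and reports whether a FEAT reply came back before any TLS handshake. The server names (ToyFtpServer, probe, reply_codes), the banner and the FEAT reply text are constructed for the example; the toy never actually speaks TLS, it just stops reading where a real server would start the handshake.

```python
# Added example (not from the original post): toy FTP server in two modes and a
# probe that sends "AUTH TLS\r\nFEAT\r\n" in one write, then reports which replies
# arrived in cleartext. Server names, banner and FEAT text are constructed here.
import socket
import threading

PIPELINED = b"AUTH TLS\r\nFEAT\r\n"   # the two commands Nessus sent in one packet
FEAT_REPLY = (b"211-Extended features supported:\r\n"
              b" AUTH TLS;TLS-C;SSL;TLS-P;\r\n PBSZ\r\n PROT C;P;\r\n"
              b"211 END\r\n")


class ToyFtpServer(threading.Thread):
    """Accepts one connection. With discard_plaintext=True it throws away any bytes
    that were buffered together with AUTH TLS (the fix); otherwise it keeps parsing
    them as commands before the handshake (the bug)."""

    def __init__(self, discard_plaintext):
        super().__init__(daemon=True)
        self.discard_plaintext = discard_plaintext
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn:
            conn.sendall(b"220 Toy FTP Service\r\n")
            buf, tls_pending = b"", False
            while True:
                if b"\r\n" not in buf:
                    if tls_pending:
                        break          # a real server would start the TLS handshake here
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                    continue
                line, buf = buf.split(b"\r\n", 1)
                verb = line.split(b" ", 1)[0].upper()
                if verb == b"AUTH":
                    conn.sendall(b"234 AUTH command ok. Expecting TLS Negotiation.\r\n")
                    tls_pending = True
                    if self.discard_plaintext:
                        buf = b""      # nothing read before the handshake may be trusted
                elif verb == b"FEAT":
                    conn.sendall(FEAT_REPLY)
                else:
                    conn.sendall(b"502 Command not implemented.\r\n")
        self.sock.close()


def reply_codes(data):
    """Codes of completed replies in a raw control-channel byte stream. A multi-line
    reply ('211-...' ... '211 END') is counted once, at its final line."""
    codes = []
    for line in data.split(b"\r\n"):
        if len(line) >= 4 and line[:3].isdigit() and line[3:4] == b" ":
            codes.append(line[:3].decode())
    return codes


def probe(host, port, timeout=3.0):
    """Pipeline AUTH TLS + FEAT in one write and report what came back in cleartext."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(4096)                   # 220 banner
        s.sendall(PIPELINED)           # both commands in a single write
        data = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass                       # server is waiting for a ClientHello we never send
    codes = reply_codes(data)
    after_auth = codes[codes.index("234") + 1:] if "234" in codes else []
    return {"codes": codes, "plaintext_after_auth": bool(after_auth)}


def probe_toy_server(discard_plaintext):
    """Start one toy server in the chosen mode and probe it."""
    srv = ToyFtpServer(discard_plaintext)
    srv.start()
    result = probe("127.0.0.1", srv.port)
    srv.join(timeout=3.0)
    return result


if __name__ == "__main__":
    print("vulnerable:", probe_toy_server(discard_plaintext=False))
    print("fixed:     ", probe_toy_server(discard_plaintext=True))
```

Against the vulnerable mode the probe sees the codes 234 and then 211, i.e. the FEAT reply arrived in cleartext after AUTH TLS was accepted; against the fixed mode it sees only the 234. Pointed at a real host, probe() behaves the same way except that a correctly behaving server leaves the connection open waiting for the TLS handshake, which is why the read loop stops on the socket timeout.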

5 comments:

  1. Hey buddy, how do I get the green text on the black background in the grey border like you do?

    I have the same theme and am not sure how to do this.

    thanks :)

    leonteale89[at]gmail.com

    Replies
    1. This comment has been removed by the author.

    2. Wow... Too tired. Sorry for deleting the first reply.

      Inside the Template you can edit the <pre> tag to be the following:

      pre {
      border-style:solid;
      border-color: gray;
      background-color: #000103;
      color: #00F94F;
      font-family: consolas;
      font-size: 12px;
      }

  2. You can also avoid using telnet and pass that string through echo and pipe it to ncat

    echo -e "AUTH TLS\r\nFEAT\r\n" | ncat -C -v ipaddress port

    :)

    Replies
    1. If I ever run across this again, hopefully never, I will have to give this a try.
