False report / improvement suggestion for ftpd_no_cmd.nasl

I’m getting some of what I think are false results from ftpd_no_cmd.nasl. I have access to some Kronos 4500 time clocks that use VxWorks ftpd. The give a banner upon login, which looks like this:

220 Tornado-vxWorks (VxWorks5.5.1) FTP server ready

I am able to login to the ftp server and retrieve files using the default credentials for these devices, but they keep showing up with this result:

Fake FTP server does not accept any command OID: 1.3.6.1.4.1.25623.1.0.80064

Other than ftpd_no_cmd.nasl and ftp_func.inc where else could I look to find this issue?

1 Like

Thanks for your posting.

We’re already aware that this 3rdparty VT is flagging some valid but specific FTP services (including the one posted) wrongly and improvements for it are already planned (but not scheduled yet).

If you still want to have a look on your own i can see that the VT is sending the following requests to the FTP service:

HELP

and

USER ftp

with a retry count of 3 and is flagging the service if one of the request is failing. You can have a look manually how the mentioned service is answering to these requests if these are sent manually to it.

2 Likes

That’s it…

ftp> HELP
?Invalid command
ftp> USER ftp
?Invalid command
ftp> quit
1 Like

In this specific case, it’s because the FTP server is expecting the commands in lower-case.
Using “help” and “user ftp” both came back with expected results.

1 Like

As @_ad said, these Kronos things are fragile. FTP commands are not supposed to be case sensitive. Indeed, way back in RFC959, it is stated:

Upper and lower case alphabetic characters are to be treated identically.
1 Like

Gonna test this today with a “tolower()” function in it, just to validate. I don’t think that’s a great solution, but I just want to know what it will show in the scanner.

2 Likes

Okay, using this block of nasl, which I modified slightly from the original, it seems to work:

###############################################################################
# OpenVAS Vulnerability Test
# $Id: ftpd_no_cmd.nasl 11018 2018-08-17 07:13:05Z cfischer $
#
# Fake FTP server does not accept any command
#
# Authors:
# Michel Arboi <mikhail@nessus.org>
#
# Copyright:
# Copyright (C) 2008 Michel Arboi
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.80064");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
  script_version("$Revision: 11018 $");
  script_tag(name:"last_modification", value:"$Date: 2018-08-17 09:13:05 +0200 (
Fri, 17 Aug 2018) $");
  script_tag(name:"creation_date", value:"2008-10-24 23:33:44 +0200 (Fri, 24 Oct
 2008)");
  script_tag(name:"cvss_base", value:"0.0");
  script_name("Fake FTP server does not accept any command");
  script_category(ACT_GATHER_INFO);
  script_family("FTP");
  script_copyright("This script is Copyright (C) 2008 Michel Arboi");
  script_dependencies("find_service.nasl", "find_service_3digits.nasl");
  script_require_ports("Services/ftp", 21);

  script_tag(name:"insight", value:"The remote server advertises itself as being
 a FTP server, but it does
  not accept any command, which indicates that it may be a backdoor or a proxy.
  Further FTP tests on this port will be disabled to avoid false alerts.");
  script_tag(name:"summary", value:"The remote FTP service is not working propery");

  script_tag(name:"qod_type", value:"remote_banner");

  exit(0);
}

include('global_settings.inc');
include('misc_func.inc');
include('ftp_func.inc');

port = get_ftp_port( default:21 );

soc = open_sock_tcp( port );
if( ! soc ) exit( 0 );

r = ftp_recv_line( socket:soc, retry:3 );
if( ! r ) {
  debug_print('No FTP welcome banner on port ', port, '\n');
  set_kb_item( name:"ftp/" + port + "/no_banner", value:TRUE );
  ftp_close( socket:soc );
  exit( 0 );
}
debug_print( level:2, 'Banner = ', r );

if( r =~ '^[45][0-9][0-9] ' || match( string:r, pattern:'Access denied*', icase:
TRUE ) ) {
  log_print( level:1, 'FTP server on port ', port, ' is closed\n' );
  set_kb_item( name:"ftp/" + port + "/denied", value:TRUE );
  ftp_close( socket:soc );
  exit( 0 );
}

# Not QUIT, as some servers close the connection without a 2xx code

# FIX: Changed this to use tolower() function
#         because the FTP service violates RFC959 and expects only lowercase commands
foreach cmd( make_list(tolower('HELP'), tolower('USER ftp')) ) {
  display('Sending command: ' + cmd);
  send( socket:soc, data:cmd +'\n');

  # FIX: Changed this line from ftp_recv_line to recv
  #         because the FTP service was returning multiple lines, not just one.
  r = recv( socket:soc, length:1024 );
  display('Banner = ', r);
  if( r !~ '[1-5][0-9][0-9][ -]') {
    debug_print( 'FTP server on port ', port, ' answer to ', cmd, ': ', r );
    log_message( port:port );
    set_kb_item( name:"ftp/" + port + "/broken", value:TRUE );
    close( soc );
    exit( 0 );
  }
  debug_print( level:2, 'FTP server on port ', port, ' answer to ', cmd, ': ', r
 );
}

close( soc );
exit( 0 );
2 Likes

Thanks for digging into this topic and providing the additional info.

It might always happen that some specific services are not complying with a RFC and only accepting the “lowercase” variants of the commands explain the seen message / wrong flagging of the service.

The provided info will definitely help once we’re tackling the update of that specific VT. Stay tuned, the update will happen in the next few weeks and i will post the info here once it was done.

3 Likes

This was indeed the problem i had noticed as well while getting a hand on such devices and implementing some updates.

The mentioned VT has been updated and submitted to our SCM today so that it handles such services in a more reliable way and with improved output in the case it is hitting a service not answering as expected.

Testing / feedback is very welcome.

Based on my tests the “lowercase” wasn’t a problem (at least with the current / now updated ftpd_no_cmd.nasl) because the service seems to accept both (upper and lowercase), this is also confirmed by the following:

Those “Invalid command” are coming from the ftp client, not from the FTP service itself.

2 Likes

Yep, that seals it. I’m a dork. The change from ftp_recv_line to recv fixed the issues I saw. Don’t know why I was thinking it was upper- vs. lower-case.

1 Like