Fuzzing FTP Servers
Sad as it is, I had no plans for the bank holiday weekend. The weather wasn’t great and I wasn’t very motivated to do anything outside the house (I think they have a name for that, agoraphobia?). I fired up VMware Fusion, installed XP and downloaded a shed load of FTP servers and started fuzzing. Let me just state now that I am no expert fuzzer; in fact, the purpose of this post is to report not only the final results but also the journey that I took to get there.
I had two choices open to me, write my own fuzzer or use something off the shelf. Well, I wanted results quickly so I picked InfigoFTP Stress Fuzzer and dusted off trusty old Metasploit.
FTP Servers Tested
Quick n Easy FTP Server
Xlight FTP Server
Golden FTP Server
Sysax FTP Server
Cerberus FTP Server
So what are you actually testing?
To start with I just wanted to see how susceptible the servers were to crashing when provided with dubious data. It was only after actually doing the testing that I realised I hadn’t really set an objective. This led to me only really testing the servers’ ability not to crash.
When fuzzing, the biggest limitation is time. There is an infinite number of combinations of commands and parameters which can be sent to the FTP server.
Of the two fuzzers I used, neither looked at the server responses. If I was looking for directory traversal or authentication bypass attacks I would have to use a different tool or code something myself.
1 – You have to define the objective of your fuzzing. Is it to find an exploit for remote code execution or DoS, or to find an authentication bypass vulnerability?
2 – The majority of the servers I tested were fairly robust.
4 – There was lots of inconsistency with regard to implementing the FTP RFC.
5 – There was a massive difference in the specific commands which the FTP servers implemented.
6 – Most of the servers would drop connections if an invalid command was entered rather than producing an error message.
7 – Overall the testing took a lot of time.
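
A response-aware check of the kind points 4 to 6 touch on, added here as an example and not taken from the post or from either fuzzer: it sends one command to a server under test and records whether the server answered with a reply code (RFC 959 specifies 500 or 502 for an unrecognised command) or dropped the connection. The stub server, the `XYZZ` command and all function names are constructed for the demonstration.

```python
import socket
import threading

def classify_reply(sock_file):
    """Read one reply line; return its 3-digit code, 'malformed' or 'dropped'."""
    try:
        line = sock_file.readline()
    except OSError:              # reset or timeout while waiting for a reply
        return "dropped"
    if not line:                 # clean close without any reply
        return "dropped"
    code = line[:3].decode("ascii", "replace")
    return code if code.isdigit() else "malformed"

def probe(host, port, command, timeout=3.0):
    """Send one command after the banner and report how the server answered."""
    with socket.create_connection((host, port), timeout=timeout) as s, \
            s.makefile("rb") as f:
        banner = classify_reply(f)
        s.sendall(command.encode("ascii") + b"\r\n")
        return {"banner": banner, "reply": classify_reply(f)}

def stub_server(drop_on_unknown):
    """Constructed stand-in for a server under test; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 stub ready\r\n")
            conn.recv(1024)                       # read the probe command
            if not drop_on_unknown:
                conn.sendall(b"500 Unknown command\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Probe one stub that replies and one that drops the connection."""
    results = {}
    for name, drop in (("replies", False), ("drops", True)):
        results[name] = probe("127.0.0.1", stub_server(drop), "XYZZ")
    return results

if __name__ == "__main__":
    print(demo())
```

Logging the reply code per command makes the differences between servers comparable across runs, which a crash-only fuzzer cannot show.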