Security Best Practice: Protect Yourself against FTP Format Strings Attacks
| Check Point Reference: | SBP-2007-06 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | ||
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? FTP Servers | ||
| Vulnerability Description The File Transfer Protocol (FTP) is used to connect computers over the Internet enabling file transferring between their users. FTP format string attacks are a common threat on vulnerable systems. Format string attacks can be used to crash a program or to execute malicious code. Successful format string attack will compromise a target system. |
||
|
Vulnerability Details Remote exploitation of a format string vulnerability could allow server crash or execution of arbitrary code. Format string is a way of telling the C compiler how it should format numbers when it prints them. A number of functions accept a format string as an argument. A remote attacker could include a crafted request within a certain function to crash the server or cause it to execute arbitrary code. |
Protection Overview
By enabling this protection, SmartDefense will detect and block special format string characters within FTP commands.
In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
VPN-1 NGX R65 & R62
How Can I Protect My Network? Block Format String Attacks
1. In the SmartDefense tab, click Application Intelligence > FTP > FTP Patterns. 
2. In the configuration pane, under Settings > Mode, check Active.
3. Select the following protection:
4. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: FTP Patterns Protection Violation
Attack Information: Suspicious format string detected
VPN-1 NGX R61 & R60
How Can I Protect My Network? Block Format String Attacks 3. Install security policy on all modules.
1. In the SmartDefense tree, click Application Intelligence > FTP > and select FTP Patterns.
2. In the configuration pane, select the following protection:
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: FTP Patterns Protection Violation
Attack Information: Suspicious format string detected
InterSpect NGX
How Can I Protect My Network? Block Format String Attacks
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > FTP > FTP Patterns.
3. In the configuration pane, select the following pattern:
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: FTP Patterns Protection Violation
Attack Information: Suspicious format string detected
Connectra NGX R61/R62
How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following:
Block Format String Attacks
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:
Attack Name: FTP Patterns Protection Violation
Attack Information: Suspicious format string detected