
Hypothetically speaking, if an attacker finds an anonymous FTP login, what's the worst they can possibly do, other than the obvious impact of gaining access to the files via FTP?

schroeder
Jack
  • Software (including FTP servers) might have bugs which can only be exploited after successful authentication. Depending on the server configuration not only read access but also write access might be possible, which can also be an attack vector. – Steffen Ullrich Mar 17 '22 at 15:55
  • I was thinking of something severe like RCE. For example, if the server supports PHP and if the attacker has the ability to upload files, they could simply upload a PHP shell and access it via browser (ports 80 and 445 are both open); this could result in RCE. – Jack Mar 17 '22 at 16:06
  • A system could be created which is exploitable this way. This does not mean that such a system exists in reality - nor that it doesn't. Everything here is pure speculation which makes this a bad question in my opinion. – Steffen Ullrich Mar 17 '22 at 16:14
  • Because it appears that you have a specific idea and you appear to want to gather opinions based on imagination, this is too open-ended. – schroeder Mar 17 '22 at 18:03

1 Answer


Off the top of my head:

FTP Bounce attack:

The FTP protocol has a peculiarity called "Active FTP mode". It is rarely used today, but servers generally support it.

An FTP client can instruct the server in active mode to open a second connection to a particular address and port and start sending data. This connection is intended to carry the actual files transferred between the server and the client, or even between two servers.

The protocol allows the client to specify an arbitrary address and port.

This can be abused to send a great deal of traffic towards some third-party address from the IP address of the server (i.e. hiding the attacker). If the server has good net connectivity, this amounts to a Denial of Service (DoS) attack. If more than one FTP server is available, the attack becomes a DDoS.

I think modern-ish FTP servers have most of these "features" disabled by default, but on the other hand, FTP-related things are obsolete and generally overlooked, so vulnerable servers are left here and there.

fraxinus
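A defender's check for the active-mode behaviour described in the answer above, as an added example that is not part of the original post: it reads FTP control-channel commands and flags `PORT`/`EPRT` requests that name an address other than the requesting client, or a port below 1024. The log format (`<client ip> <command>`), the function names, the refusal policy and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2   and   EPRT <d>proto<d>addr<d>port<d>
PORT_RE = re.compile(r"^PORT\s+" + ",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+(.)[12]\1(.+?)\1(\d{1,5})\1\s*$", re.I)

def parse_data_target(command):
    """Return (ip, port) requested by a PORT/EPRT command, else None."""
    m = PORT_RE.match(command)
    if m:
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            raise ValueError("field out of range")
        return ipaddress.ip_address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]
    m = EPRT_RE.match(command)
    if m:
        if int(m.group(3)) > 65535:
            raise ValueError("port out of range")
        return ipaddress.ip_address(m.group(2)), int(m.group(3))
    return None

def findings(log_lines):
    """List (line_no, client, reason) for requests a hardened server would refuse."""
    out = []
    for n, line in enumerate(log_lines, 1):
        client, _, command = line.strip().partition(" ")
        try:
            target = parse_data_target(command)
            if target is None:
                continue  # not an active-mode request
            ip, port = target
            if ip != ipaddress.ip_address(client):
                out.append((n, client, f"third-party data address {ip} port {port}"))
            elif port < 1024:
                out.append((n, client, f"privileged data port {port}"))
        except ValueError:
            out.append((n, client, "malformed address or port"))
    return out

# Constructed sample (documentation address ranges), one command per line.
SAMPLE_LOG = [
    "192.0.2.10 USER anonymous",
    "192.0.2.10 PORT 192,0,2,10,195,80",      # own address, port 50000: allowed
    "192.0.2.10 PORT 198,51,100,7,0,25",      # different host: flagged
    "203.0.113.5 EPRT |1|203.0.113.5|80|",    # own address, low port: flagged
    "203.0.113.5 EPRT |2|2001:db8::1|6000|",  # different host (IPv6): flagged
    "203.0.113.5 PORT 300,1,1,1,1,1",         # malformed: flagged
]
```

Calling `findings(SAMPLE_LOG)` returns the four flagged requests; the same comparison against the control connection's peer address is what a server-side setting that disables third-party data connections enforces.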