GVfs FTP Backend Information Disclosure Vulnerability via Untrusted PASV Responses

Vulnerability

The GVfs FTP backend trusts the IP address and port that an FTP server returns in its passive-mode (PASV) reply and opens the data connection to that endpoint without checking it. Because the backend neither requires the advertised address to match the peer of the control connection nor rejects loopback, link-local or private-range addresses, a malicious server can direct the client's data connection at any host and port reachable from the client, including internal hosts the server cannot reach itself. Whether the target port accepted the connection can typically be inferred from the client's subsequent behaviour on the control channel (the delay before its next command, or the error it reports), which turns the client into a port scanner working on the attacker's behalf.

Impact

A server the user connects to, or an attacker who can tamper with the control connection, can use the client to probe hosts and ports behind the client's firewall, learning which internal services exist (information disclosure), and can have the client's data-connection traffic delivered to an internal service the attacker could not reach directly.

Reproduction

To reproduce the issue, run an FTP server you control (or any server whose PASV replies you can manipulate) and have it answer the PASV command with a 227 reply whose address octets name an internal host and whose port bytes name a port of interest, for example `227 Entering Passive Mode (10,0,0,5,0,22)` for 10.0.0.5:22. Open the server from an application that uses the GVfs FTP backend (a GNOME application browsing an ftp:// location) and request a directory listing or a file transfer. The backend attempts the data connection to the address and port taken from the reply rather than to the server's own address, and the attempt succeeds or fails according to whether that port is open from the client's network.

Remediation

Users are advised to avoid opening untrusted or unknown FTP servers from applications that rely on the GVfs FTP backend until a fixed version is available. The standard hardening for this class of bug, as applied by other FTP clients such as curl (its CURLOPT_FTP_SKIP_PASV_IP behaviour), is to ignore the address in the PASV reply and connect the data channel to the control connection's peer address, taking only the port from the reply; where the advertised address is honoured at all, it should be rejected if it falls in a loopback, link-local or private range.
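The following is an added example, not GVfs code, showing the trusting PASV handling described above next to a hardened version. It parses a 227 reply, compares the advertised address with the control connection's peer, and refuses internal ranges when the advertised address is honoured. The control-connection address (`control_ip`) and the sample replies are constructed for the demonstration; the hardened default mirrors what curl does, not anything GVfs ships.

```python
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as defined in RFC 959.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Ranges a remote server should never be able to steer a data connection into.
# Listed explicitly rather than via ipaddress.is_private, which would also flag
# the documentation range (203.0.113.0/24) used for the constructed server below.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def parse_pasv(reply):
    """Extract (ip, port) from a 227 reply; raise ValueError on anything odd."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("malformed PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 in PASV reply")
    return "%d.%d.%d.%d" % tuple(fields[:4]), port


def is_internal(ip):
    """True if ip lies in a range that must not be reached via a server-chosen endpoint."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


def trusting_data_endpoint(reply, control_ip):
    """The behaviour the advisory describes: connect wherever the server says."""
    return parse_pasv(reply)


def hardened_data_endpoint(reply, control_ip, trust_advertised_ip=False):
    """By default reuse the control connection's peer address and take only the
    port from the reply. If the advertised address is honoured at all, refuse
    loopback, link-local, private and multicast ranges."""
    ip, port = parse_pasv(reply)
    if not trust_advertised_ip or ip == control_ip:
        return control_ip, port
    if is_internal(ip):
        raise ValueError("PASV reply points at internal address %s" % ip)
    return ip, port


def evaluate(reply, control_ip, trust_advertised_ip=False):
    """Return ("connect", ip, port) or ("reject", reason) for the hardened client."""
    try:
        ip, port = hardened_data_endpoint(reply, control_ip, trust_advertised_ip)
    except ValueError as exc:
        return ("reject", str(exc))
    return ("connect", ip, port)


if __name__ == "__main__":
    control_ip = "203.0.113.10"  # constructed: peer address of the control connection
    samples = [                  # constructed 227 replies
        "227 Entering Passive Mode (203,0,113,10,195,80)",  # honest: own IP, port 50000
        "227 Entering Passive Mode (10,0,0,5,0,22)",        # malicious: 10.0.0.5:22
        "227 Entering Passive Mode (127,0,0,1,0,25)",       # malicious: loopback SMTP
        "227 Entering Passive Mode (999,0,0,1,0,21)",       # malformed octet
    ]
    for reply in samples:
        try:
            naive = trusting_data_endpoint(reply, control_ip)
        except ValueError as exc:
            naive = ("reject", str(exc))
        print(reply)
        print("  trusting client ->", naive)
        print("  hardened client ->", evaluate(reply, control_ip))
        print("  hardened, advertised IP honoured ->", evaluate(reply, control_ip, True))
```

Reusing the control connection's address is safe even when the server itself is on an internal network, because the client already chose to talk to that host; only the server's ability to redirect the data channel elsewhere is removed. A client that prefers EPSV (RFC 2428) sidesteps the address problem entirely, since the 229 reply carries only a port, although the port remains server-chosen in both modes.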

Added: Feb 26, 2026, 4:36 PM
Updated: Feb 26, 2026, 4:36 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 0.2
exploitability: 5.6
remediation: 7.9
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.