Airport Application Level Gateway FTP Proxy Allows Security Bypass
Thursday, March 4, 2010 at 05:54PM
drStrangeP0rk in ALG, Airport, Apple, TimeCapsule

Sabahatten Gucukoglu has posted the details of a flaw in the Application Level Gateway (ALG) of the Airport, Airport Extreme and Time Capsule products, which handles the FTP proxy between external FTP and internal NAT clients. The ALG provides seamless configuration with other Apple products and is used when a non-default port is configured for a service. With regard to FTP, it allows servers behind a NAT to alter the address in command-channel commands such as PORT, rewriting the command so clients can reach them when in passive mode.

This resulting configuration allows any actor with access to the FTP port forwarded on the WAN port that offers NAT to internal clients (a public FTP server) to induce an FTP server operating on the NAT LAN to send data to arbitrary addresses and ports. It does not matter whether the FTP server is configured securely: the flaw exists in the ALG, so no level of trust exists at the end points. This can be leveraged in a host of attacks, including bouncing scans, denial of service, spamming and data theft.

Sabahatten Gucukoglu reported this issue to Apple, but no patch has been issued in seven weeks, so he has made the information public. Problems in the ALGs of WiFi devices are an excellent attack vector. The public disclosure does not include any firmware information and we have not confirmed it independently.

Using FTP opens a host of problems; users should avoid it since there are currently better alternatives. Workarounds include not triggering the ALG by using the default ports, especially for FTP; not using FTP; and disabling FTP uploads that can be downloaded by guest (anonymous) users. Due to the public disclosure we expect Apple to release a firmware update with the patches this month.
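One check a network monitor can apply to the command channel described above, as an added example that is not part of the original article or the advisory: parse each PORT command (and, going beyond the text, its EPRT equivalent) and flag any whose data-connection target is not the control connection's own peer or is a privileged port. The (peer, command) record format, the function names and the sample lines are constructed for illustration, and the monitor is assumed to see the external client's real address.

```python
import ipaddress
import re

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.I)
# EPRT <d><proto><d><address><d><port><d>, where <d> is one delimiter character
EPRT_RE = re.compile(r"^EPRT\s+(.)([12])\1(.+?)\1(\d{1,5})\1\s*$", re.I)

def parse_target(command):
    """Return (ip, port) named by a PORT/EPRT command, or None for other commands."""
    m = PORT_RE.match(command)
    if m:
        n = [int(x) for x in m.group(1).split(",")]
        if any(v > 255 for v in n):
            raise ValueError("field out of range")
        return ipaddress.ip_address(".".join(map(str, n[:4]))), n[4] * 256 + n[5]
    m = EPRT_RE.match(command)
    if m:
        port = int(m.group(4))
        if port > 65535:
            raise ValueError("port out of range")
        return ipaddress.ip_address(m.group(3)), port
    return None

def audit(records):
    """records: iterable of (control_peer_ip, command_line); returns findings."""
    findings = []
    for peer, command in records:
        try:
            target = parse_target(command.strip())
        except ValueError:
            findings.append((peer, command, "malformed address or port"))
            continue
        if target is None:
            continue  # not a data-channel setup command
        ip, port = target
        if ip != ipaddress.ip_address(peer):
            findings.append((peer, command, f"data target {ip} is not the control peer"))
        elif port < 1024:
            findings.append((peer, command, f"data target port {port} is privileged"))
    return findings

# Constructed sample records (documentation address ranges only).
SAMPLE = [
    ("203.0.113.10", "USER anonymous"),
    ("203.0.113.10", "PORT 203,0,113,10,195,80"),  # own address, port 50000
    ("203.0.113.10", "PORT 198,51,100,7,0,25"),    # third-party host
    ("203.0.113.10", "PORT 203,0,113,10,0,22"),    # own address, privileged port
    ("2001:db8::5", "EPRT |2|2001:db8::5|50001|"),
    ("203.0.113.10", "EPRT |1|192.0.2.99|6275|"),  # third-party host
    ("203.0.113.10", "PORT 203,0,113,300,1,1"),    # malformed octet
]
```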

 

Article originally appeared on magmatic.com (http://www.magmatic.com/).
See website for complete article licensing information.