Bugtraq mailing list archives
Re: FireWall-1 FTP Server Vulnerability
From: bozo () SZIVARVANYNET HU (Borbely Zoltan)
Date: Wed, 16 Feb 2000 02:35:05 +0100
On Mon, Feb 14, 2000 at 07:32:54PM -0600, monti wrote:

[...snip...]

> I don't really think the issue is with 'how' the PASV response and packet appears on the wire, but with the Firewall's logic in creating a hole for PASV ftp data connections. I think the firewall should probably be a bit more strict about how it makes the decision to open the PASV hole and follow rules like the following:
>
> First watch for:
>   client -> ftp-server "PASV"
> which triggers the firewall to look for this immediately afterwards:
>   client <- ftp-server "227 Entering Passive Mode (xxx,xxx,xxx,xxx,prt,prt)"
>
> If any other statement is seen from client or server, before the presence of the 227 port declaration, the attempt is ignored.

This solution can't block the exploit. In the following case:

  C -> S "STAT -1"
  S -> C "."
  S -> C ".."
  C -> S "PASV"
  S -> C "227 Entering..."

I know, this is against the RFC, but the SPF firewalls can misinterpret the whole situation. The time frame of the successful attack is very small, but maybe you can try to close the send window of the server. Maybe it works, but this is just theory.

Zoltan BORBELY
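
The rule proposed in the quoted message, run against the sequence from the reply, as an added example that is not part of the original thread: a small Python model of a control-channel inspector. The `lockstep_rule` variant, the function names and the address in the 227 line are assumptions made for illustration.

```python
import re

FINAL_REPLY = re.compile(r"^\d{3} ")  # last line of an RFC 959 reply
PASV_227 = re.compile(r"^227 .*\((\d{1,3}(?:,\d{1,3}){5})\)")

def parse_227(line):
    """Return (ip, port) from a 227 line, or None if it is malformed."""
    m = PASV_227.match(line)
    if not m:
        return None
    n = [int(x) for x in m.group(1).split(",")]
    if max(n) > 255:
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def proposed_rule(events):
    """Quoted rule: client PASV, then a 227 as the very next statement."""
    armed, holes = False, []
    for sender, line in events:
        if sender == "C":
            armed = line.strip().upper() == "PASV"
            continue
        hole = parse_227(line) if armed else None
        if hole:
            holes.append(hole)
        armed = False
    return holes

def lockstep_rule(events):
    """Assumed variant: PASV arms the tracker only when no earlier
    command is still waiting for the final line of its reply."""
    pending, armed, holes = 0, False, []
    for sender, line in events:
        if sender == "C":
            armed = pending == 0 and line.strip().upper() == "PASV"
            pending += 1
            continue
        if FINAL_REPLY.match(line):
            hole = parse_227(line) if armed else None
            if hole:
                holes.append(hole)
            pending = max(pending - 1, 0)
        armed = False
    return holes

# Constructed input: 192.0.2.1 port 1025 is a documentation placeholder.
LINE_227 = "227 Entering Passive Mode (192,0,2,1,4,1)"
NORMAL = [("C", "PASV"), ("S", LINE_227)]
REPLY_CASE = [("C", "STAT -1"), ("S", "."), ("S", ".."), ("C", "PASV"), ("S", LINE_227)]
```

`proposed_rule(REPLY_CASE)` still returns a hole, while `lockstep_rule(REPLY_CASE)` returns none because STAT has not received a final reply line when PASV arrives.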