Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: FireWall-1 FTP Server Vulnerability

From: bozo () SZIVARVANYNET HU (Borbely Zoltan)
Date: Wed, 16 Feb 2000 02:35:05 +0100

On Mon, Feb 14, 2000 at 07:32:54PM -0600, monti wrote:
[...snip...]


I dont really think the issue is with 'how' the PASV response and packet
appears on the wire, but with the Firewall's logic in creating a hole for
PASV ftp data connections. I think the firewall should probably be a bit
more strict about how it makes the decision to open the PASV hole and
follow rules like the following:

First watch for:
client -> ftp-server "PASV"

which triggers the firewall to look for this immediately afterwards:
client <- ftp-server "227 Entering Passive Mode (xxx,xxx,xxx,xxx,prt,prt)

If any other statement is seen from client or server, before the presence
of the 227 port declaration, the attempt is ignored.


This solution can't block the exploit. In the following case:

C -> S "STAT -1"
S -> C "."
S -> C ".."
C -> S "PASV"
S -> C "227 Entering..."

I know, this is against the RFC, but the SPF firewalls can misinterpret
the whole situation.

The time frame of the successful attack is very small, but maybe you can
try to close the send window of the server. Maybe it works, but this is just
theory.

Zoltan BORBELY
Previous By Date Next
Previous By Thread Next

Current thread: