Bugtraq mailing list archives

SafeTP coughs up internal server IP addresses


From: "Jonathan G. Lampe" <jonathan () stdnet com>
Date: Fri, 27 Sep 2002 17:32:30 -0500

SafeTP is (was?) "a revolutionary new security application for Windows and UNIX users who use FTP (File Transfer Protocol) to connect to their accounts on UNIX or NT/2000 FTP servers."

Basically, SafeTP tunnels FTP control and data channels over a secure channel. (Similar to SSH, but it is a different protocol!) I'm not sure if anyone still supports it, but I know a couple people out there still run it.

The basic problem is that any SafeTP client can get the SafeTP server to cough up an internal IP address if passive mode transfers are required in a NAT environment. For example, check out the "227 Entering Passive Mode (10,7,34,85,5,133)" entry in the log below. (169.229.60.94 is the public/external IP address - 10.7.34.85 is the internal IP address.)

D:\OSOmissions\snort\rules>ftps safetp.nowhere.com
220-SafeTP: Negotiating FTP connection...
220-safetp.nowhere.com X2 WS_FTP Server 3.1.0 (1506847632)
220-Changed to Protect the Innocent
220-safetp.nowhere.com X2 WS_FTP Server 3.1.0 (1506847632)
220-*** This server can accept secure (encrypted) connections. ***
220-*** See http://safetp.cs.berkeley.edu for info. ***
220 SafeTP: Control channel secure: X-SafeTP1. Data channel secure. PBSZ=32801b
Connected to safetp.nowhere.com.
User: SomeUser
331 Password required
Password: *********
230-user logged in
230-Hello Some User.  Welcome to the SafeTP File Transfer
 System!
230 user logged in
ftp> ls
200 PORT command ok.
Timed out waiting for connection from server.
ftp> passive
Passive mode  On .
ftp> ls
425 Failed to connect to 192.168.3.162, port 3303: connect: Connection timed out
 (code 10060)
ftp> passive
Draining: 510 Assertion failed: ftpd reply: 150 Opening ASCII data connection fo
r directory listing
Draining: 227 Entering Passive Mode (10,7,34,85,5,133).
Passive mode  Off .
ftp> put tendot.txt
227 Entering passive mode (169,229,60,94,156,186).
150 Opening ASCII data connection for tendot.txt
226 transfer complete
ftp: 1094 bytes sent in 0.98Seconds 1.09Kbytes/sec.
ftp> quit
221-Good-Bye
221-Goodbye Some User.  Thank you for visiting the SafeTP
 File Transfer System!
221 Good-Bye

I'm not 100% sure of this, but SafeTP is probably interpreting FTP commands as they go by (as do most NAT devices these days) and changing internal IPs into external IPs. (I think this occurs if you invoke the server daemon with the "-i" flag?) It looks like if you can stack the message queues just right, you can get SafeTP to forget to do NAT. Although this bug appears to be mostly harmless, there may be applications for it more devious minds can figure out...

* * * Vendor Notification:

I sent email messages to all the listed support contacts (Dan Bonachea - Windows software - bonachea () cs berkeley edu and Scott McPeak - UNIX software - smcpeak () cs berkeley edu), and asked another long-time user to do the same. Neither of us got any response after a few weeks.

-jgl
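
Added example, not part of the original post and not SafeTP code: a small check a server operator could run over captured FTP session logs to flag any 227 reply that advertises an address other than the server's public one. The function names and the idea of passing the expected public IP as a parameter are assumptions of this sketch; the sample lines are copied from the session log above.

```python
import ipaddress
import re

# Six-number tuple of an FTP 227 reply: (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"\b227 [^(\r\n]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv(line):
    """Return (IPv4Address, port) from a line holding a 227 reply, else None."""
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed tuple, not a valid address/port encoding
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]  # port is sent as high byte, low byte
    return host, port

def find_leaks(transcript, expected_ip):
    """List 227 replies whose address differs from the expected public IP."""
    expected = ipaddress.IPv4Address(expected_ip)
    findings = []
    for lineno, line in enumerate(transcript.splitlines(), 1):
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        host, port = parsed
        if host != expected:
            kind = "private" if host.is_private else "unexpected"
            findings.append((lineno, str(host), port, kind))
    return findings

# Lines taken from the session log in the post.
SAMPLE = """\
Draining: 227 Entering Passive Mode (10,7,34,85,5,133).
Passive mode  Off .
ftp> put tendot.txt
227 Entering passive mode (169,229,60,94,156,186).
150 Opening ASCII data connection for tendot.txt
"""

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE, "169.229.60.94"):
        print(finding)
```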

