Vulnerability Development mailing list archives
Re: FreeBSD listen()
From: 3APA3A () SECURITY NNOV RU (3APA3A)
Date: Fri, 29 Oct 1999 12:45:27 +0400
Hello CyberPsychotic, 28.10.1999 2:12, you wrote: FreeBSD listen(); C> ~ :This fact causes problems. Some application (for example ftp server in C> ~ :passive mode or ftp client in active mode) use C> ~ :listen(data, 1); C> ~ :accept(data,...); C> ~ :close(data); C> ~ :to limit the number of incoming data connections to exactly one. If C> ~ :second connection is not rejected it makes possible attack to inject C> ~ :or intercept data between server and client as described in NAI C> ~ :bulletin C> That is a ftp daemon/client(depending whether it's an active or passive C> mode), which should take care of accepting only single connection and only C> from proper source (which is surprisely being ignored by some daemons, Sorry, but it seems you didn't catched the problem. May be my English is too poor. The problem is that neither client no server has no way to control number of connections, the only way they had is C> ~ :listen(data, 1); C> ~ :accept(data,...); C> ~ :close(data); Controlling IP address isn't right since it may cause the problem with multihomed hosts. C> such as ncftpd f.e.). However even ncftpd closes all the incoming C> connections to the port once the first one has been accepted. Same goes the problem is that between listen() and accept() accepting side should inform other side which port to use. It takes some time allowing attack. All ftp clients/ftp servers (i guess) close incoming port after accept(). But connection is established prior to accept, accept just allocates socket for connection that is already established and removes connection from "pending queue". C> with my ftp client. (shipped r.h. 6.0). So I don't think there're any C> security issues except syn-flooding, are involved here. Just try an exploit. Against 2.2.x it works perfectly. Run it against any 2.2.x FTP server and try to connect it in passive mode. 3APA3A
Current thread:
- Re: forged packets?, (continued)
- Re: forged packets? ctor (Oct 25)
- ICQ 2000 Elias Levy (Oct 25)
- Re: ICQ 2000 Blue Boar (Oct 25)
- Re: ICQ 2000 Sean Burford (Oct 25)
- Re: ICQ 2000 Brad Griffin (Oct 26)
- Re: ICQ 2000 Blue Boar (Oct 25)
- icq2000 Brad Griffin (Oct 26)
- Re: ICQ 2000 Damm, Mike (Oct 26)
- Re: ICQ 2000 Brad Griffin (Oct 26)
- FreeBSD listen() 3APA3A (Oct 27)
- Re: FreeBSD listen() CyberPsychotic (Oct 27)
- Re: FreeBSD listen() 3APA3A (Oct 29)
- Re: FreeBSD listen() Matthew S. Hallacy (Oct 30)
- Fw: Trojan/Worm on one of your pages and spams ICQ users. BrainMaster (Oct 28)
- Re: FreeBSD listen() David Schwartz (Oct 28)
- Re: FreeBSD listen() 3APA3A (Oct 29)
- Re: FreeBSD listen() David Schwartz (Oct 30)
- Re: FreeBSD listen() 3APA3A (Oct 31)
- Re: FreeBSD listen() Sebastian (Oct 28)
- Re: FreeBSD listen() 3APA3A (Oct 29)
- Re: FreeBSD listen() Warren Young (Oct 28)
- Re: ICQ 2000 Bernie Cosell (Oct 27)