Vulnerability Development mailing list archives
Exploiting any network protocol with secondary data channels opened from the server
From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Fri, 17 Mar 2000 10:45:46 +0100
Darren Reed <avalon () COOMBS ANU EDU AU> recently wrote something regarding all the fuss about the FTP data channel vulnerabilities, that gave me the creeps:
> I don't need to use a bad hyperlink in HTML to do the above, I can equally use Java.
Which is extremely vile, since there is NO WAY that any type of firewall can differentiate a Java-driven FTP session from a "normal" FTP session.

The fix for FTP is to simply disallow all active FTP, but what about protocols that do not support "passive" modes? Anyone care to go dig up some protocols which open secondary data channels from the server to the client, and then write a Java component that emulates an outbound client command session that fools firewalls into opening dangerous data connections?

Basic idea would be something like this:

* Make the client connect to www.rooted.com somehow (there are lots of ways)
* Have the client download a Java applet (which ~99% of all browsers will do automagically)
* Have the Java applet connect to www.rooted.com (this is allowed by the Java spec) on a specific port (21 in the case of FTP)
* Send a perfectly legal command stream which makes the firewall think that the client wants to accept a connection from www.rooted.com to some exploitable port number (which we know there are lots of). The exact methodology here is of course protocol dependent.

The way I see it, the long term fix is to abolish all protocols that open secondary data channels from server to client. One could argue that one can also fix it by abolishing Java, but I don't really agree, as I have a feeling that lots of other things can be abused to accomplish pretty much the same thing. The real challenge however is to get app developers to realize that they can't open connections from servers to clients any more.

Ack. :-P

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50
Fax: +46 (0)660 122 50
Mobile: +46 (0)70 66 77 636
WWW: http://www.enternet.se
E-mail: mikael.olsson () enternet se
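The weakness the post describes is a firewall FTP helper that trusts whatever address and port a PORT command names. The following is an added example, not code from the post or any real firewall, showing the two checks a helper can apply before opening the inbound hole: the requested address must equal the control connection's source, and the port must be an unprivileged, non-service port. The blocked-port list and the pinhole decision function are constructed for this illustration.

```python
import ipaddress
import re

# Ports a stateful firewall's FTP helper should never open toward the client,
# even when a PORT command asks for them (constructed list for this example).
BLOCKED_DATA_PORTS = {21, 22, 23, 25, 53, 80, 111, 135, 139, 445, 512, 513, 514, 6000}

# FTP active mode: "PORT h1,h2,h3,h4,p1,p2" (RFC 959); port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$")


def parse_port_command(line):
    """Parse a PORT command into (IPv4Address, port); None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return ip, port


def allow_data_pinhole(client_ip, port_line):
    """Decide whether the helper may open the inbound hole a PORT command requests.

    client_ip is the address the control connection actually came from.
    Returns (allowed, reason).
    """
    parsed = parse_port_command(port_line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    # Anything running on the client (applet or otherwise) may only ask for a
    # hole to the host it is on; any other address is a bounce request.
    if ip != ipaddress.IPv4Address(client_ip):
        return False, "PORT address does not match control-connection source"
    # A data port must be ephemeral and unprivileged, never a service port.
    if port < 1024 or port in BLOCKED_DATA_PORTS:
        return False, "data port %d is a service port" % port
    return True, "open %s:%d for one inbound connection from server port 20" % (ip, port)
```

A helper that applies both checks still lets ordinary active FTP work, since real clients advertise their own address and an ephemeral port, while a command stream naming a service port is refused before any hole is opened.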