Vulnerability Development mailing list archives

Re: Extending the FTP "ALG" vulnerability to any FTP client


From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Sat, 11 Mar 2000 13:39:19 +0100


Someone (off-list) wrote:

> I desperately want to run this test
> against my own site.

I don't have a ready-to-fly test for this; this is the main reason why
I released the theory of it as it stands. I'm hoping for one or a few
of our list members with more time on their hands to hack up a piece
of proof-of-concept code so that people start taking this seriously.

The way I see it, this is a big failing of the security community.
Nothing is really taken seriously until there's a ready-made hack
that actually does damage (which, of course, any script-kiddie can
use to wreak havoc against anyone).

> Also, if they can connect to port 139,
> what apps would be used from this port? As I said, denying has been much
> easier for me than understanding methodology.

As I said, it doesn't have to be port 139. It can be any port.
You may as well regard any local workstation with a browser or HTML-
enabled mail reader to not be protected by a firewall at all, since
it can really be any port between 0 and 65535.

Unless, of course, your firewall does full protocol analysis and state
tracking of the FTP protocol. Most don't.

/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
