Bugtraq mailing list archives
Re: FireWall-1 FTP Server Vulnerability
From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Fri, 18 Feb 2000 05:24:26 +0100
Henrik Nordstrom wrote:
> A in my opinion better approach would be to
> * require that the 227 (PASV) reply is the one and only line present in the packet

Attackers can accomplish this by setting the TCP MSS to the right size.

> * that this packet properly ends with a newline

No problem in the case of the STAT command.

> * that this packet is not oversized for being a 227 reply

Shouldn't be a problem.

> * and that the TCP byte immediately in front of the response code is a newline, not a space or anything else.
> Not sure if this is possible in the FW1 filter engine. Also, this won't help in the case of buggy wuftpd.

No problem in the case of the STAT command.

> * The firewall should also obviously only listen for a 227 reply if a PASV command has been sent. Any 227 replies received outside this context are a protocol violation and should be handled as such.

I think you can accomplish this by actually sending a PASV command after the GET / STAT command. However, I don't know how the firewall will interpret the second "227" message. Possibly by killing the fake channel and opening the real one instead :-(

However, what if you send the fake PASV command in a packet with a sequence number that has already been used? Such a packet should be happily ignored by the server, but the firewall would probably listen to it. Hmmm :)

The only solution that even begins to look "good" is to completely reassemble the TCP stream and not make "educated" guesses about what packet data belongs on what line and in which order and state of the FTP protocol. It doesn't have to be a "proxy" in order to do this, I think. You DO need to reassemble the stream completely though.

Just my $.02

/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50   Fax: +46-(0)660-122 50   Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se   E-mail: mikael.olsson () enternet se
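The approach the post ends on, full reassembly of the server-to-client control stream combined with tracking whether a PASV command is outstanding, as an added example in Python. This is not code from the thread or from FireWall-1; the `FtpControlInspector` class, the sample traffic and the 10.0.0.1 server address are constructed for illustration. It applies the checks quoted above at the line level rather than the packet level: only complete CRLF-terminated lines are interpreted, a line inside a multi-line reply is treated as free text, a 227 is honoured only as the reply to an outstanding PASV and only if it points back at the server, and bytes that have already been delivered are never reinterpreted, so a segment reusing a sequence number the server has already used carries nothing new.

```python
"""Stream-reassembling, state-aware validation of FTP 227 (PASV) replies.

Added example, not code from the original thread. The inspector, the
sample traffic and the 10.0.0.1 server address are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RFC 959 reply form: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_REPLY = re.compile(
    r"^227 [^()]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)\s*$"
)
MULTILINE_START = re.compile(r"^(\d{3})-")   # "211-..." opens a multi-line reply


@dataclass
class FtpControlInspector:
    server_ip: str
    pasv_pending: bool = False                  # a PASV was sent, its reply is awaited
    next_seq: int = 0                           # next server->client byte not yet delivered
    pending: Dict[int, bytes] = field(default_factory=dict)  # held segments, seq -> payload
    buf: bytes = b""                            # delivered bytes not yet forming a full line
    multiline: Optional[str] = None             # code of an open "xyz-" multi-line reply
    violations: List[str] = field(default_factory=list)

    def client_command(self, line: str) -> None:
        """Track the one piece of client state that matters here: is a PASV outstanding?"""
        if line.strip().upper() == "PASV":
            self.pasv_pending = True

    def server_segment(self, seq: int, payload: bytes) -> List[Tuple[str, int]]:
        """Feed one server->client TCP segment; return data channels approved by it."""
        self.pending[seq] = payload
        approved = []
        # Deliver strictly in sequence order. Bytes already delivered are final:
        # an overlapping or replayed segment only contributes what lies beyond next_seq.
        while True:
            ready = [s for s in self.pending if s <= self.next_seq]
            if not ready:
                break                            # remaining segments are out of order; hold them
            s = min(ready)
            data = self.pending.pop(s)
            skip = self.next_seq - s
            if skip >= len(data):
                continue                         # wholly retransmitted, nothing new
            self.buf += data[skip:]
            self.next_seq += len(data) - skip
        # Only complete CRLF-terminated lines are ever interpreted.
        while b"\r\n" in self.buf:
            raw, self.buf = self.buf.split(b"\r\n", 1)
            chan = self._reply_line(raw.decode("ascii", "replace"))
            if chan:
                approved.append(chan)
        return approved

    def _reply_line(self, line: str) -> Optional[Tuple[str, int]]:
        """Interpret one complete reply line in its protocol context."""
        if self.multiline is not None:
            # Inside "xyz-" every line is free text until "xyz " closes the reply.
            if line.startswith(self.multiline + " "):
                self.multiline = None
            return None
        m = MULTILINE_START.match(line)
        if m:
            self.multiline = m.group(1)
            return None
        if self.pasv_pending:
            # Whatever reply comes next answers the PASV; only a well-formed 227
            # naming the server itself opens a data channel.
            self.pasv_pending = False
            return self._parse_227(line) if line.startswith("227") else None
        if line.startswith("227"):
            self.violations.append("227 without outstanding PASV: " + line)
        return None

    def _parse_227(self, line: str) -> Optional[Tuple[str, int]]:
        m = PASV_REPLY.match(line)
        if not m:
            self.violations.append("malformed 227: " + line)
            return None
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        # Policy choice: the data endpoint must be the server itself, on a non-privileged port.
        if host != self.server_ip or port < 1024:
            self.violations.append("227 names unexpected endpoint: " + line)
            return None
        return (host, port)


def demo() -> dict:
    """Run constructed traffic through the inspector and report what it approved."""
    insp = FtpControlInspector(server_ip="10.0.0.1")
    insp.client_command("STAT")
    # Reply to STAT: a multi-line 211 whose body contains 227-looking text. No PASV is
    # outstanding and the line sits inside a multi-line reply, so it is not a reply at all.
    seg1 = b"211-Status of server\r\n227 Entering Passive Mode (10,0,0,1,4,1)\r\n211 End of status\r\n"
    opened = insp.server_segment(0, seg1)
    # A segment reusing an already delivered sequence number carries nothing new.
    opened += insp.server_segment(0, b"227 Entering Passive Mode (10,0,0,1,4,2)\r\n")
    # A bare 227 with no PASV outstanding is a protocol violation.
    seg2 = b"227 Entering Passive Mode (10,0,0,1,4,3)\r\n"
    opened += insp.server_segment(len(seg1), seg2)
    off = len(seg1) + len(seg2)
    # Legitimate exchange, with the 227 split across two segments arriving out of order.
    insp.client_command("PASV")
    good = b"227 Entering Passive Mode (10,0,0,1,4,1)\r\n"
    head, tail = good[:20], good[20:]
    opened += insp.server_segment(off + len(head), tail)   # arrives first: held, not interpreted
    opened += insp.server_segment(off, head)               # now the full line exists
    off += len(good)
    # A 227 answering a real PASV but pointing at a different host is rejected.
    insp.client_command("PASV")
    opened += insp.server_segment(off, b"227 Entering Passive Mode (192,168,1,1,4,1)\r\n")
    return {"opened": opened, "violations": insp.violations}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Only one data channel, 10.0.0.1:1025, is approved; the embedded, replayed, unsolicited and off-host 227 lines produce either nothing or a logged violation. The same decisions cannot be made reliably on a per-packet basis, since packet boundaries and sequence overlap are under the sender's control while the reassembled byte stream is not.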
Current thread:
- Re: FireWall-1 FTP Server Vulnerability Lars.Troen () MERKANTILDATA NO (Feb 12)
- Re: FireWall-1 FTP Server Vulnerability Alexandru Popa (Feb 14)
- Re: FireWall-1 FTP Server Vulnerability monti (Feb 14)
- Re: FireWall-1 FTP Server Vulnerability Henrik Nordstrom (Feb 15)
- DDoS whitepaper Bennett Todd (Feb 17)
- Re: FireWall-1 FTP Server Vulnerability Mikael Olsson (Feb 17)
- Re: FireWall-1 FTP Server Vulnerability Emiliano Kargieman (Feb 18)
- Patch Available for "Site Wizard Input Validation" Vulnerability Microsoft Product Security (Feb 18)
- Re: FireWall-1 FTP Server Vulnerability Dug Song (Feb 18)
- Re: FireWall-1 FTP Server Vulnerability Henrik Nordstrom (Feb 15)
- Re: FireWall-1 FTP Server Vulnerability Borbely Zoltan (Feb 15)
- Re: FireWall-1 FTP Server Vulnerability monti (Feb 17)
- Re: FireWall-1 FTP Server Vulnerability Peter Benie (Feb 16)
- Re: FireWall-1 FTP Server Vulnerability Nick FitzGerald (Feb 17)
- ANN: Bruce 1.0ea2: Networked Host-Vulnerability Scanner for Solaris & Linux Alec Muffett (Feb 17)
- <Possible follow-ups>
- Re: FireWall-1 FTP Server Vulnerability der Mouse (Feb 17)
- Re: FireWall-1 FTP Server Vulnerability chess () US IBM COM (Feb 18)