Bugtraq mailing list archives

Re: ftpd: the advisory version

From: monti () USHOST COM (monti)
Date: Fri, 7 Jul 2000 17:26:36 -0500


On Thu, 6 Jul 2000, D. J. Bernstein wrote:

monti writes:

*allowing* other than src-20 active data connections through a firewall,


Why are you allowing PORT-style FTP through your firewall? See RFC 1579.
Can I scan port 6000 on your hosts if I set my source port to 20?


I'm not. And I have seen the RFC. (i've also scanned through many a
'firewall' using src 20 as well)

What I was referring to was firewalls that attempt to do a dynamic port
allocation for the return (src 20) data connection in active FTP. I'm not
saying I trust this behavior, but ofcourse the *idea* is to avoid having
a blanket allow rule for src 20 -> dst >1024 accept. And the idea is
better (disclaimer: I know all about the recent ickyness in *how* many
firewalls do this too -- see my PIX PASV bug writeup on bugtraq). This is
academic anyway, since most commercial firewalls are all hard coded to do
this in one way or another.

I agree completely though:
it's very very bad to use a normal packet filter for non-PASV ftp, and
even if you dont it's not all peaches since the
stateful-inspection/application-proxy may have a really stupid way of
"dynamically adjusting". I personally chock it all up in the
"FTP SUX LLAMA" category and try not to think too much about it.

Netscape uses PASV. The OpenBSD ftp client uses PASV. The Linux ftp
client uses PASV if you give it the -p option. Internet Explorer uses
PASV. What makes you think that requiring PASV will noticeably increase
the level of user annoyance at your firewall?


I dont... however my users/clients are usually avid users of arcane OS's
without PASV ftp clients. When possible, ofcourse this is the better
solution, but it isnt always feasible nor for that matter possible. Some
of the clients that do *not* support PASV ftp: sunos/solaris cmdline,
windows* commandline client, AIX cmdline client (last i checked), same for
HP-UX and most other commercial Ux's except perhaps for only very recent
versions, to name a few. You'd be disgusted at what an 'expect' script can
be stupid enough to do with ftp :)

Dont get me started on all the older (and even recent!) FTP servers out
there that cant PASV either...

I'd say it's a fair assumption that *most* people are reliant heavily on
their firewalls capabilities (or bugs) for port-style ftp whether they
realize they are there or not. Doesnt even IPF now include a kernel-based
ftp proxy (maybe I'm confusing this with something else). Does it support
port-style ftp handling? (I've been meaning to check this new feature out,
but havent gotten around to it)

-eric

Current thread:

Re: ftpd: the advisory version Valdis Kletnieks (Jun 30)
- Re: ftpd: the advisory version Tom Perrine (Jul 02)
- Conclusion to recent working WuFTPD Exploits Eric Hines (Jul 05)
- <Possible follow-ups>
- Re: ftpd: the advisory version Carson Gaspar (Jun 30)
  - Re: ftpd: the advisory version Mike Gleason (Jul 02)
  - [RHSA-2000:016-03] Multiple local imwheel vulnerabilities bugzilla () REDHAT COM (Jul 03)
  - Re: ftpd: the advisory version monti (Jul 05)
    - Re: ftpd: the advisory version D. J. Bernstein (Jul 06)
    - Re: ftpd: the advisory version monti (Jul 07)
    - Re: ftpd: the advisory version Mikael Olsson (Jul 07)
    - Re: ftpd: the advisory version David Maxwell (Jul 07)
    - Re: ftpd: the advisory version D. J. Bernstein (Jul 10)
    - Re: ftpd: the advisory version Richard Rager (Jul 11)
    - Infosec.20000712.worldclient.2.1 Rikard Carlsson (Jul 12)
    - ANNOUNCE Apache::ASP v1.95 - Security Hole Fixed J C (Jul 10)
    - Novell Border Manger - Anyone can pose as an authenticated user Coward, Anonymous (Jul 07)
  - [RHSA-2000:042-01] BitchX denial of service vulnerability bugzilla () REDHAT COM (Jul 06)
- Re: ftpd: the advisory version Taneli Huuskonen (Jul 01)
- Re: ftpd: the advisory version D. J. Bernstein (Jul 01)

(Thread continues...)