Firewall Wizards mailing list archives
Re: Variations of firewall ruleset bypass via FTP
From: Darren Reed <darrenr () reed wattle id au>
Date: Fri, 11 Oct 2002 11:14:14 +1000 (EST)
In some email I received from Mikael Olsson, sie wrote: [...]
Second, Art Manion at CERT just reminded me of a couple of posts from '2000 where I was talking about the STAT command, which made me come up with this server attack scenario:

Cli: MKD 227 Entering Passive Mode (1,2,3,4,5,6)
Srv: 200 ok
Cli: STAT 227 Entering Passive Mode (1,2,3,4,5,6)
Srv: 213-STAT
     -rw-rw-r-- 1 1019 109 1123322 Sep 5 18:09 227 Entering Passive Mode (1,2,3,4,5,6)
     213 End.
Cli: (does funky ACKing)
Srv: 227 Entering Passive Mode (1,2,3,4,5,6)
     213 End.

The "(1,2,3,4,5,6)" string is immediately followed by CRLF. "213 End.\r\n" will normally follow in the same packet, but this can be suppressed through adjusting the receive window in said funky ACK, which would result in a plain "227 Entering Passive Mode (1,2,3,4,5,6)\r\n" segment. Getting such a clean string would bypass any amount of "string sanity" verification put in place.

I'm also wondering if there's a way of changing the "ls" field output in some way (for some ftp daemons?). If so, we might even be able to get "\r\n227 ... (...)\r\n" in a _properly reassembled_ stream. ..?
If you had access to the filestream, locally, you could have a file named like this:

foo\r\n213 End.\r\n227 Entering Passive Mode (1,2,3,4,5,6)\r\n

This sort of thing may even trip up various application layer proxies, too. But if the attacker has got access to the local filesystem in order to create that, then there is little a firewall of any sort is going to be able to do to stop them.

That aside, my view on this is "funky ACKing" may be within the bounds of legal TCP operation, but it's not what any "normal" FTP client is going to do, so throw those packets away.

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
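As an added illustration of the defensive side (example code written for this archive page, not code from the thread or from any firewall product): a small stateful FTP control-channel inspector that reassembles CRLF lines before parsing, tracks RFC 959 multi-line replies, and only honours a 227 reply when the outstanding client command is PASV and the address is the server's own. The server address, session transcripts and the `inspect_session` helper are constructed for the example.

```python
import re

# Constructed example of an FTP-ALG style check, not code from the thread.
# A 227 is honoured only as the answer to a pending PASV, and only after
# the byte stream has been reassembled into CRLF-terminated reply lines.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)\s*$")

class FtpInspector:
    def __init__(self, server_ip):
        self.server_ip = server_ip
        self.pending = None      # verb of the client command awaiting a reply
        self.multiline = None    # code of an open "NNN-" multi-line reply
        self.buf = b""           # partial server line not yet ended by CRLF
        self.pinholes = []       # (ip, port) data connections we would allow
        self.suspicious = []     # 227 lines refused: no PASV pending or bad host

    def client_line(self, line):
        self.pending = line.strip().split(" ", 1)[0].upper()

    def server_segment(self, data):
        # Reassemble first: a TCP segment boundary ("funky ACK") is not a line.
        self.buf += data
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            self._reply_line(line.decode("latin-1"))

    def _reply_line(self, line):
        if self.multiline:
            # Only "NNN " with the opening code ends the reply; anything else,
            # such as a STAT listing line, is body text and never a reply.
            if line.startswith(self.multiline + " "):
                self.multiline = self.pending = None
            return
        if len(line) > 3 and line[3] == "-":
            self.multiline = line[:3]
            return
        m = PASV_RE.match(line)
        if m:
            ip = ".".join(m.group(i) for i in range(1, 5))
            port = int(m.group(5)) * 256 + int(m.group(6))
            if self.pending == "PASV" and ip == self.server_ip:
                self.pinholes.append((ip, port))
            else:
                self.suspicious.append(line)
        self.pending = None   # any single-line reply answers the pending command

def inspect_session(server_ip, events):
    """events: ("C", "PASV") client lines or ("S", b"...") raw server segments."""
    insp = FtpInspector(server_ip)
    for side, data in events:
        insp.client_line(data) if side == "C" else insp.server_segment(data)
    return insp.pinholes, insp.suspicious
```

With this check the clean "227 ..." segment from the STAT scenario is body text of an open 213 reply, and the CRLF-in-filename variant yields a top-level 227 line with no PASV outstanding, so neither opens a data pinhole.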