Firewall Wizards mailing list archives

Re: Variations of firewall ruleset bypass via FTP

From: Darren Reed <darrenr () reed wattle id au>
Date: Fri, 11 Oct 2002 11:14:14 +1000 (EST)

In some email I received from Mikael Olsson, sie wrote:
[...]

Second, Art Manion at CERT just reminded me of a couple of posts
from '2000 where I was talking about the STAT command, which 
made me come up with this server attack scenario:

Cli: MKD 227 Entering Passive Mode (1,2,3,4,5,6)
Srv: 200 ok
Cli: STAT 227 Entering Passive Mode (1,2,3,4,5,6)
Srv: 213-STAT
     -rw-rw-r--    1 1019     109       1123322 Sep  5 18:09 227 Entering
Passive Mode (1,2,3,4,5,6)
     213 End.
Cli: (does funky ACKing)
Srv: 227 Entering Passive Mode (1,2,3,4,5,6)
     213 End.

The "(1,2,3,4,5,6)" string is immediately followed by CRLF.
"213 End.\r\n" will normally follow in the same packet, but 
this can be suppressed through adjusting the receive window 
in said funky ACK, which would result in a plain
"227 Entering Passive Mode (1,2,3,4,5,6)\r\n" segment.

Getting such a clean string would bypass any amount of 
"string sanity" verification put in place.

I'm also wondering if there's a way of changing the "ls" field
output in some way (for some ftp daemons?). If so, we might even be
able to get "\r\n227 ... (...)\r\n" in a _properly reassembled_
stream. ..?


If you had access to the filestream, locally, you could have a file
named like this:

foo\r\n213 End.\r\n227 Entering Passive Mode (1,2,3,4,5,6)\r\n

This sort of thing may even trip up various application layer
proxies, too.

But if the attacker has got access to the local filesystem in order
to create that, then there is little a firewall of any sort is going
to be able to do to stop them.

That aside, my view on this is "funky ACKing" may be within the
bounds of legal TCP operation, but it's not what any "nornmal"
FTP client is going to do so throw those packets away.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Variations of firewall ruleset bypass via FTP Mikael Olsson (Oct 10)
- Re: Variations of firewall ruleset bypass via FTP Darren Reed (Oct 10)
- Re: Variations of firewall ruleset bypass via FTP Paul D. Robertson (Oct 10)
  - Re: Variations of firewall ruleset bypass via FTP Carson Gaspar (Oct 11)
  - Re: Variations of firewall ruleset bypass via FTP Mikael Olsson (Oct 11)
    - Re: Variations of firewall ruleset bypass via FTP Darren Reed (Oct 11)
    - Re: Variations of firewall ruleset bypass via FTP Mikael Olsson (Oct 11)
    - Re: Variations of firewall ruleset bypass via FTP Darren Reed (Oct 11)
    - Re: Variations of firewall ruleset bypass via FTP Darren Reed (Oct 11)
    - Re: Variations of firewall ruleset bypass via FTP Paul Robertson (Oct 11)
    - Re: Variations of firewall ruleset bypass via FTP Darren Reed (Oct 12)
    - Re: Variations of firewall ruleset bypass via FTP Paul D. Robertson (Oct 12)

(Thread continues...)