Firewall Wizards mailing list archives

Re: Variations of firewall ruleset bypass via FTP


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 11 Oct 2002 13:33:56 +0200


[Fair warning: somewhat inflammatory. Count backwards from 100.]

Darren Reed wrote:

Sure [partial acknowledgement] can happen but how often does it really 
happen ?  For the minor convenience of dropping whatever packets and 
causing a full resend, I think I'm happy to discard partial segments.  
Given this is only currently done for the FTP command channel (and 
that's hardly a massive user of buffering), I'm not concerned.  If it 
breaks 1 time in 100, but the other 99 are secured, that 1 off is a 
sacrifice I'm willing to force.

Yes, I agree fully.  For the FTP command channel, this might be a 
reasonable bandaid that might stop this class of attacks. 

I was just saying that one shouldn't make that assumption about
TCP in general (as Paul was theorizing).


Another addendum to add to this story, a quick check of some ftp
daemons shows they will convert the response to (at least HELP)
into uppercase. 

All the other commands _don't_ convert it. 

So if I may reiterate what I said earlier, what the firewall does
for data going from the ftp server is not isolated in this problem
from what the ftp server does to the input.

This is absolutely true.

However, I believe I have shown that there is at least one way
of constructing strings that are completely resistant to any
amount of string scrubbing through using the FTP protocol alone.

And this doesn't even begin to touch other data channel protocols
that various firewalls may or may not support.


I'm not in control of what version ships with NetBSD.  SEP.

I can't help but parse all of this as "I don't care that previous 
versions were vulnerable.  I don't care that NetBSD is shipping a 
vulnerable version.  And I particularly don't give a flying f&ck 
that listing ipf as 'Not Vulnerable' means that there's no reason 
for distributors to rush out a new version.  It's all Someone 
Else's (the users') Problem."

No one said that exploiting this was trivial.  Buffer overruns and 
format string attacks aren't trivial either.  It's been a while since 
I heard "it's non-trivial, so we're not vulnerable", and I'd been 
hoping that I wouldn't have to hear it again.


Here, I've had to practice this myself on occasion:
"I screwed up. I'm only human; it happens. I'm sorry. 
 I've done my best to fix the problem: here's the upgrade."

Really, take my word for it, it sits a h*ll of a lot better 
with most people than "SEP". And, in the long run, it feels
a whole lot better too.


Sincerely,
Mikael Olsson

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
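The partial-segment policy Darren describes for the FTP command channel, and the point that HELP output (a multi-line 214- reply) is free text the server may rewrite, as an added example that is not code from this thread or from any of the firewalls discussed: a reassembler for the server-to-client side of one FTP control connection. It assumes an IPv4 server address, and the two extra checks (the advertised address must be the server's own, and the port must be unprivileged) are my additions, not something the thread proposes.

```python
import re
from ipaddress import IPv4Address

# RFC 959 reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", recognised only
# at the start of a complete reply line, never inside the body of other text.
PASV_RE = re.compile(
    rb"^227 [^\r\n]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
MULTI_START = re.compile(rb"^(\d{3})-")   # "214-..." opens a multi-line reply
MULTI_END = re.compile(rb"^(\d{3}) ")     # "214 ..." closes it


class FtpReplyInspector:
    """Tracks server->client replies on one control connection (constructed).

    Policy: a segment that does not end on a CRLF boundary is dropped whole, so
    the firewall never acts on a reply it has not seen in full (TCP resends it);
    lines inside a multi-line reply such as HELP output are never treated as a
    227; a 227 opens a pinhole only towards the server's own address.
    """

    def __init__(self, server_ip: str):
        self.server_ip = IPv4Address(server_ip)
        self.multi_code = None  # code of the multi-line reply currently open

    def inspect(self, segment: bytes):
        """Return (forward, pinholes): whether to pass the segment on, and the
        (ip, port) data-channel pinholes its complete reply lines justify."""
        if not segment.endswith(b"\r\n"):
            return False, []            # partial reply line: drop, force a resend
        pinholes = []
        for line in segment.split(b"\r\n")[:-1]:
            if self.multi_code is not None:
                m = MULTI_END.match(line)
                if not (m and m.group(1) == self.multi_code):
                    continue            # body text of a 214-/etc. reply, ignore
                self.multi_code = None  # terminator line is the real reply
            elif MULTI_START.match(line):
                self.multi_code = MULTI_START.match(line).group(1)
                continue
            m = PASV_RE.match(line)
            if not m:
                continue
            octets = [int(x) for x in m.groups()]
            if any(o > 255 for o in octets):
                continue                # malformed address or port field
            ip = IPv4Address(".".join(map(str, octets[:4])))
            port = octets[4] * 256 + octets[5]
            if ip == self.server_ip and port > 1023:
                pinholes.append((str(ip), port))
        return True, pinholes
```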