Vulnerability Development mailing list archives

Re: FreeBSD listen()


From: 3APA3A () SECURITY NNOV RU (3APA3A)
Date: Fri, 29 Oct 1999 12:45:27 +0400


Hello CyberPsychotic,

28.10.1999 2:12, you wrote: FreeBSD listen();

C> ~ :This fact causes problems. Some applications (for example an ftp server in
C> ~ :passive mode or an ftp client in active mode) use
C> ~ :listen(data, 1);
C> ~ :accept(data,...);
C> ~ :close(data);
C> ~ :to limit the number of incoming data connections to exactly one. If the
C> ~ :second connection is not rejected, it makes it possible to inject
C> ~ :or intercept data between server and client, as described in the NAI
C> ~ :bulletin

C> That is an ftp daemon/client (depending on whether it's active or passive
C> mode), which should take care of accepting only a single connection and only
C> from the proper source (which is surprisingly being ignored by some daemons,

Sorry, but it seems you didn't catch the problem. Maybe my English
is too poor. The problem is that neither client nor server has any way
to control the number of connections; the only way they have is
C> ~ :listen(data, 1);
C> ~ :accept(data,...);
C> ~ :close(data);

Controlling the IP address isn't right since it may cause problems with
multihomed hosts.

C> such as ncftpd, e.g.). However, even ncftpd closes all the incoming
C> connections to the port once the first one has been accepted. Same goes

The problem is that between listen() and accept(), the accepting side
should inform the other side which port to use. This takes some time,
allowing the attack. All ftp clients/ftp servers (I guess) close the incoming
port after accept(). But the connection is established prior to accept();
accept() just allocates a socket for a connection that is already
established and removes the connection from the "pending queue".

C> with my ftp client (shipped with r.h. 6.0). So I don't think there are any
C> security issues, except syn-flooding, involved here.

Just try an exploit. Against 2.2.x it works perfectly. Run it against
any 2.2.x FTP server and try to connect to it in passive mode.

3APA3A
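
The kernel behaviour the reply describes, shown as an added example that is not code from this thread or from any FTP implementation: a listener is created with listen(fd, 1) on loopback, several connect() calls are made before the server ever calls accept(), and the program counts how many of those handshakes the kernel completed on its own. The loopback address, the ephemeral port, the 300 ms connect timeout and the number of attempts are assumptions chosen for the demonstration. On Linux a backlog of 1 still admits two fully established connections, so listen(data, 1); accept(); close(); cannot by itself reject a second peer; other kernels size the queue differently, so the exact count varies, but it is never limited to one.

```c
/* Added example (assumed setup: loopback, ephemeral port, 300 ms timeout).
 * Counts TCP handshakes that complete against listen(fd, backlog) before
 * the server has called accept() even once. */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_ATTEMPTS 16

/* Listening socket on 127.0.0.1, kernel-chosen port, given backlog. */
static int open_listener(int backlog, unsigned short *port_out)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                     /* let the kernel pick a port */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, backlog) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

/* Non-blocking connect to 127.0.0.1:port, waiting at most timeout_ms for the
 * handshake. Returns the connected descriptor, or -1 if the SYN went
 * unanswered (Linux drops it once the accept queue is full) or connect failed. */
static int connect_loopback(unsigned short port, int timeout_ms)
{
    struct sockaddr_in sa;
    struct pollfd p;
    int err = 0;
    socklen_t errlen = sizeof err;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0)
        return fd;                       /* completed synchronously */
    if (errno != EINPROGRESS) {
        close(fd);
        return -1;
    }
    p.fd = fd;
    p.events = POLLOUT;
    if (poll(&p, 1, timeout_ms) <= 0 ||
        getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) < 0 || err != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Make `attempts` client connections while the server has NOT yet called
 * accept(); return how many reached the established state. Only then does
 * the server accept one connection and close the listener, as an FTP data
 * channel does after telling its peer which port to use. -1 on setup error. */
int established_before_accept(int backlog, int attempts)
{
    unsigned short port;
    int fds[MAX_ATTEMPTS];
    int established = 0, afd, lfd, i;

    if (attempts > MAX_ATTEMPTS)
        attempts = MAX_ATTEMPTS;
    lfd = open_listener(backlog, &port);
    if (lfd < 0)
        return -1;
    for (i = 0; i < attempts; i++) {
        fds[i] = connect_loopback(port, 300);
        if (fds[i] >= 0)
            established++;               /* handshake done, no accept() yet */
    }
    /* accept() only dequeues a connection the kernel already completed;
     * a second queued peer is not rejected by it. */
    if (established > 0 && (afd = accept(lfd, NULL, NULL)) >= 0)
        close(afd);
    close(lfd);                          /* queued peers are reset only now */
    for (i = 0; i < attempts; i++)
        if (fds[i] >= 0)
            close(fds[i]);
    return established;
}

int main(void)
{
    int n = established_before_accept(1, 3);
    if (n < 0) {
        perror("setup");
        return 1;
    }
    printf("listen(fd, 1): %d of 3 connections established before accept()\n", n);
    return 0;
}
```

The count is taken before accept() runs, which is exactly the window in which an FTP client or server is still telling its peer which port to use. Closing the listening socket immediately after accept() resets whatever is still queued, but it cannot un-establish a connection that the kernel completed earlier, which is why the reply says the listen/accept/close sequence does not limit the data channel to one peer.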

