Vulnerability Development mailing list archives
Re: FreeBSD listen()
From: 3APA3A () SECURITY NNOV RU (3APA3A)
Date: Fri, 29 Oct 1999 13:13:10 +0400
Hello David Schwartz, 29.10.1999 0:13, you wrote: FreeBSD listen();

D> It makes no sense at all to use the listen backlog as any sort of security
D> mechanism. If you only wish to accept one connection, only call 'accept'
D> once.

accept() just allocates a socket for a connection that is already established and removes this connection from the queue. It works just like getchar() works with keyboard input. Calling accept() once doesn't assure you that only one connection is established, just like calling getchar() once doesn't assure you that only one symbol was entered by the user.

http://www.nai.com/nai_labs/asp_set/advisory/ftp-paper.asp

D> This is about authentication. It has nothing to do with the number of
D> connections.

This one is about FTP vulnerabilities. I disagree with this paper in many things, but it shows how vulnerabilities can be exploited. I found this problem by myself while testing my Windows NT FTP server behind a firewall... And I wrote this program to test NT (it works just like a DoS but doesn't let some data be intercepted), but I "discovered" it perfectly working against BSD. I was surprised and reported it to bugtraq. Aleph One gave me the NAI URL. While making some workaround for this problem I found some differences from NAI: the problem is strongly system dependent, so it seems like an OS weakness, not an FTP protocol weakness, and the BSD ftp client is vulnerable, in spite of NAI's claim that it isn't. That's why I want to discuss this problem again.

and realized in exploit posted to Vuln-dev, see http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-15&msg=9628.991015 () SECURITY NNOV RU

D> This is about active versus passive FTP. It has nothing to do with listen
D> backlogs or connection counts.

It works in FreeBSD just because of this problem.

D> DS

"3APA3A" <WWW.SECURITY.NNOV.RU>
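An added example, not part of 3APA3A's or David Schwartz's posts, illustrating the accept() point made above: the kernel completes the TCP handshake for every queued connection before the server calls accept() at all, so a server that expects exactly one peer must verify the address of each accepted connection rather than rely on the backlog or on calling accept() once. The helper names (`make_listener`, `accept_from`, `demo`) and the loopback-only setup are assumptions of this example.

```python
import socket

LOOPBACK = "127.0.0.1"  # every socket in this demo lives on the loopback interface


def make_listener(backlog):
    """Listening socket on an ephemeral loopback port with the given backlog."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))
    srv.listen(backlog)
    srv.settimeout(2.0)  # never let accept() block the demo forever
    return srv


def connect_many(port, count):
    """Open up to `count` client connections; return those whose connect() completed.
    Nobody has called accept() yet, so each success proves the kernel finished
    the handshake on its own (the getchar()-style queue from the post)."""
    clients = []
    for _ in range(count):
        try:
            clients.append(socket.create_connection((LOOPBACK, port), timeout=2.0))
        except OSError:
            break  # accept queue full on this OS: stop counting
    return clients


def accept_from(listener, expected_peer):
    """accept() until the connection comes from expected_peer; drop the others.
    Returns (matching socket or None, number of rejected connections)."""
    rejected = 0
    while True:
        try:
            conn, peer = listener.accept()
        except socket.timeout:
            return None, rejected
        if peer == expected_peer:
            return conn, rejected
        conn.close()  # unexpected peer: close it without reading any data
        rejected += 1


def demo(backlog=5, connections=3):
    """Returns (connections established with zero accept() calls,
    connections rejected before the expected peer, expected peer reached)."""
    srv = make_listener(backlog)
    clients = connect_many(srv.getsockname()[1], connections)
    established = len(clients)
    expected = clients[1].getsockname()  # the only peer we agree to talk to
    conn, rejected = accept_from(srv, expected)  # queue is FIFO: client 0 is dropped
    ok = conn is not None and conn.getpeername() == expected
    for s in clients + [srv] + ([conn] if conn else []):
        s.close()
    return established, rejected, ok
```

With the default arguments all three connect() calls succeed before any accept(), and the peer check discards the first queued connection and hands back the second.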