Vulnerability Development mailing list archives

Re: FreeBSD listen()


From: 3APA3A () SECURITY NNOV RU (3APA3A)
Date: Fri, 29 Oct 1999 13:13:10 +0400


Hello David Schwartz,

29.10.1999 0:13, you wrote: FreeBSD listen();

D>         It makes no sense at all to use the listen backlog as any sort of security
D> mechanism. If you only wish to accept one connection, only call 'accept'
D> once.

accept() just allocates a socket for a connection that is already established and removes this connection from the queue. It works just like getchar() works with keyboard input. Calling accept() once doesn't guarantee that only one connection is established, just as calling getchar() once doesn't guarantee that only one character was entered by the user.

http://www.nai.com/nai_labs/asp_set/advisory/ftp-paper.asp

D>         This is about authentication. It has nothing to do with the number of
D> connections.

This one is about FTP vulnerabilities. I disagree with this paper in many things, but it shows how vulnerabilities can be exploited. I found this problem by myself while testing my Windows NT FTP server behind a firewall... And I wrote this program to test NT (it works just like a DoS but doesn't let some data be intercepted), but I "discovered" it working perfectly against BSD. I was surprised and reported it to bugtraq. Aleph One gave me the NAI URL. While making a workaround for this problem I found some differences from NAI: the problem is strongly system dependent, so it seems like an OS weakness, not an FTP protocol weakness, and the BSD ftp client is vulnerable, in spite of NAI's claims that it isn't. That's why I want to discuss this problem again.

and realized in exploit posted to Vuln-dev, see

http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-15&msg=9628.991015 () SECURITY NNOV RU

D>         This is about active versus passive FTP. It has nothing to do with listen
D> backlogs or connection counts.

It works in FreeBSD just because of this problem.

D>         DS

"3APA3A" <WWW.SECURITY.NNOV.RU>
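The accept()/getchar() point above, as an added loopback demonstration that is not part of this thread or any code its participants posted: several clients connect to a server that calls accept() exactly once, the kernel completes every handshake and even buffers data for the peers that were never accepted, and closing the listening socket after the one expected accept() is what actually stops further connections. It assumes only the Python standard library and a working loopback interface; the hostnames, ports and messages are constructed.

```python
import socket

def run_demo(n_clients: int = 3, backlog: int = 5) -> dict:
    """Constructed loopback demo (not from the thread): the server calls
    listen() once and accept() once; several clients connect before that
    single accept(). Reports how many connections the kernel completed
    versus how many the server accepted, and whether a connect() attempted
    after the listening socket is closed is refused."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # loopback, kernel-chosen port
    srv.listen(backlog)
    port = srv.getsockname()[1]

    # Each connect() completes the TCP handshake inside the kernel; the
    # connection is ESTABLISHED and queued whether or not accept() ever runs.
    clients = [socket.create_connection(("127.0.0.1", port), timeout=2.0)
               for _ in range(n_clients)]

    # Un-accepted peers can even queue data: the kernel buffers it for the
    # connection that accept() may or may not hand over later.
    for i, c in enumerate(clients):
        c.sendall(b"hello from client %d\n" % i)

    conn, _ = srv.accept()  # the one accept(): dequeues exactly ONE connection
    first_payload = conn.recv(64)
    established = sum(1 for c in clients if c.getpeername()[1] == port)

    # Mitigation: once the single expected peer is accepted, stop listening.
    # Queued-but-unaccepted connections are reset and new ones are refused.
    srv.close()
    try:
        socket.create_connection(("127.0.0.1", port), timeout=2.0).close()
        refused_after_close = False
    except OSError:  # ConnectionRefusedError on a closed port
        refused_after_close = True

    conn.close()
    for c in clients:
        c.close()
    return {
        "kernel_established": established,
        "server_accepted": 1,
        "first_payload": first_payload,
        "refused_after_close": refused_after_close,
    }

if __name__ == "__main__":
    print(run_demo())
```

How many connections the queue holds before connect() stalls or fails is the system-dependent part the message describes, so the demo keeps n_clients below the backlog to show only the accept() semantics.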

