Breaking through FTP ALGs -- is it possible?

[mikael.olsson () ENTERNET SE (Mikael Olsson)]

Hi all,

I've been having this idea for a while, but I've never gotten
around to testing it to see if it actually works.

The low-down of it is fooling a firewall into opening "a TCP port
of your choice" against an FTP server. Or, if you're running
an evil FTP server, having it open ports against clients accessing
the server.

There are several "flaws" and assumption in this idea, so it
is likely to NOT work with several FTP servers and firewalls.
On the other hand, it might work with some :-)

Now, for the idea:

Assume we're accessing an FTP server that is protected by a firewall
of some kind. The firewall is monitoring our command channel, port 21,
for "PASV" messages sent by the server. Upon receipt of such messages,
it will open a channel to the port number specified in the message.

Now, what if we'd be able to send fake "PASV" message to the server,
and have it echo them out through the firewall? We'd be able to
access arbitrary TCP ports on the FTP server. (23, 139, 6000? :-)

Breaking through a stateful inspection FTP ALG
----------------------------------------------

One if the ideas I'm having has to do with stateful inspection
firewalls. I'm thinking that most of them don't reassemble the
connection completely, but rather trust that the FTP server will
send the "PASV" message as the first string in a new packet -
this is usually what will happen?

What if we "get" a file called
AAAAAAA[about 100 A]AAAAPASV 123, 123, 123, 123, 0, 139
where "123, 123, 123, 123" is the public address of the FTP server.

It is somewhat likely that the FTP server will send us an error
message stating that this file name is illegal.

Now, WHAT if we were to decrease the TCP MSS in this connection
(easily done) to something like.... 100 bytes?

Wouldn't we be able to calculate just how many 'A's we'd have
to add to the beginning of the file name until the "PASV" command
becomes the first string in the packet following the error
message with all the 'A's ?

Wouldn't the firewall then obey our fake PASV command that the
server just echoed for us? Of course, you might get lots of
garbage after the echoed PASV command, like a trailing quote
and maybe bits and pieces of the error message. But that
might not matter, I think. (Assuming that the firewall
simply does something along the lines of sscanf() to get
the parameters after having found the "PASV" text in the
beginning of the packet).

This all assumes that the firewall isn't completely reassembling
the stream, but rather looking at the contents of individual
packets. This is why I haven't gotten around to testing my
idea; you'd have to try it on several different firewalls
and see if it has a chance of working.

Breaking through a "proxy" FTP ALG
----------------------------------

There's another case here, and that is where the firewall
completely reassembles the TCP stream before analyzing it.
Call it a "proxy", call it whatever.

This is a LOT harder, but it could maybe work with
some FTP servers?

You'd have to be able to coax the FTP server into sending
multiple lines (CRLF terminated) in order to have it
look like a real PASV command. You might also have to
mimic a legitimate GET request from the client before
having the firewall accept the PASV command from the
server.

As I said, this is nowhere near easy, but I trust
someone here will come up with an FTP server that
can be coaxed into doing this, and a way to fool
the firewall :-)

Breaking through to a client
----------------------------

This is not as feasible an attack. You'd have to
have an FTP server of your own, and make people
connect to it. (As if this can't be done by
mailing HTML mail to people containing an IMG SRC
pointing to an FTP location?)

Anyhow, applying all the theory above with
different types of firewall, it ought to be
possible to make the client echo bogus
"PORT" commands, which the firewall would
interpret and result in ports being opened
through the firewall.

This is nowhere near as likely as the server
cases above, I know. It is a lot more likely
that you might coax a server into echoing
things than fooling a client into echoing
things.

I'll also leave this idea in your capable
hands, people :-)

OH, by the way. Another thing about the server
cases above. If the firewall accepts any IP
address in the PASV command from the server,
not just the address of the FTP server itself,
you might be able to fool the firewall into
opening holes to pretty much any server and
port behind it. (Long shot, I know)

/Mike