Vulnerability Development mailing list archives

Re: Exploiting any network protocol with secondary data channels opened from the server


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Sat, 18 Mar 2000 22:30:39 -0800


Mikael Olsson wrote:

Darren Reed <avalon () COOMBS ANU EDU AU> recently wrote something
regarding all the fuss about the FTP data channel vulnerabilities,
that gave me the creeps:

I don't need to use a bad hyperlink in HTML to do the above, I can
equally use Java.

Which is extremely vile, since there is NO WAY that any type firewall
can differentiate a Java-driven FTP session from a "normal" FTP
session. The fix for FTP is to simply disallow all active FTP,
but what about protocols that do not support "passive" modes?

Anyone care to go dig up some protocols which open secondary data
channels from the server to the client, and then write a java
component that emulates an outbound client command session that
fools firewalls into opening dangerous data connections?

Damn that's evil.  That would fool every firewall on the market that
supports FTP.  I love it.

Many firewalls don't allow PORT commands to be issued for ports under
1024 (recent Firewall-1 versions, for example), but that still leaves
plenty of room for fun on a lot of boxes.  Some DO allow arbitrary
ports (see my posts about Cisco NAT early in the list archives.)

I don't suppose Sandboxed Java Applets have any legal way to determine
which ports are open on the machine they're running on, do they?

Someone care to put up a demo of such a beast on a webserver they
aren't worried about getting pulled off the net?  I bet a cute
hack with a simple Java applet, and some Samba scripting could be
pretty effective.

                                        BB
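As an added illustration, not code from this thread, this is the kind of PORT-command check a stateful firewall's FTP handler applies before opening a data connection, including the sub-1024 port floor mentioned above; the client address and sample control-channel lines are constructed for the example. It also shows the limit the thread is pointing at: an applet on the client issues PORT with the client's own address, so the address check does not catch it and only the port floor applies.

```python
import re
from ipaddress import ip_address

# Constructed sample control-channel lines as a firewall's FTP handler would
# see them from a client at 10.0.0.5 (an assumed address for this example).
CLIENT_IP = "10.0.0.5"
SAMPLE_LINES = [
    "PORT 10,0,0,5,4,1",      # 10.0.0.5:1025 - ordinary active-mode request
    "PORT 10,0,0,5,0,139",    # 10.0.0.5:139  - below 1024, should be refused
    "PORT 10,0,0,9,4,1",      # third-party address, should be refused
    "PORT 10,0,0,5,255,255",  # 10.0.0.5:65535 - high port, passes the floor
    "PORT 10,0,0,5,4",        # malformed, should be refused
]

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line):
    """Return (ip, port) from an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def alg_decision(line, control_client_ip, min_port=1024):
    """Decide whether the firewall should open the requested data connection.

    Returns ("allow" | "deny", reason). The address check stops bounce
    requests aimed at a third host; the port floor is what stops a request
    aimed at a reserved service port on the client itself.
    """
    parsed = parse_port(line)
    if parsed is None:
        return ("deny", "malformed PORT command")
    ip, port = parsed
    if ip_address(ip) != ip_address(control_client_ip):
        return ("deny", f"PORT address {ip} differs from client {control_client_ip}")
    if port < min_port:
        return ("deny", f"port {port} is below the {min_port} floor")
    return ("allow", f"data connection to {ip}:{port}")


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(sample, "->", alg_decision(sample, CLIENT_IP))
```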
