Vulnerability Development mailing list archives
Re: Exploiting any network protocol with secondary data channels opened from the server
From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Sat, 18 Mar 2000 22:30:39 -0800
Mikael Olsson wrote:
> Darren Reed <avalon () COOMBS ANU EDU AU> recently wrote something regarding all the fuss about the FTP data channel vulnerabilities, that gave me the creeps:
> > I don't need to use a bad hyperlink in HTML to do the above, I can equally use Java.
> Which is extremely vile, since there is NO WAY that any type firewall can differentiate a Java-driven FTP session from a "normal" FTP session. The fix for FTP is to simply disallow all active FTP, but what about protocols that do not support "passive" modes? Anyone care to go dig up some protocols which open secondary data channels from the server to the client, and then write a java component that emulates an outbound client command session that fools firewalls into opening dangerous data connections?
Damn that's evil. That would fool every firewall on the market that supports FTP. I love it. Many firewalls don't allow PORT commands to be issued for ports under 1024 (recent Firewall-1 versions, for example), but that still leaves plenty of room for fun on a lot of boxes. Some DO allow arbitrary ports (see my posts about Cisco NAT early in the list archives.) I don't suppose Sandboxed Java Applets have any legal way to determine which ports are open on the machine they're running on, do they? Someone care to put up a demo of such a beast on a webserver they aren't worried about getting pulled off the net? I bet a cute hack with a simple Java applet, and some Samba scripting could be pretty effective.

BB
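As an added illustration of the firewall-side check the reply refers to (this is example code, not anything posted in the thread): an FTP-aware filter parses each client PORT command and only opens the inbound data connection if the requested address is the control-channel client itself and the port is unprivileged. The 1024 floor mirrors the Firewall-1 behaviour mentioned above; the sample command lines and client address are constructed.

```python
import ipaddress
import re

# 'PORT h1,h2,h3,h4,p1,p2' -- four address octets, then the port as two bytes.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) from a PORT command line, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def port_command_allowed(line, control_client_ip, min_port=1024):
    """Policy decision for one PORT command seen on a control channel that was
    opened by control_client_ip. Returns (allowed, reason)."""
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    # The data connection must go back to the host that owns the control
    # channel; any other address is a bounce to a third party.
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_client_ip):
        return False, f"PORT address {ip} does not match control client {control_client_ip}"
    # Privileged ports carry services an FTP client never needs for a data
    # transfer, so a request for one is refused rather than forwarded.
    if port < min_port:
        return False, f"port {port} is below the {min_port} floor"
    return True, f"data connection to {ip}:{port} permitted"


def filter_control_stream(lines, control_client_ip):
    """Evaluate every PORT command in a captured control stream (constructed input)."""
    return [(ln, *port_command_allowed(ln, control_client_ip))
            for ln in lines if ln.upper().startswith("PORT")]


if __name__ == "__main__":
    # Constructed control-channel lines from a client at 10.0.0.5.
    sample = ["USER anonymous", "PORT 10,0,0,5,4,1",
              "PORT 10,0,0,5,0,139", "PORT 10,0,0,9,4,1"]
    for line, ok, why in filter_control_stream(sample, "10.0.0.5"):
        print(f"{line:24} -> {'ALLOW' if ok else 'DENY '} ({why})")
```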