Bugtraq mailing list archives

Re: FTP DoS - PORT and PASV effected.

From: hno () HEM PASSAGEN SE (Henrik Nordstrom)
Date: Fri, 10 Dec 1999 00:49:24 +0100


Darren Reed wrote:

btw, a similar sort of attack can be mounted using the PORT command.
You just need to setup a local listener, etc, or get the ftp server
to try connect to lots of network 10 sites in < 75 seconds before
TCP connect's start timing out.  I'll leave that as an exercise for
the reader - a correct fix for the PASV problem should fix this one
as well (and the exploit is almost the same too).


I think the some development version of wu-ftpd is safe from the PORT
version of the attack. PORT (or default) data connection can only be
used once per transfer, and the some development versions of wu-ftpd
requires the client to close the data connection before it acknowledging
the transfer, thereby limiting the PORT version of the attack to once
per control connection. Most versions (i.e. the versions currently
commonly used) does not do this and can be exploited using PORT.

Thinking of it the PASV based attack can be stopped by similar (generic)
measures. Simply do NOT accept the establishment of a new data
connection unless the client has closed the previous connection. This
could be done in at least two ways without any noticeable impact on RFC
compliance:

a) When closing any existing data connection due to port specification
change, make sure the client also closes it's end of the connection
before continuing processing.

b) Do not accept the establishment of a new data connection until the
client has fully closed down any previous connection.

Of the two, alternative b is the one least likely to cause
interoperability problems with clients behaving badly. Both methods are
fully generic and not tied to any connection establishement method.

The FTP server should also clearly log (and close) any open data channel
on exit, to alert the administrator that there may be a problem.

Simply closing the control connection if a second PASV command is seen
is in my eyes not a good approach. While it may stop this particular DOS
it is very specific and can probably be fooled in one way or another. It
is also in violation of the spirit of RFC 959.

--
Henrik Nordstrom

Current thread:

Re: Big problem on linux 2.0, (continued)
- - - Re: Big problem on linux 2.0 visi0n (Dec 11)
    - Re: Big problem on linux 2.0 Andrea Arcangeli (Dec 14)
    - HP-UX: Security Vulnerability in wu-ftp Aleph One (Dec 13)
- From the SCO Security Page Alfred Huger (Dec 06)
- w00giving #8] Solaris 2.7's snoop Aleph One (Dec 06)
  - Re: w00giving #8] Solaris 2.7's snoop Shane A. Macaulay (Dec 09)
  - Clarification needed on the snoop vuln(s) Alfred Huger (Dec 09)
- FTP denial of service attack Darren Reed (Dec 07)
  - Re: FTP denial of service attack Renaud Deraison (Dec 07)
    - FTP DoS - PORT and PASV effected. Darren Reed (Dec 07)
    - Re: FTP DoS - PORT and PASV effected. Henrik Nordstrom (Dec 09)
  - Re: FTP denial of service attack antirez () INVECE ORG (Dec 07)
  - Re: FTP denial of service attack Dustin Miller (Dec 07)
    - Re: FTP denial of service attack Hugo.van.der.Kooij () CAIW NL (Dec 08)
    - Re: FTP denial of service attack Paulo Licio de Geus (Dec 09)
    - [Debian] New version of htdig released Aleph One (Dec 10)
    - Fundamental flaw in UnixWare 7 security Brock Tellier (Dec 10)
    - Solaris sadmind Buffer Overflow Vulnerability Alfred Huger (Dec 10)
  - Re: FTP denial of service attack bert hubert (Dec 07)
    - Re: FTP denial of service attack antirez () INVECE ORG (Dec 09)
  - Re: FTP denial of service attack Henrik Nordstrom (Dec 07)

(Thread continues...)