Bugtraq mailing list archives
Multiple firewalls: FTP Application Level Gateway "PASV" Vulnerability
From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Thu, 10 Feb 2000 11:23:14 +0100
Multiple firewalls: FTP Application Level Gateway "PASV" Vulnerability

Synopsis
--------

It is possible to cause certain firewalls to open up any TCP port of your choice against FTP servers that are "protected" by those firewalls. This is done by fooling the FTP server into echoing "227 PASV" commands out through the firewall.

Known affected firewalls
------------------------

Firewall-1 v3 allows full communication on the opened port
Firewall-1 v4 allows only inbound communication on the opened port

NOTE: THIS IS LIKELY A PROBLEM WITH MANY FIREWALLS. DO NOT TAKE FOR GRANTED THAT YOUR FIREWALL IS SAFE JUST BECAUSE IT IS NOT LISTED HERE.

Background
----------

I've had this idea since late -98, but haven't gotten around to doing anything about it. Recently, I posted a "possible vulnerability" to vuln-dev () securityfocus com, outlining my ideas. This resulted in multiple responses from different people saying that they had experienced attacks like this. It would seem that I should have gone public with my concerns a lot sooner, rather than having people frown upon them in private.

For my original, somewhat unstructured, thought process, entitled "Breaking through FTP ALGs -- is it possible?", see:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&msg=389FEB7B.AA290CC7 () enternet se

For an immediate confirmation regarding FW-1 v3 and v4 from John McDonald, jm () dataprotect com, and a real-life attack, entitled "FireWall-1 FTP Server Vulnerability", see:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&msg=38A1B2D9.3B244FAB () dataprotect com

[Note: URLs are most likely wrapped]

This attack is most likely to work against stateful inspection firewalls protecting servers. It might also be possible to cause "proxy"-like firewalls to open arbitrary ports to protected servers.

In the extreme case, albeit a tad unlikely, it may be possible to cause any type of firewall to open arbitrary ports against FTP clients.

Take care, all

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50   Fax: +46 (0)660 122 50   Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se   E-mail: mikael.olsson () enternet se
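The class of gateway flaw the post describes, shown as an added example (Python) that is not code from the post and not Firewall-1's actual inspection logic: a simplified stateful-inspection FTP ALG that opens a pinhole for any "227" text plus host/port tuple it sees on the server-to-client control channel, beside a hardened one that reassembles control-channel lines, only honours a final "227 " reply that answers a PASV the client really sent, and only when the reply names the protected server's own address on an unprivileged port. The ALG model, the server address 10.0.0.2, the bogus command, the server's echoed "500" error reply and the two-segment delivery of that reply are all constructed for the example; real TCP segmentation depends on the MSS, and real FTP servers differ in how much of a rejected command they echo.

```python
# Added example: simplified model of an FTP ALG that opens firewall pinholes for
# passive-mode transfers. Neither Firewall-1's real logic nor the poster's code.
import re
from collections import deque

# Host/port tuple of a 227 reply: (h1,h2,h3,h4,p1,p2), port = p1*256 + p2
HOSTPORT_RE = re.compile(rb"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
REPLY_RE = re.compile(rb"^(\d{3})([ -])")  # "227 " = final line, "227-" = multi-line start

def parse_hostport(text):
    """(ip, port) from the first (h1,h2,h3,h4,p1,p2) tuple in text, else None."""
    m = HOSTPORT_RE.search(text)
    if not m:
        return None
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

class NaiveAlg:
    """Weak ALG: any server->client segment holding '227' plus a host/port tuple opens a pinhole."""
    def __init__(self, server_ip):
        self.server_ip, self.pinholes = server_ip, set()

    def client_data(self, segment):
        pass  # client commands are not tracked at all

    def server_data(self, segment):
        hp = parse_hostport(segment) if b"227" in segment else None
        if hp:
            self.pinholes.add(hp)

class StrictAlg:
    """Hardened ALG: reassembles control-channel lines on both sides and opens a
    pinhole only for a final '227 ' reply line that answers a PASV the client
    really sent and names the protected server on an unprivileged port."""
    def __init__(self, server_ip):
        self.server_ip, self.pinholes = server_ip, set()
        self.pending = deque()  # one flag per outstanding client command: was it PASV?
        self.multiline = None   # code of a multi-line reply in progress, if any
        self.cbuf = self.sbuf = b""

    def client_data(self, segment):
        self.cbuf += segment
        while b"\r\n" in self.cbuf:
            line, self.cbuf = self.cbuf.split(b"\r\n", 1)
            self.pending.append(line.strip().upper() == b"PASV")

    def server_data(self, segment):
        self.sbuf += segment
        while b"\r\n" in self.sbuf:
            line, self.sbuf = self.sbuf.split(b"\r\n", 1)
            self._reply_line(line)

    def _reply_line(self, line):
        if self.multiline is not None:  # inside a multi-line reply
            if not line.startswith(self.multiline + b" "):
                return  # continuation text is free-form: never act on it
            self.multiline = None  # terminating line: handle it as the final reply
        m = REPLY_RE.match(line)
        if not m:
            return  # not a well-formed reply line (e.g. an echoed fragment)
        code, sep = m.groups()
        if sep == b"-":
            self.multiline = code
            return
        if code.startswith(b"1"):
            return  # preliminary reply; the command is still outstanding
        was_pasv = self.pending.popleft() if self.pending else False
        if not was_pasv or code != b"227":
            return  # a 227 nobody asked for is no reason to open a port
        hp = parse_hostport(line)
        if hp and hp[0] == self.server_ip and hp[1] > 1023:
            self.pinholes.add(hp)

SERVER_IP = "10.0.0.2"  # constructed address of the protected FTP server

def pasv_exchange(alg_cls, host=b"10,0,0,2"):
    """Client sends PASV, server answers 227 naming host on port 4*256+1 = 1025.
    Passing a host other than the server's own gives the forged-address case."""
    alg = alg_cls(SERVER_IP)
    alg.client_data(b"PASV\r\n")
    alg.server_data(b"227 Entering Passive Mode (" + host + b",4,1)\r\n")
    return alg.pinholes

def echoed_227_attack(alg_cls):
    """Constructed attack traffic: a bogus command carrying 227 text, which the
    server echoes inside its error reply. The reply is fed in two segments (a
    constructed split) so that the second begins with the echoed '227 (...)'."""
    alg = alg_cls(SERVER_IP)
    bogus = b"XXXX 227 (10,0,0,2,0,23)"
    alg.client_data(bogus + b"\r\n")
    reply = b"500 '" + bogus + b"': command not understood\r\n"
    cut = reply.index(b"227")
    alg.server_data(reply[:cut])
    alg.server_data(reply[cut:])
    return alg.pinholes

if __name__ == "__main__":
    print("naive :", sorted(pasv_exchange(NaiveAlg)), sorted(echoed_227_attack(NaiveAlg)))
    print("strict:", sorted(pasv_exchange(StrictAlg)), sorted(echoed_227_attack(StrictAlg)))
```

Run as a script, the naive gateway opens 10.0.0.2:23 from the echoed error text while the strict one opens nothing; both open 10.0.0.2:1025 for a genuine PASV exchange. Three things do the work in StrictAlg: decisions are made on reassembled reply lines, not on individual TCP segments, so where a segment boundary falls is irrelevant; a 227 is only accepted as the final reply to an outstanding PASV (a deque of pending commands keeps this correct when commands are pipelined); and the address in the reply must be the protected server's own, which is the check that would still matter against a server that is itself hostile or compromised.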