Bugtraq mailing list archives
Re: Extending the FTP "ALG" vulnerability to any FTP client
From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Sun, 12 Mar 2000 01:31:08 +0100
Mitchell Blank Jr wrote:

> It would be nice if the browsers had a "disallow FTP to non-standard ports" checkbox.

Yup. Same thing for HTTP actually, since content analyzing filters and the like might only be analyzing port 80 and not port 8080 or whatever.

> > src="ftp://ftp.rooted.com/aaaaaaa%0a%0dPORT 1,2,3,4,0,139"
>
> Actually, on some firewalls you might be able to skip all the aaaaaaa's then, since PORT is now legitimately another command.

True. Anything that reassembles the command stream completely would be fooled by just the %0a%0d combination; no need to fool around with packet boundaries.

> > This WILL work in a browser
>
> Then that browser has a bug that needs to be fixed.

Yup.

> You might want to check if the (unspecified) browser has similar bugs in other protocols.

Sorry for not specifying what browser I'm using. This was tested on Netscape v4.7. Preliminary reports indicate that the %0d%0a variant of this attack does not work on MSIE4/5 since it (correctly) strips such characters for FTP.

<un-called-for ms bashing>
Sorry for not having tested the %0a%0d variant on other browsers; I just refuse to install MSIE. The thought of suddenly having desktop apps (word processor etc) that can't differentiate between local files and web stuff isn't all too appealing to me.
</un-called-for ms bashing>

Note to everyone: This does not mean that you're automatically safe if you're using MSIE. It depends on your firewall. I'd say that chances are fairly high that your browser of choice won't really make a difference in 95% of the cases; the firewall is the key.

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: mikael.olsson () enternet se
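The two defensive checks this message points at, written as an added example that is not part of the original post or of any browser or firewall product: a client-side test that refuses FTP URLs carrying encoded line breaks, and a firewall-side test applied to the reassembled control stream. The function names, the `RETR` verb in the sample stream, the client address and the PORT policy (own address, port 1024 or higher) are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

def ftp_url_is_safe(url: str) -> bool:
    """Client side: refuse ftp:// URLs whose percent-decoded parts hold control bytes."""
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        return False
    decoded = unquote(parts.netloc + parts.path, encoding="latin-1")
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded)

def split_commands(stream: bytes) -> list:
    """Firewall side: split the reassembled control stream on bare LF as well
    as CRLF, so an embedded line break yields every command a lenient
    server could act on."""
    lines = (raw.strip("\r ") for raw in stream.decode("latin-1").split("\n"))
    return [line for line in lines if line]

def port_allowed(command: str, client_ip: str) -> bool:
    """Assumed policy: PORT must name the client's own address and a port >= 1024."""
    verb, _, arg = command.partition(" ")
    if verb.upper() != "PORT":
        return True
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(
        f.isascii() and f.isdigit() and int(f) <= 255 for f in fields
    ):
        return False  # malformed PORT argument: never open a pinhole for it
    ip = ".".join(str(int(f)) for f in fields[:4])
    port = int(fields[4]) * 256 + int(fields[5])
    return ip == client_ip and port >= 1024

def rejected_ports(stream: bytes, client_ip: str) -> list:
    """Return the PORT commands in the stream that the policy refuses."""
    return [c for c in split_commands(stream) if not port_allowed(c, client_ip)]

# Constructed sample data: the URL is the one quoted in the message; the
# control stream is an assumed rendering of what a non-stripping client sends.
SAMPLE_URL = "ftp://ftp.rooted.com/aaaaaaa%0a%0dPORT 1,2,3,4,0,139"
SAMPLE_STREAM = b"RETR aaaaaaa\n\rPORT 1,2,3,4,0,139\r\n"
CLIENT_IP = "10.0.0.5"  # constructed internal client address

if __name__ == "__main__":
    print("URL accepted:", ftp_url_is_safe(SAMPLE_URL))
    print("PORT commands refused:", rejected_ports(SAMPLE_STREAM, CLIENT_IP))
```

Either check alone stops the sample: the client check never sends the request, and the firewall check refuses the injected PORT because it names another host and a port below 1024.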