Bugtraq mailing list archives

Re: Extending the FTP "ALG" vulnerability to any FTP client


From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Sun, 12 Mar 2000 01:31:08 +0100


Mitchell Blank Jr wrote:

It would be nice if the browsers had a "disallow FTP to non-
standard ports" checkbox.

Yup. Same thing for HTTP actually, since content analyzing filters
and the like might only be analyzing port 80 and not port 8080
or whatever.

  src="ftp://ftp.rooted.com/aaaaaaa%0a%0dPORT 1,2,3,4,0,139"

Actually, on some firewalls you might be able to skip
all the aaaaaaa's then, since PORT is now legitimately another
command.

True. Anything that reassembles the command stream completely
would be fooled by just the %0a%0d combination; no need
to fool around with packet boundaries.


  This WILL work in a browser

Then that browser has a bug that needs to be fixed.

Yup.

You might want to check if the (unspecified) browser has
similar bugs in other protocols.

Sorry for not specifying what browser I'm using.
This was tested on Netscape v4.7.

Preliminary reports indicate that the %0d%0a variant
of this attack does not work on MSIE4/5 since it (correctly)
strips such characters for FTP.

<un-called-for ms bashing>
Sorry for not having tested the %0a%0d variant on other browsers;
I just refuse to install MSIE. The thought of suddenly having
desktop apps (word processor etc) that can't differentiate between
local files and web stuff isn't all too appealing to me.
</un-called-for ms bashing>

Note to everyone: This does not mean that you're automatically safe
if you're using MSIE. It depends on your firewall. I'd say that
chances are fairly high that your browser of choice won't really
make a difference in 95% of the cases; the firewall is the key.


--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
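A defender-side illustration of the two checks this thread points at, as an added example that is not from the original posts or from any browser or firewall product mentioned: a client refusing FTP URLs whose decoded components contain line ends (the behaviour the thread reports for MSIE), and an FTP ALG validating a PORT argument before opening a data pinhole. The ALG rule used here (advertised address must equal the control-connection peer, port must be 1024 or above) is a common hardening practice assumed for this example, not something the thread spells out; the client address 10.0.0.5 and the command stream are constructed sample input, and the URL is the one quoted in the thread.

```python
import re
from urllib.parse import unquote, urlsplit

# CR, LF and other control characters that must never reach the command stream.
CTRL = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample input: the thread's URL and a stream a naive client would
# emit after percent-decoding it, followed by a legitimate PORT from 10.0.0.5.
SAMPLE_URL = "ftp://ftp.rooted.com/aaaaaaa%0a%0dPORT 1,2,3,4,0,139"
SAMPLE_CLIENT_IP = "10.0.0.5"
SAMPLE_STREAM = (b"USER anonymous\r\nPASS guest@\r\n"
                 b"CWD aaaaaaa\n\rPORT 1,2,3,4,0,139\r\n"
                 b"PORT 10,0,0,5,4,1\r\nRETR x\r\n")

def ftp_url_is_safe(url: str) -> bool:
    """Client-side check: reject an FTP URL whose decoded user, password or
    path contains control characters, so %0a%0d cannot split a command."""
    parts = urlsplit(url)
    for piece in (parts.username or "", parts.password or "", parts.path):
        if CTRL.search(unquote(piece)):
            return False
    return True

def parse_port_arg(arg: str):
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port); None if malformed."""
    fields = arg.split(",")
    if len(fields) != 6 or not all(f.isdigit() and int(f) < 256 for f in fields):
        return None
    h = [int(f) for f in fields]
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]

def alg_allow_port(client_ip: str, arg: str) -> bool:
    """ALG-side check (assumed policy): open a pinhole only if PORT points back
    at the control-connection peer and at an unprivileged port (>= 1024)."""
    parsed = parse_port_arg(arg)
    if parsed is None:
        return False
    ip, port = parsed
    return ip == client_ip and port >= 1024

def alg_scan_commands(client_ip: str, stream: bytes):
    """Split a reassembled client->server stream on any line-end combination,
    as the thread says firewalls do, and give a verdict for each PORT seen."""
    verdicts = []
    for line in re.split(rb"\r\n|\n\r|\r|\n", stream):
        cmd, _, arg = line.decode("ascii", "replace").strip().partition(" ")
        if cmd.upper() == "PORT":
            verdicts.append((arg, alg_allow_port(client_ip, arg)))
    return verdicts
```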
