Vulnerability Development mailing list archives
Re: ws_ftp pro 6.51 exposes internal IP addresses
From: Iván Arce <core.lists.exploit-dev () CORE-SDI COM>
Date: Thu, 3 Aug 2000 02:09:12 -0300
OK, this is something i didnt have enough time to finish researching but since its being discussed i think ill attempt to explain my theory on why it happends... A good starting reference would be the published bug reports for FW-1 and Cisco PIX regarding the usage of FTP control channel information to open holes in the firewall by exploiting problems in the stateful inspection mechanism. Look at the bugtraq archives and vuln db for this. Also, dugsong, Thomas Lopatic and John MacDonald did and excellent presentation on FW-1 problems and the FTP PASV topic was discussed and exploited at BlackHat last week. Now i will guess that what you are describing is a similar problem in the NAT code, that fails to rewrite the internal address of the FTP server with the external (publicly known) IP of same. This can happend if the connecting client advertises a MSS that makes the server fragment the packets going back to the client in a way such that the NAT code fails to detect it as a response to a PASV command. Apparently ws_ftp is doing so and other ftp clients just dont bother to change the MSS or provide a big enough one to avoid the problem. 230 User xxxxx logged in. PWD 257 "/" is current directory. Host type (I): Microsoft NT PORT 209,74,14,36,6,60 200 PORT command successful. LIST 150 Opening ASCII mode data connection for /bin/ls. ! Accept error: Blocking call cancelled ! Retrieve of folder listing failed (0) QUIT 425 Can't open data connection. - - connecting to 216.37.xx.xx:2100 Connected to 216.37.xx.xx port 2100 220 saranac Microsoft FTP Service (Version 5.0). USER xxx 331 Password required for xxxx. PASS (hidden) 230-======================================== <snip> 230- 230- 230 User xxxx logged in. PWD 257 "/" is current directory. Host type (I): Microsoft NT PASV 227 Entering Passive Mode (192,168,1,5,6,184). connecting to 192.168.1.5:1720 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The fact that this is visible on the client side implies that the NAT code didnt rewrite the address. A *VERY* quick look at OpenBSD's nat code points to sys/netinet/ip_ftp_pxy.c as the probable offender. And im stating this because you said that the problem does not appear with other FTP clients, that makes me think that you are in fact using address rewritting in the FTP control channel. *IF* the above probes right, the issue is not a ws_ftp client problem, its an ipnat problem and other NAT implementations are likely to have this problem. And, as a side note, i'd like to point out that this brings in a more 'philosophycal' discussion: NAT is not a security enhancing feature and you should not rely on your addresses being hidden for any security scheme you conceive. -ivan Crawling KingSnake wrote:
How so is this an administrative issue? ws_ftp is the only one that does this. Other clients connect successfully using PASV mode. Maybe you should reread the statement and not be so quick to jump on the "administrator at fault" excuse. The server does not have the bounce attack enabled but the client must use PASV to connect because of the firewall. Those are two different issues. Please try to understand the situation before responding since these responses prove wasteful. On Mon, Jul 31, 2000 at 09:07:13AM -0400, Crawling KingSnake wrote:ws_ftp pro 6.51 exposes internal IP addresses when connecting using PASV<snip>Vendor was notified but no response.what is the vendor supposed to do? This is an administration issue. If you are protecting your network via a firewall, and you intend to hide all aspects of your network hierarchy, then you'll want to disable passive ftp. Unless ws_ftpd is not capable of disabling passive ftp, this doesnt sound like a vendor issue. <ss> ______________________________________________ FREE Personalized Email at Mail.com Sign up at http://www.mail.com/?sr=signup
-- "Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house, It's nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce ==================[ CORE Seguridad de la Informacion S.A. ]========= Iván Arce Presidente PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A email : iarce () core-sdi com http://www.core-sdi.com Pte. Juan D. Peron 315 Piso 4 UF 17 1038 Capital Federal Buenos Aires, Argentina. Tel/Fax : +(54-11) 4331-5402 Casilla de Correos 877 (1000) Correo Central ===================================================================== --- For a personal reply use iarce () core-sdi com
Current thread:
- ws_ftp pro 6.51 exposes internal IP addresses Crawling KingSnake (Aug 01)
- Re: ws_ftp pro 6.51 exposes internal IP addresses Adam Prato (Aug 02)
- <Possible follow-ups>
- Re: ws_ftp pro 6.51 exposes internal IP addresses Vachon, Scott (Aug 02)
- Re: ws_ftp pro 6.51 exposes internal IP addresses Crawling KingSnake (Aug 02)
- Re: ws_ftp pro 6.51 exposes internal IP addresses Iván Arce (Aug 02)
- Re: ws_ftp pro 6.51 exposes internal IP addresses Adam Prato (Aug 02)
- Re: ws_ftp pro 6.51 exposes internal IP addresses Crawling KingSnake (Aug 02)
- Re: ws_ftp pro 6.51 exposes internal IP addresses Nick (Aug 02)
- Re: ws_ftp pro 6.51 exposes internal IP addresses Crawling KingSnake (Aug 02)
- Re: ws_ftp pro 6.51 exposes internal IP addresses Alun Jones (Aug 08)