Vulnerability Development mailing list archives
Re: FTP Passive Connection Hijacking Script
From: Michael Wojcik <Michael.Wojcik () MERANT COM>
Date: Fri, 28 Jul 2000 09:54:43 -0700
-----Original Message-----
From: Tomasz Grabowski [mailto:cadence () APOLLO ACI COM PL]

> The client is generating random code "random1" (it can do this the same
> way that the SYN number is generated). When the server will connect to
> clients port, he must send him that "random1" number. After that the
> client will accept data.
This type of exchange (that "random code" is typically called a "nonce") can defeat simple replay and hijacking attacks. It could also possibly be used to defeat the attack HD Moore described in the original message, with some changes: HD's attack involved stealing data, not inserting it, so the server would have to wait to receive the nonce before sending data. (HD's attack pretends to be the client, not the server.) The client would know not to send the nonce because it wouldn't be able to connect to the server's port.

However, this only applies to passive mode; in active mode, HD's attack doesn't apply. The attacking program can't pretend to be the client unless it can insert a PORT command into the control flow, which is another attack entirely.

However, if you're going to go to the trouble of adding a nonce to the FTP control exchange, you might as well go to an actual secured FTP, like SRP FTP. Then you have shared-secret validation with perfect forward security and data encryption. SRP is an Internet-draft, last I checked, so it's already started down the standardization path, and clients and servers are available for several platforms. And the SRP protocol was examined closely in an open process (on sci.crypt) with several knowledgeable people participating, and revised to eliminate the weaknesses that were discovered in early versions.

SRP FTP still suffers from some of the security problems inherent in the FTP protocol, but it's a considerable improvement. Kermit's also been SRP-enabled, I believe.

Michael Wojcik
michael.wojcik () merant com
MERANT
Department of English, Miami University
Current thread:
- FTP Passive Connection Hijacking Script H D Moore (Jul 24)
- <Possible follow-ups>
- Re: FTP Passive Connection Hijacking Script Tomasz Grabowski (Jul 27)
- Re: FTP Passive Connection Hijacking Script Michael Wojcik (Jul 28)
- Re: FTP Passive Connection Hijacking Script Bluefish (Jul 30)