Vulnerability Development mailing list archives

Re: FTP Passive Connection Hijacking Script


From: Michael Wojcik <Michael.Wojcik () MERANT COM>
Date: Fri, 28 Jul 2000 09:54:43 -0700

-----Original Message-----
From: Tomasz Grabowski [mailto:cadence () APOLLO ACI COM PL]
The client is generating random code "random1" (it can do this the same
way that the SYN number is generated).
When the server will connect to client's port, he must send him that
"random1" number. After that the client will accept data.

This type of exchange (that "random code" is typically called a "nonce") can
defeat simple replay and hijacking attacks.

It could also possibly be used to defeat the attack HD Moore described in
the original message, with some changes: HD's attack involved stealing data,
not inserting it, so the server would have to wait to receive the nonce
before sending data.  (HD's attack pretends to be the client, not the
server.)  The client would know not to send the nonce because it wouldn't be
able to connect to the server's port.

However, this only applies to passive mode; in active mode, HD's attack
doesn't apply.  The attacking program can't pretend to be the client unless
it can insert a PORT command into the control flow, which is another attack
entirely.

However, if you're going to go to the trouble of adding a nonce to the FTP
control exchange, you might as well go to an actual secured FTP, like SRP
FTP.  Then you have shared-secret validation with perfect forward security
and data encryption.  SRP is an Internet-draft, last I checked, so it's
already started down the standardization path, and clients and servers are
available for several platforms.  And the SRP protocol was examined closely
in an open process (on sci.crypt) with several knowledgeable people
participating, and revised to eliminate the weaknesses that were discovered
in early versions.

SRP FTP still suffers from some of the security problems inherent in the FTP
protocol, but it's a considerable improvement.

Kermit's also been SRP-enabled, I believe.

Michael Wojcik             michael.wojcik () merant com
MERANT
Department of English, Miami University
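The nonce-guarded passive data connection discussed in this thread, as an added toy model (not part of the original post, and not how any real FTP implementation behaves): the server hands the file only to the peer that presents the nonce on the data connection, so a peer that reaches the passive port first without it receives nothing. The function names and the line-based wire format are assumptions.

```python
import secrets
import socket
import threading

def serve_passive_data(listener, nonce: bytes, payload: bytes, max_attempts=5) -> int:
    """Server side (assumed design): hand the payload only to the peer that
    presents the nonce. Returns how many connections were refused first (or -1)."""
    refused = 0
    for _ in range(max_attempts):
        conn, _addr = listener.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                presented = conn.recv(256).rstrip(b"\r\n")
            except socket.timeout:
                presented = b""
            if secrets.compare_digest(presented, nonce):
                conn.sendall(payload)   # nonce matches: this is the real client
                return refused
            refused += 1                # wrong or missing nonce: send nothing
    return -1

def fetch_passive(port: int, nonce: bytes) -> bytes:
    """Client side: connect to the passive port, present the nonce, read data."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
        s.sendall(nonce + b"\r\n")
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)

def demo() -> tuple:
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))          # ephemeral "passive" port
    listener.listen(5)
    listener.settimeout(5.0)
    port = listener.getsockname()[1]
    nonce = secrets.token_hex(16).encode()   # per-transfer token from the control channel
    payload = b"constructed file contents\n"  # constructed sample data
    result = {}
    t = threading.Thread(target=lambda: result.update(
        refused=serve_passive_data(listener, nonce, payload)))
    t.start()
    stolen = fetch_passive(port, b"not-the-nonce")  # connects first, lacks the nonce
    data = fetch_passive(port, nonce)               # legitimate client
    t.join()
    listener.close()
    return stolen, data, result["refused"]
```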

