Re: [fw-wiz] OBSD reaction to CERT advisory

From: Daniel Hartmeier (daniel@benzedrine.cx)
Date: 10/09/02


From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Paul Robertson <proberts@patriot.net>
Date: Wed Oct  9 17:46:01 2002

On Wed, Oct 09, 2002 at 04:46:19PM -0400, Paul Robertson wrote:

> It's not a SACK problem, it's a TCP segment issue,

Yes, I didn't mean 'selective ACK' as in SACK. I don't know where I
picked up that term, I think it was the advisory itself. But in context
of the advisory description, it should be clear: the attacker sends an
ftp command that the server quotes in its reply. When the reply arrives,
the attacker doesn't ACK the full response, but only the first part of
it, up to the section where the desired quote starts. Hence, the
attacker selectively ACKs the reply. The intermediate packet filter sees
only the remaining quote at the beginning of a retransmitted packet, and
confuses it with a complete reply from the server. This triggers
creation of a new state entry (for what the packet filter thinks is a
data connection the ftp server expects), which the attacker uses to
connect to another service, which should not be allowed.

And, yes, based solely on code inspection, I'm very confident that
IPFilter is vulnerable to this attack. If anyone fancies a little
competition, set up an ftp server behind an IPFilter firewall. Allow me
to connect to the ftp server (using passive mode, so the in-kernel ftp
proxy allows incoming ftp data connections). Set up a fake target, like
an echo "secret" inetd.conf entry, and absolutely filter any access to
that port on the firewall. If I can connect to that port and get the
secret, I win. How much are you betting?

Of course, the ftp server runs on a stack that actually does partial
retransmissions. I don't think these are unrealistic boundary
conditions.

Daniel
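The segment-boundary confusion Daniel describes, simulated as an added example (this is not code from the thread, from OpenBSD pf or from IPFilter). It compares a helper that inspects every TCP segment on its own with one that tracks the server-to-client sequence space and parses replies only at real line boundaries. The reply text, sequence numbers and the 5-byte partial ACK are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Matches a passive-mode (227) reply at the *start* of the text it is given.
PASV_RE = re.compile(rb"227 [^\r\n]*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # server -> client data carried by this segment


def parse_pasv(text):
    """Return (host, port) if text begins with a 227 reply, else None."""
    m = PASV_RE.match(text)
    if not m:
        return None
    host = ".".join(m.group(i).decode() for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return host, port


class NaiveFtpHelper:
    """Inspects each segment's payload in isolation, the behaviour the thread
    attributes to a vulnerable proxy. A retransmission that begins in the
    middle of a reply line is indistinguishable from a fresh reply."""
    def __init__(self):
        self.states = []   # data connections the firewall would now permit

    def inspect(self, seg):
        hit = parse_pasv(seg.payload)
        if hit:
            self.states.append(hit)


class StreamFtpHelper:
    """Tracks the server -> client sequence space and parses replies only as
    complete lines of the reassembled stream. Bytes already consumed (a
    partial retransmission) are never re-parsed as the start of a line."""
    def __init__(self, isn):
        self.next_seq = isn   # next sequence number we expect to consume
        self.buf = b""        # bytes of the current, not yet terminated line
        self.states = []

    def inspect(self, seg):
        end = seg.seq + len(seg.payload)
        if end <= self.next_seq:
            return            # pure retransmission: nothing new, ignore it
        if seg.seq > self.next_seq:
            return            # hole ahead of us; a real helper would queue it
        self.buf += seg.payload[self.next_seq - seg.seq:]   # only new bytes
        self.next_seq = end
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            hit = parse_pasv(line)
            if hit:
                self.states.append(hit)


def run_scenario():
    """Replay the constructed exchange through both helpers."""
    isn = 1000
    # Constructed reply in which the server quotes client-supplied text; the
    # quoted part looks like a 227 reply but is not one.
    reply = b"500 '227 Entering Passive Mode (10,0,0,5,4,0)': command not understood\r\n"
    acked = 5   # client ACKs only "500 '" so the remainder is retransmitted
    first = Segment(isn, reply)
    retrans = Segment(isn + acked, reply[acked:])
    # A genuine passive-mode reply later in the same stream, for comparison.
    genuine = Segment(isn + len(reply),
                      b"227 Entering Passive Mode (10,0,0,5,4,1)\r\n")

    naive, stream = NaiveFtpHelper(), StreamFtpHelper(isn)
    for seg in (first, retrans, genuine):
        naive.inspect(seg)
        stream.inspect(seg)
    return {"naive": naive.states, "stream": stream.states}


if __name__ == "__main__":
    print(run_scenario())
```

The naive helper opens a hole to 10.0.0.5:1024 from the retransmitted fragment; the stream-aware helper discards that segment because its bytes were already consumed, and still admits the genuine 227 reply. The fix that matters is keeping per-connection sequence state for the reply direction and parsing only the reassembled byte stream, not individual segments.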
