Re: [fw-wiz] OBSD reaction to CERT advisory

From: Darren Reed (darrenr@reed.wattle.id.au)
Date: 10/10/02


From: Darren Reed <darrenr@reed.wattle.id.au>
To: Daniel Hartmeier <daniel@benzedrine.cx>
Date: Thu Oct 10 14:56:42 2002

In some email I received from Daniel Hartmeier, sie wrote:
> On Thu, Oct 10, 2002 at 11:45:48PM +1000, Darren Reed wrote:
>
> > That brings me to another point, that was sorely missed in all the
> > public material I've seen so far, except maybe by Sun (and in the
> > wrong way) and that is you need a very special ftp daemon (i.e. not
> > any of the vendor ones I have tried) before it will stand a chance
> > of defeating IPFilter.
>
> How about the NetBSD ftpd?
>
> $ telnet ftp.netbsd.org 21
> Trying 2001:4f8:4:b:2e0:81ff:fe21:6563...
> Connected to ftp.netbsd.org.
> Escape character is '^]'.
> 220 ftp.netbsd.org FTP server (NetBSD-ftpd 20020615) ready.
> HELP 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
> 502 Unknown command 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
>
> ip_fil3.4.29/ip_ftp_pxy.c ippr_ftp_pasv() accepts that, when I tickle
> the server to retransmit the "227 ..." part, no?

From a trace when I was doing testing:
...
Sep 2 01:35:38 openbsd /bsd: IN: 18 seq 44054f9b/0 ack a9/0 len 68
Sep 2 01:35:38 openbsd /bsd: sel 0 seqmin 0/0 offset 0/0
Sep 2 01:35:38 openbsd /bsd: sel 0 ackmin 0/0 offset 0/0
Sep 2 01:35:38 openbsd /bsd: rv 1 t:seq[0] a9 seq[1] a9 0/0
Sep 2 01:35:38 openbsd /bsd: ftps_seq[1] = 44054fdf inc 0 len 68
Sep 2 01:35:38 openbsd /bsd: appr_fixseqack: seq 44054f9b ack a9

Sep 2 01:35:38 openbsd /bsd: OUT: 10 seq a9/0 ack 44054f9f/0 len 0
Sep 2 01:35:38 openbsd /bsd: sel 0 seqmin 0/0 offset 0/0
Sep 2 01:35:38 openbsd /bsd: sel 0 ackmin 0/0 offset 0/0
Sep 2 01:35:38 openbsd /bsd: rv 0 t:seq[0] 44054f9b seq[1] 44054fdf 0/0
Sep 2 01:35:38 openbsd /bsd: not ok
Sep 2 01:35:38 openbsd /bsd: proxy says bad packet received

The FTP proxy in 3.4.29 does not support partial resending of segments
(or at least did not appear to in my testing :-). RTFS.

Darren
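
An added example (not part of the original message, and not IPFilter's code) of the difference under discussion: a per-segment test for "227 " beside one that tracks the server's sequence numbers and line boundaries, so a partially resent segment is refused. The struct, function names and verdict values are hypothetical; the sample reply and the resend offset are constructed from the strings in the thread, and the starting sequence number is the one in the trace.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum verdict { V_PASS, V_PASV, V_REJECT };
/* Hypothetical per-connection state: sequence number of the next new server
 * byte, and whether the last byte seen in the stream was '\n'. */
struct ctl_state { uint32_t next_seq; int at_line_start; };

/* Constructed sample: the 502 reply quoted in the thread (68 bytes). */
static const char REPLY[] =
    "502 Unknown command 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).\r\n";
enum { TAIL_OFF = 20 };     /* offset of the echoed "227 " inside REPLY */

static int starts_227(const char *p, size_t len)
{
    return len >= 4 && memcmp(p, "227 ", 4) == 0;
}

/* Per-segment check: any payload beginning with "227 " is taken as a reply. */
enum verdict naive_check(const char *p, size_t len)
{
    return starts_227(p, len) ? V_PASV : V_PASS;
}

/* Stream-aware check: refuse a segment that does not start at next_seq
 * (which covers a partial resend) and honour "227 " only at a line start. */
enum verdict strict_check(struct ctl_state *s, uint32_t seq,
                          const char *p, size_t len)
{
    enum verdict v;
    if (seq != s->next_seq)
        return V_REJECT;
    v = (s->at_line_start && starts_227(p, len)) ? V_PASV : V_PASS;
    if (len > 0) {
        s->at_line_start = (p[len - 1] == '\n');
        s->next_seq += (uint32_t)len;
    }
    return v;
}

int main(void)
{
    struct ctl_state s = { 0x44054f9bu, 1 };
    size_t n = sizeof(REPLY) - 1;
    strict_check(&s, s.next_seq, REPLY, n);     /* whole reply: V_PASS */
    return strict_check(&s, 0x44054f9bu + TAIL_OFF, REPLY + TAIL_OFF,
                        n - TAIL_OFF) != V_REJECT;  /* resent tail: exit 0 */
}
```

The strict variant fails closed: a genuine 227 that does not begin a segment is passed through without being treated as a PASV reply.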