[13938] in bugtraq
Re: FireWall-1 FTP Server Vulnerability
daemon@ATHENA.MIT.EDU (Dug Song)
Mon Feb 21 15:06:52 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSO.4.10.10002181711020.9857-100000@funky.monkey.org>
Date: Fri, 18 Feb 2000 23:27:26 -0500
Reply-To: Dug Song <dugsong@MONKEY.ORG>
From: Dug Song <dugsong@MONKEY.ORG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <38ACC97A.4BFCC6E4@enternet.se>

On Fri, 18 Feb 2000, Mikael Olsson wrote:

> The only solution that even begins to look "good" is to completely
> reassemble the TCP stream and not make "educated" guesses about what
> packet data belongs on what line and in which order and state of the
> FTP protocol.

inspecting TCP application data within individual IP packets is a basic
layer violation. network IDSs also suffer from this problem, only worse.
fragrouter demonstrates this nicely.

reassembling the TCP stream will only get you so far - your proxy still
needs to actually implement the application protocol correctly. i'm
releasing a 'fragproxy' tool soon to demonstrate this.

but for now, an ObLameExploit:

http://www.monkey.org/~dugsong/ftp-ozone.c.txt

-d.

---
http://www.monkey.org/~dugsong/
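The two points made in the thread (per-packet inspection is a layer violation; after reassembly the inspector still has to parse the application protocol) can be shown side by side. The following is an added example, not code from the post and not fragrouter or fragproxy: a toy in-order TCP reassembler and a minimal RFC 959 command-line parser, run over a constructed client-to-server FTP control stream whose segments arrive out of order, with the `PORT` verb split across two segments and one segment retransmitted. The stream contents, the cut offsets and the initial sequence number are all constructed.

```python
"""Why per-packet inspection of an FTP control channel is not enough.

Added example (not code from the post, fragrouter or fragproxy): a toy TCP
reassembler plus a minimal FTP command-line parser, run over a constructed
client->server stream whose segments arrive out of order, with one command
split across two segments and one segment retransmitted.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Segment:
    seq: int     # TCP sequence number of the first payload byte
    data: bytes  # segment payload


# Constructed sample traffic: the FTP control stream as the client sent it.
STREAM = b"USER anonymous\r\nPASS guest@\r\nPORT 10,0,0,5,4,1\r\nRETR file.txt\r\n"
ISN = 1000  # constructed initial sequence number


def split_stream(stream, cuts, isn=ISN):
    """Cut a byte string into Segments at the given offsets (constructed traffic)."""
    bounds = [0] + sorted(cuts) + [len(stream)]
    return [Segment(isn + a, stream[a:b]) for a, b in zip(bounds, bounds[1:]) if a < b]


# Offsets 29 and 31 split "PORT" into "PO" | "RT ..." across two segments.
SEGMENTS = split_stream(STREAM, [29, 31])
# Arrival order on the wire: last segment first, then a retransmit of the first.
ARRIVAL = [SEGMENTS[2], SEGMENTS[0], SEGMENTS[1], SEGMENTS[0]]

# RFC 959 command line: 3-4 letter verb, optional argument, CRLF terminator.
CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?\r\n")


def inspect_per_packet(segments):
    """Naive inspection: look for command lines inside each segment on its own."""
    verbs = []
    for seg in segments:
        for line in seg.data.split(b"\r\n")[:-1]:   # partial trailing line is ignored
            m = CMD_RE.match(line + b"\r\n")
            if m:
                verbs.append(m.group(1).upper().decode())
    return verbs


class Reassembler:
    """Minimal in-order TCP payload reassembly for one direction of a connection."""

    def __init__(self, isn):
        self.next_seq = isn   # next byte we expect from the sender
        self.pending = {}     # seq -> payload for segments that arrived early
        self.buf = b""        # contiguous, not-yet-consumed application data

    def feed(self, seg):
        if seg.seq < self.next_seq:
            # Overlaps data already delivered: drop the repeated prefix
            # (a pure retransmission is dropped entirely).
            skip = self.next_seq - seg.seq
            if skip >= len(seg.data):
                return
            seg = Segment(self.next_seq, seg.data[skip:])
        self.pending[seg.seq] = seg.data
        # Append every segment that is now contiguous with the expected sequence.
        while self.next_seq in self.pending:
            data = self.pending.pop(self.next_seq)
            self.buf += data
            self.next_seq += len(data)

    def lines(self):
        """Return the complete CRLF-terminated lines; a partial tail stays buffered."""
        out = []
        while (i := self.buf.find(b"\r\n")) >= 0:
            out.append(self.buf[:i + 2])
            self.buf = self.buf[i + 2:]
        return out


def parse_port_arg(arg):
    """Decode an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def inspect_reassembled(segments, isn=ISN):
    """Protocol-aware inspection: reassemble first, then parse whole command lines."""
    rsm = Reassembler(isn)
    for seg in segments:
        rsm.feed(seg)
    cmds = []
    for line in rsm.lines():
        m = CMD_RE.match(line)
        if m:
            cmds.append((m.group(1).upper().decode(), (m.group(2) or b"").decode()))
    return cmds


if __name__ == "__main__":
    print("per-packet view :", inspect_per_packet(ARRIVAL))
    print("reassembled view:", inspect_reassembled(ARRIVAL))
    for verb, arg in inspect_reassembled(ARRIVAL):
        if verb == "PORT":
            print("PORT requests a data connection to", parse_port_arg(arg))
```

The per-packet pass never sees `PORT` at all and reports `USER`/`PASS` twice because of the retransmission; the reassembled pass recovers the four commands in the order the client sent them and can then apply protocol-specific checks such as decoding the `PORT` address. The reassembler is deliberately minimal (no window handling, no policy for conflicting overlaps), which is exactly the part a real proxy has to get right.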