[5779] in bugtraq
Re: CERT Advisory CA-97.27 - FTP_bounce
daemon@ATHENA.MIT.EDU (Kev)
Fri Dec 12 12:49:59 1997
Date: Thu, 11 Dec 1997 15:34:08 EST
Reply-To: klmitch@MIT.EDU
From: Kev <klmitch@MIT.EDU>
To: BUGTRAQ@NETSPACE.ORG
> The problem is that this is all after authenticating the user, so
> anyone could have anyone's data, even if it needs one time passwords,
> and so on.
>
> The only hope to avoid this is just hoping that's too small a chance to
> get to the server before the attacker, since there is a time window,
> and the port number is also a secret. (Un)fortunately, there are only
> 65536 ports, and many servers schedule port numbers sequentially. Now,
> one only needs to be so lucky to race someone with a passive
> connection.
There's another way, set forth in RFC-2228. Versions of the client and
server for UNIX exist and are shipped with the Kerberos source tree.
Additionally, I am working on putting the appropriate support (for GSSAPI)
into wu-ftpd. Using these extensions, the data can be transferred encrypted;
the attack is then reduced to a denial of service attack, as the receiver
can't do anything with the data he obtained.
--
Kevin L. Mitchell klmitch@mit.edu
------------------------- -. .---- --.. ..- -..- -------------------------
MIT Kerberos Development Team Work: (617) 253-9483
http://web.mit.edu/klmitch/www/ PGP keys available upon request
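The race described in this thread leaves a trace a server operator can correlate: the host that connects to a PASV data port is not the host holding the control connection. The following added example (not code from the thread, from wu-ftpd or from the Kerberos FTP client) checks constructed session records for that mismatch and rates the impact the way Kev's reply does: a session that negotiated RFC 2228 PROT P loses only the transfer, a cleartext one leaks data. The record layout and field names are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ControlSession:
    session_id: str
    client_ip: str         # peer of the authenticated control connection
    pasv_port: int         # port the server announced in its 227 reply
    prot_level: str = "C"  # RFC 2228 PROT level: "C" clear (default), "P" private

@dataclass
class DataConnection:
    server_port: int
    src_ip: str

@dataclass
class Finding:
    session_id: str
    expected_ip: str
    actual_ip: str
    impact: str            # "data disclosure" or "denial of service"

def classify_impact(prot_level: str) -> str:
    # Under PROT P the payload is encrypted with the session key, so an
    # interloper who wins the race only deprives the real client of the file.
    return "denial of service" if prot_level == "P" else "data disclosure"

def detect_pasv_hijack(sessions: List[ControlSession],
                       data_conns: List[DataConnection]) -> List[Finding]:
    by_port: Dict[int, ControlSession] = {s.pasv_port: s for s in sessions}
    findings: List[Finding] = []
    for conn in data_conns:
        sess = by_port.get(conn.server_port)
        if sess is None:
            continue  # port was never announced; nothing to correlate
        if conn.src_ip != sess.client_ip:
            findings.append(Finding(sess.session_id, sess.client_ip,
                                    conn.src_ip, classify_impact(sess.prot_level)))
    return findings

# Constructed sample records (not real traffic).
SESSIONS = [
    ControlSession("s1", "192.0.2.10", 40001),       # cleartext data channel
    ControlSession("s2", "192.0.2.11", 40002, "P"),  # PROT P negotiated
    ControlSession("s3", "192.0.2.12", 40003),
]
DATA_CONNS = [
    DataConnection(40001, "198.51.100.7"),  # stranger reaches the port first
    DataConnection(40002, "198.51.100.7"),  # stranger again, channel protected
    DataConnection(40003, "192.0.2.12"),    # legitimate client
]

if __name__ == "__main__":
    for f in detect_pasv_hijack(SESSIONS, DATA_CONNS):
        print(f"{f.session_id}: data connection from {f.actual_ip}, "
              f"expected {f.expected_ip}; impact: {f.impact}")
```

Servers that enforce the same check at accept() time (refusing data connections whose peer differs from the control peer) close the race for the common case, though not for an attacker sharing the client's address.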