Multiple firewalls: FTP Application Level Gateway "PASV"

From: Mikael Olsson (mikael.olssonat_private)
Date: Thu Feb 10 2000 - 02:23:14 PST


    Multiple firewalls:
    FTP Application Level Gateway "PASV" Vulnerability
    
    Synopsis
    --------
      It is possible to cause certain firewalls to open up any
      TCP port of your choice against FTP servers that are
      "protected" by those firewalls. This is done by fooling
      the FTP server into echoing "227 PASV" commands out through
      the firewall.
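    As an added illustration of the defensive side (example code, not from the original post or from any of the firewalls named), a minimal model of how a hardened FTP ALG would vet 227 replies before opening a port: it reassembles the server-to-client stream into complete reply lines, accepts only a line that begins with 227 and answers a PASV the client actually sent, and requires the announced address to be the server's own and the port to be unprivileged. The server address and sample reply lines are constructed.

```python
import re
from ipaddress import ip_address

# A genuine 227 reply: code at the very start of the line, followed by the
# six-number address/port tuple. Text echoed back inside a 5xx error does
# not begin the line and therefore never matches.
PASV_RE = re.compile(
    r"^227 [^\r\n]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)\s*$"
)


class FtpControlTracker:
    """Tracks one FTP control connection the way a careful ALG should."""

    def __init__(self, server_ip):
        self.server_ip = ip_address(server_ip)   # constructed: the protected server
        self.buf = b""                           # partial reply line not yet terminated
        self.pasv_pending = False                # client has sent PASV, reply outstanding
        self.pinholes = []

    def client_sent(self, data):
        """Note whether the client actually asked for passive mode."""
        for line in data.split(b"\r\n"):
            if line.strip().upper() == b"PASV":
                self.pasv_pending = True

    def server_sent(self, segment):
        """Feed one TCP segment from the server; return pinholes it opened."""
        self.buf += segment
        opened = []
        while b"\n" in self.buf:                 # act only on complete lines
            line, self.buf = self.buf.split(b"\n", 1)
            hole = self._check_reply(line.decode("ascii", "replace"))
            if hole:
                opened.append(hole)
        return opened

    def _check_reply(self, line):
        m = PASV_RE.match(line)
        if not m or not self.pasv_pending:
            return None                          # not a 227 reply, or one nobody asked for
        self.pasv_pending = False                # one PASV, one reply
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            return None
        addr = ip_address(".".join(str(n) for n in nums[:4]))
        port = nums[4] * 256 + nums[5]
        if addr != self.server_ip or port < 1024:
            return None                          # refuse foreign addresses and privileged ports
        self.pinholes.append((str(addr), port))
        return (str(addr), port)
```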
    
    Known affected firewalls
    ------------------------
      Firewall-1 v3 allows full communication on the opened port
      Firewall-1 v4 allows only inbound communication on the opened port
    
      NOTE: THIS IS LIKELY A PROBLEM WITH MANY FIREWALLS, DO NOT
      TAKE FOR GRANTED THAT YOUR FIREWALL IS SAFE JUST BECAUSE IT IS
      NOT LISTED HERE
    
    Background
    ----------
    
      I've had this idea since late -98, but haven't gotten around to
      doing anything about it. Recently, I posted a "possible vulnerability"
      to vuln-devat_private, outlining my ideas. This resulted
      in multiple responses from different people saying that they had
      experienced attacks like this.
    
      It would seem that I should have gone public with my concerns
      a lot sooner, rather than having people frown upon them in private.
    
      For my original, somewhat unstructured, thought process, entitled
      "Breaking through FTP ALGs -- is it possible?", see:
    http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&msg=389FEB7B.AA290CC7at_private
    
    
      For an immediate confirmation regarding FW-1 v3 and v4 from
      John McDonald, jmat_private, and a real-life attack, entitled
      "FireWall-1 FTP Server Vulnerability", see:
    http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&msg=38A1B2D9.3B244FABat_private
    
      [Note: URLs are most likely wrapped]
    
      This attack is most likely to work against stateful inspection
      firewalls protecting servers.
    
      It might also be possible to cause "proxy" like firewalls to
      open arbitrary ports to protected servers.
    
      In the extreme case, albeit a tad unlikely, it may be possible
      to cause any type of firewall to open arbitrary ports against
      FTP clients.
    
    
    Take care, all
    
    --
    Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
    Phone: +46 (0)660 105 50           Fax: +46 (0)660 122 50
    Mobile: +46 (0)70 248 00 33
    WWW: http://www.enternet.se        E-mail: mikael.olssonat_private
    


