On Mon, Feb 14, 2000 at 07:32:54PM -0600, monti wrote:
[...snip...]
> I don't really think the issue is with 'how' the PASV response and packet
> appears on the wire, but with the Firewall's logic in creating a hole for
> PASV ftp data connections. I think the firewall should probably be a bit
> more strict about how it makes the decision to open the PASV hole and
> follow rules like the following:
>
> First watch for:
> client -> ftp-server "PASV"
>
> which triggers the firewall to look for this immediately afterwards:
> client <- ftp-server "227 Entering Passive Mode (xxx,xxx,xxx,xxx,prt,prt)"
>
> If any other statement is seen from client or server, before the presence
> of the 227 port declaration, the attempt is ignored.

This solution can't block the exploit. In the following case:

C -> S "STAT -1"
S -> C "."
S -> C ".."
C -> S "PASV"
S -> C "227 Entering..."

I know this is against the RFC, but the SPF firewalls can misinterpret the whole situation. The time frame of the successful attack is very small, but maybe you can try to close the send window of the server. Maybe it works, but this is just theory.

Zoltan BORBELY
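As an added example (not code from either poster), a Python model of the control-channel tracking monti proposes, replayed over the sequence Zoltan gives: a client PASV arms the tracker and only the very next server line may be the 227. It also adds two hardenings the thread does not discuss, RFC 959 multi-line reply framing and a check that the 227 names the server's own address on an unprivileged port; the server address and the replayed lines are constructed.

```python
import re

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

class FtpPasvTracker:
    """One FTP control channel; decides when a PASV data hole may be opened.
    Implements the thread's rule (PASV arms, the next server line must be the
    227, anything else disarms) plus two hardenings assumed here: RFC 959
    multi-line reply framing ("211-" ... "211 ") so listing lines inside a
    STAT reply are never read as reply codes, and the advertised address must
    be the server's own with an unprivileged port."""
    def __init__(self, server_ip):
        self.server_ip = server_ip
        self.armed = False          # True only right after the client's PASV
        self.in_multiline = None    # reply code whose continuation we are in
        self.holes = []             # (ip, port) pairs the firewall would open

    def client(self, line):
        self.armed = line.strip().upper() == "PASV"   # any other command disarms

    def server(self, line):
        line = line.rstrip("\r\n")
        if self.in_multiline:                       # inside "nnn-" ... "nnn "
            if line.startswith(self.in_multiline + " "):
                self.in_multiline = None
            return None
        if re.match(r"^\d{3}-", line):              # start of a multi-line reply
            self.in_multiline, self.armed = line[:3], False
            return None
        if not self.armed:
            return None
        self.armed = False                          # one chance: this line or nothing
        m = PASV_RE.match(line)
        if not m:
            return None
        ip = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        if ip != self.server_ip or port <= 1023:
            return None
        self.holes.append((ip, port))
        return (ip, port)

def replay(server_ip, events):
    """Feed ("C"|"S", line) pairs through a tracker; return holes it would open."""
    t = FtpPasvTracker(server_ip)
    for who, line in events:
        t.client(line) if who == "C" else t.server(line)
    return t.holes

# Constructed sample: the sequence from the reply, with a made-up server address.
ZOLTAN_SEQ = [("C", "STAT -1"), ("S", "."), ("S", ".."), ("C", "PASV"),
              ("S", "227 Entering Passive Mode (10,0,0,2,4,1)")]
```

Replaying the quoted sequence opens exactly one hole, for the genuine 227; replaying it with the listing lines delayed until after the PASV opens none, since the stray "." line disarms the tracker.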
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:13 PDT