SafeTP coughs up internal server IP addresses

From: Jonathan G. Lampe (jonathanat_private)
Date: Fri Sep 27 2002 - 15:32:30 PDT


    SafeTP is (was?) "a revolutionary new security application for Windows and 
    UNIX users who use FTP (File Transfer Protocol) to connect to their 
    accounts on UNIX or NT/2000 FTP servers."
    
    Basically, SafeTP tunnels FTP control and data channels over a secure 
    channel.  (Similar to SSH, but it is a different protocol!)  I'm not 
    sure if anyone still supports it, but I know a couple people out there 
    still run it.
    
    The basic problem is that any SafeTP client can get the SafeTP server to 
    cough up an internal IP address if passive mode transfers are required in a 
    NAT environment.  For example, check out the "227 Entering Passive Mode 
    (10,7,34,85,5,133)" entry in the log below.  (169.229.60.94 is the 
    public/external IP address - 10.7.34.85 is the internal IP address.)
    
    D:\OSOmissions\snort\rules>ftps safetp.nowhere.com
    220-SafeTP: Negotiating FTP connection...
    220-safetp.nowhere.com X2 WS_FTP Server 3.1.0 (1506847632)
    220-Changed to Protect the Innocent
    220-safetp.nowhere.com X2 WS_FTP Server 3.1.0 (1506847632)
    220-*** This server can accept secure (encrypted) connections. ***
    220-*** See http://safetp.cs.berkeley.edu for info. ***
    220 SafeTP: Control channel secure: X-SafeTP1. Data channel secure. PBSZ=32801b
    Connected to safetp.nowhere.com.
    User: SomeUser
    331 Password required
    Password: *********
    230-user logged in
    230-Hello Some User.  Welcome to the SafeTP File Transfer System!
    230 user logged in
    ftp> ls
    200 PORT command ok.
    Timed out waiting for connection from server.
    ftp> passive
    Passive mode  On .
    ftp> ls
    425 Failed to connect to 192.168.3.162, port 3303: connect: Connection timed out (code 10060)
    ftp> passive
    Draining: 510 Assertion failed: ftpd reply: 150 Opening ASCII data connection for directory listing
    Draining: 227 Entering Passive Mode (10,7,34,85,5,133).
    Passive mode  Off .
    ftp> put tendot.txt
    227 Entering passive mode (169,229,60,94,156,186).
    150 Opening ASCII data connection for tendot.txt
    226 transfer complete
    ftp: 1094 bytes sent in 0.98Seconds 1.09Kbytes/sec.
    ftp> quit
    221-Good-Bye
    221-Goodbye Some User.  Thank you for visiting the SafeTP File Transfer System!
    221 Good-Bye
    
    I'm not 100% sure of this, but SafeTP is probably interpreting FTP commands 
    as they go by (as do most NAT devices these days) and changing internal IPs 
    into external IPs.  (I think this occurs if you invoke the server daemon 
    with the "-i" flag?).  It looks like if you can stack the message queues 
    just right, you can get SafeTP to forget to do NAT.  Although this bug 
    appears to be mostly harmless, there may be applications for it more 
    devious minds can figure out...
    
    * * * Vendor Notification:
    
    I sent email messages to all the listed support contacts (Dan Bonachea - 
    Windows software -  bonacheaat_private and Scott McPeak - UNIX 
    software - smcpeakat_private), and asked another long-time user to do 
    the same.  Neither of us got any response after a few weeks.
    
    -jgl
    


