In some email I received from Mikael Olsson, sie wrote: [...] > Second, Art Manion at CERT just reminded me of a couple of posts > from '2000 where I was talking about the STAT command, which > made me come up with this server attack scenario: > > Cli: MKD 227 Entering Passive Mode (1,2,3,4,5,6) > Srv: 200 ok > Cli: STAT 227 Entering Passive Mode (1,2,3,4,5,6) > Srv: 213-STAT > -rw-rw-r-- 1 1019 109 1123322 Sep 5 18:09 227 Entering > Passive Mode (1,2,3,4,5,6) > 213 End. > Cli: (does funky ACKing) > Srv: 227 Entering Passive Mode (1,2,3,4,5,6) > 213 End. > > The "(1,2,3,4,5,6)" string is immediately followed by CRLF. > "213 End.\r\n" will normally follow in the same packet, but > this can be suppressed through adjusting the receive window > in said funky ACK, which would result in a plain > "227 Entering Passive Mode (1,2,3,4,5,6)\r\n" segment. > > Getting such a clean string would bypass any amount of > "string sanity" verification put in place. > > I'm also wondering if there's a way of changing the "ls" field > output in some way (for some ftp daemons?). If so, we might even be > able to get "\r\n227 ... (...)\r\n" in a _properly reassembled_ > stream. ..? If you had access to the filestream, locally, you could have a file named like this: foo\r\n213 End.\r\n227 Entering Passive Mode (1,2,3,4,5,6)\r\n This sort of thing may even trip up various application layer proxies, too. But if the attacker has got access to the local filesystem in order to create that, then there is little a firewall of any sort is going to be able to do to stop them. That aside, my view on this is "funky ACKing" may be within the bounds of legal TCP operation, but it's not what any "nornmal" FTP client is going to do so throw those packets away. Darren _______________________________________________ firewall-wizards mailing list firewall-wizardsat_private http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Thu Oct 10 2002 - 18:21:39 PDT