Home page logo
/

bugtraq logo Bugtraq mailing list archives

Multiple firewalls: FTP Application Level Gateway "PASV" Vulnerability
From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Thu, 10 Feb 2000 11:23:14 +0100


Multiple firewalls:
FTP Application Level Gateway "PASV" Vulnerability

Synopsis
--------
  It is possible to cause certain firewalls to open up any
  TCP port of your choice against FTP servers that are
  "protected" by those firewalls. This is done by fooling
  the FTP server into echoing "227 PASV" commands out through
  the firewall.

Known affected firewalls
------------------------
  Firewall-1 v3 allows full communication on the opened port
  Firewall-1 v4 allows only inbound communication on the opened port

  NOTE: THIS IS LIKELY A PROBLEM WITH MANY FIREWALLS, DO NOT
  TAKE FOR GRANTED THAT YOUR FIREWALL IS SAFE JUST BECAUSE IT IS
  NOT LISTED HERE

Background
----------

  I've had this idea since late -98, but haven't gotten around to
  doing anything about it. Recently, I posted a "possible vulnerability"
  to vuln-dev () securityfocus com, outlining my ideas. This resulted
  in multiple responses from different people saying that they had
  experienced attacks like this.

  It would seem that I should have gone public with my concerns
  a lot sooner, rather than having people frown upon them in private.

  For my original, somewhat unstructed, thought process, entitled
  "Breaking through FTP ALGs -- is it possible?", see:
389FEB7B.AA290CC7 () enternet 
se">http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&msg=389FEB7B.AA290CC7 () enternet se</A>

  For an immediate confirmation regarding FW-1 v3 and v4 from
  John McDonald, jm () dataprotect com, and a real-life attack, entitled
  "FireWall-1 FTP Server Vulnerability", see:
38A1B2D9.3B244FAB () dataprotect 
com">http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&msg=38A1B2D9.3B244FAB () dataprotect 
com</A>

  [Note: URLs are most likely wrapped]

  This attack is most likely to work against stateful inspection
  firewalls protecting servers.

  It might also be possible to cause "proxy" like firewalls to
  open arbitrary ports to protected servers.

  In the extreme case, albeit a tad unlikely, it may be possible
  to cause any type of firewall to open arbitrary ports against
  FTP clients.

Take care, all

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50           Fax: +46 (0)660 122 50
Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]