mailing list archives
Re: Extending the FTP "ALG" vulnerability to any FTP client
From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Sun, 12 Mar 2000 01:31:08 +0100
Mitchell Blank Jr wrote:
It would be nice if the browsers had a "disallow FTP to non-
standard ports" checkbox.
Yup. Same thing for HTTP actually, since content analyzing filters
and the like might only be analyzing port 80 and not port 8080
Actually, on some firewalls you might be able to skip
all the aaaaaaa's then, since PORT is now legitamately another
True. Anything that reassembles the command stream completely
would be fooled by just the %0a%0d combination; no need
to fool around with packet boundaries.
This WILL work in a browser
Then that browser has a bug that needs to be fixed.
You might want to check if the (unspecified) browser has
similar bugs in other protocols.
Sorry for not specifying what browser I'm using.
This was tested on Netscape v4.7.
Preliminary reports indicate that the %0d%0a variant
of this attack does not work on MSIE4/5 since it (correctly)
strips such characters for FTP.
<un-called-for ms bashing>
Sorry for not having tested the %0a%0d variant on other browsers;
I just refuse to install MSIE. The thought of suddenly having
desktop apps (word processor etc) that can't differentiate between
local files and web stuff isn't all too appealing to me.
</un-called-for ms bashing>
Note to everyone: This does not mean that you're automatically safe
if you're using MSIE. It depends on your firewall. I'd say that
chances are fairly high that your browser of choice won't really
make a difference in 95% of the cases; the firewall is the key.
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: mikael.olsson () enternet se