mailing list archives
Re: Extending the FTP "ALG" vulnerability to any FTP client
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 15 Mar 2000 11:31:35 +1100
In some mail from Mitchell Blank Jr, sie said:
Mikael Olsson wrote:
* Send an email to the address in question containing an img
src ftp://ftp.rooted.com:23456 and hope that the firewall
won't realise that port 23456 is FTP.
It would be nice if the browsers had a "disallow FTP to non-
standard ports" checkbox.
That would help against the above attack, but not if we
modify it a wee bit:
Actually, on some firewalls you might be able to skip
all the aaaaaaa's then, since PORT is now legitamately another
If ftp.rooted.com is an evil ftp server, your options are very limited.
You can dump all ports < 1024, but what about 2049/tcp and 6000/tcp ?
And what about others, such a oracle, etc ?
I don't need to use a bad hyperlink in HTML to do the above, I can
equally use Java.
In this case, it does not matter if an application proxy or packet
filter job. By the time the web browser sends "CWD /aaaaaaa", it
has done a login already so sending "PORT" next is as one would
expect from the ftp proxy.
The worst case scenario that I'm aware of, in so far as ftp clients
to proxy, is "links" which packs USER/PASS/CWD/PORT/GET all into
one long string to send to the ftp server.
In comparison, I don't see nearly as many problems with passive ftp.