Firewall Wizards mailing list archives

Re: FW-1 Pasv FTP


From: Mikael Olsson <mikael.olsson () enternet se>
Date: Sat, 12 Aug 2000 02:10:07 +0200



Stefan Norberg wrote:

> It has nothing to do with authentication in the Firewall.

Yup.

However, on another note. There's another twist regarding 
authentication and the FTP PASV vulnerabilities... 
(I'm talking FTP server authentication, not firewall authentication) 

Some people listed "do not allow anonymous FTP" as a possible 
work-around against the vulnerabilities.

This would indeed work against the attacks as published.
However, I recently realized that the above workaround buys
you next to nothing.

Watch this :)

telnet ftp.example.dom 21
220 ftp.example.dom FTP server (Version wu-2.6.1(3) Thu Aug 10 12:40:57 MET DST 2000) ready.
user ..........227 get ready for some lovin (10, 0, 0, 1, 0, 23)
331 Password required for ..........227 get ready for some lovin (10, 0, 0, 1, 0, 23).

Oops. This means that you could use the "331" password query to
exploit these vulnerabilities, if the firewall in question doesn't
correctly follow the ENTIRE logon procedure before parsing "227" 
responses. I wonder how many firewalls actually do that :)


$.02 -- I'll stop beating the dead horse now.

/Mike

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
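
Added example, not part of the original post and not code from any firewall product: a Python sketch of the control-channel tracking the message says a firewall needs before it acts on a "227" reply. The class FtpReplyTracker, its fields and the server address 192.0.2.10 are hypothetical; the USER/331 lines fed to it are the ones quoted in the message.

```python
import re

# Strict RFC 959 PASV reply: "227" starts the line, then (h1,h2,h3,h4,p1,p2).
PASV_RE = re.compile(rb"^227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")


class FtpReplyTracker:
    """Hypothetical per-session tracker for the FTP control channel."""

    def __init__(self, server_ip):
        self.server_ip = server_ip
        self.logged_in = False      # set only by a real 230 reply
        self.pasv_pending = False   # set only by a real client PASV
        self.multi = None           # code of an open multi-line reply
        self.buf = b""
        self.allowed = []           # (ip, port) pinholes granted

    def client_line(self, line):
        self.pasv_pending = line.strip().upper() == b"PASV"

    def server_bytes(self, data):
        # Parse complete CRLF-terminated lines only, however the bytes arrive.
        self.buf += data
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            self._reply(line)

    def _reply(self, line):
        if self.multi:                          # body of a multi-line reply
            if not line.startswith(self.multi + b" "):
                return
            self.multi = None                   # final line, parse it below
        elif re.match(rb"\d{3}-", line):
            self.multi = line[:3]
            return
        if line.startswith(b"230 "):
            self.logged_in = True
        m = PASV_RE.match(line)
        if not (m and self.logged_in and self.pasv_pending):
            return
        self.pasv_pending = False
        nums = [int(n) for n in m.group(1).split(b",")]
        ip, port = ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
        if max(nums) <= 255 and ip == self.server_ip:
            self.allowed.append((ip, port))     # never a third host


if __name__ == "__main__":
    fw = FtpReplyTracker("192.0.2.10")          # constructed server address
    fw.client_line(b"user ..........227 get ready for some lovin (10, 0, 0, 1, 0, 23)\r\n")
    fw.server_bytes(b"331 Password required for ..........227 get ready for some lovin (10, 0, 0, 1, 0, 23).\r\n")
    print(fw.allowed)                           # stays empty
```

The echoed "227" text is ignored three times over: it is not at the start of a reply line, no 230 has been seen, and the client never sent PASV.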
