Date: Thu, 10 Feb 2000 11:23:14 +0100
From: Mikael Olsson <mikael.olsson@ENTERNET.SE.>
To: [email protected]
Subject: Multiple firewalls: FTP Application Level Gateway "PASV" Vulnerability

Multiple firewalls:
FTP Application Level Gateway "PASV" Vulnerability

Synopsis
It is possible to cause certain firewalls to open up any
TCP port of your choice against FTP servers that are
"protected" by those firewalls. This is done by fooling
the FTP server into echoing "227 PASV" commands out through
the firewall.

Known affected firewalls
Firewall-1 v3 allows full communication on the opened port
Firewall-1 v4 allows only inbound communication on the opened port
NOTE: THIS IS LIKELY A PROBLEM WITH MANY FIREWALLS, DO NOT
TAKE FOR GRANTED THAT YOUR FIREWALL IS SAFE JUST BECAUSE IT IS
NOT LISTED HERE

Background
I've had this idea since late -98, but haven't gotten around to
doing anything about it. Recently, I posted a "possible vulnerability"
to [email protected], outlining my ideas. This resulted
in multiple responses from different people saying that they had
experienced attacks like this.
It would seem that I should have gone public with my concerns
a lot sooner, rather than having people frown upon them in private.
For my original, somewhat unstructured, thought process, entitled
"Breaking through FTP ALGs -- is it possible?", see:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&msg=389FEB7B.AA290CC7@enternet.se
For an immediate confirmation regarding FW-1 v3 and v4 from
John McDonald, [email protected], and a real-life attack, entitled
"FireWall-1 FTP Server Vulnerability", see:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&msg=38A1B2D9.3B244FAB@dataprotect.com
[Note: URLs are most likely wrapped]
This attack is most likely to work against stateful inspection
firewalls protecting servers.
It might also be possible to cause "proxy" like firewalls to
open arbitrary ports to protected servers.
In the extreme case, albeit a tad unlikely, it may be possible
to cause any type of firewall to open arbitrary ports against
FTP clients.
Take care, all
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50 Fax: +46 (0)660 122 50
Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se E-mail: [email protected]
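
A gateway-side check against the echoed "227" text described in the synopsis, as an added example that is not part of the original advisory or any vendor's code: the tracker reassembles server bytes into complete reply lines and honors a passive reply only when it starts a line, answers a pending client PASV, and names the server's own address. The class, function and constant names, the buffer cap, the privileged-port rule and the sample replies are assumptions made for illustration.

```python
import re

# RFC 959 passive reply, accepted only at the start of a complete reply line.
PASV_RE = re.compile(rb"227 [^()]*\((\d{1,3}(?:,\d{1,3}){5})\)")
FINAL_RE = re.compile(rb"\d{3} ")  # "NNN " marks the last line of a reply
MAX_BUF = 4096                     # assumed cap on unterminated reply bytes

class FtpControlTracker:
    """State a firewall keeps for one FTP control connection (hypothetical class)."""
    def __init__(self, server_ip):
        self.server_ip = server_ip
        self.pasv_pending = False  # True only while a client PASV awaits its reply
        self.buf = b""             # server bytes not yet terminated by CRLF
        self.poisoned = False      # line framing lost: never open anything again
        self.opened = []           # (ip, port) pinholes the gateway would open

    def client_segment(self, data):
        # Simplification: each client command arrives whole in one segment.
        self.pasv_pending = data.strip().upper() == b"PASV"

    def server_segment(self, data):
        if self.poisoned or len(self.buf) + len(data) > MAX_BUF:
            self.poisoned = True
            return
        self.buf += data
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            self._reply_line(line)

    def _reply_line(self, line):
        m = PASV_RE.match(line)
        if m and self.pasv_pending:
            *ip, p1, p2 = (int(n) for n in m.group(1).split(b","))
            addr, port = ".".join(map(str, ip)), p1 * 256 + p2
            # Policy assumption: open only toward the server, never a privileged port.
            if max(*ip, p1, p2) <= 255 and addr == self.server_ip and port >= 1024:
                self.opened.append((addr, port))
        if FINAL_RE.match(line):
            self.pasv_pending = False

def replay(server_ip, events):
    """events: ('c'|'s', bytes) segments in arrival order; returns pinholes opened."""
    tracker = FtpControlTracker(server_ip)
    for side, data in events:
        (tracker.client_segment if side == "c" else tracker.server_segment)(data)
    return tracker.opened

# Constructed samples: a genuine reply, and an error reply that only echoes one.
LEGIT = b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
ECHOED = b"500 '227 Entering Passive Mode (192,0,2,10,31,144)': not understood\r\n"
```

Because replies are framed on CRLF rather than on segment boundaries, the result is the same however the server's bytes are split across TCP segments.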