Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Vuln-Dev> 1999-q4

Exploit-Dev Archives: Re: FreeBSD listen()

Re: FreeBSD listen()

3APA3A (3APA3ASECURITY.NNOV.RU)
Fri, 29 Oct 1999 12:45:27 +0400

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Next message: 3APA3A: "Re: FreeBSD listen()"
Previous message: Warren Young: "Re: FreeBSD listen()"
In reply to: 3APA3A: "FreeBSD listen()"
Next in thread: Matthew S. Hallacy: "Re: FreeBSD listen()"
Next in thread: David Schwartz: "Re: FreeBSD listen()"

Hello CyberPsychotic,

28.10.1999 2:12, you wrote: FreeBSD listen();

C> ~ :This fact causes problems. Some application (for example ftp server in
C> ~ :passive mode or ftp client in active mode) use
C> ~ :listen(data, 1);
C> ~ :accept(data,...);
C> ~ :close(data);
C> ~ :to limit the number of incoming data connections to exactly one. If
C> ~ :second connection is not rejected it makes possible attack to inject
C> ~ :or intercept data between server and client as described in NAI
C> ~ :bulletin

C> That is a ftp daemon/client(depending whether it's an active or passive
C> mode), which should take care of accepting only single connection and only
C> from proper source (which is surprisely being ignored by some daemons,

Sorry, but it seems you didn't catched the problem. May be my English
is too poor. The problem is that neither client no server has no way
to control number of connections, the only way they had is
C> ~ :listen(data, 1);
C> ~ :accept(data,...);
C> ~ :close(data);

Controlling IP address isn't right since it may cause the problem with
multihomed hosts.

C> such as ncftpd f.e.). However even ncftpd closes all the incoming
C> connections to the port once the first one has been accepted. Same goes

the problem is that between listen() and accept() accepting side
should inform other side which port to use. It takes some time
allowing attack. All ftp clients/ftp servers (i guess) close incoming
port after accept(). But connection is established prior to accept,
accept just allocates socket for connection that is already
established and removes connection from "pending queue".

C> with my ftp client. (shipped r.h. 6.0). So I don't think there're any
C> security issues except syn-flooding, are involved here.

Just try an exploit. Against 2.2.x it works perfectly. Run it against
any 2.2.x FTP server and try to connect it in passive mode.

3APA3A

Next message: 3APA3A: "Re: FreeBSD listen()"
Previous message: Warren Young: "Re: FreeBSD listen()"
In reply to: 3APA3A: "FreeBSD listen()"
Next in thread: Matthew S. Hallacy: "Re: FreeBSD listen()"
Next in thread: David Schwartz: "Re: FreeBSD listen()"

This archive was generated by hypermail 2.0b3 on Sat Oct 30 1999 - 16:21:43 CDT