>If Victim is inside the firewall, all Attacker needs to do is coerce
>Victim to initiate an outgoing connection to port 21 which then opens
>up the firewall. If Victim has an anonymous FTP server running, and the
>firewall allows a connection, this is just too easy:

Wait a moment. First, if I allow outward connections only, (b) goes away.
Second, if Joe connects to evil.nasty and I have an intelligent machine,
then it will allow evil.nasty to make a back connection only to Joe and
only to a port greater than 1023. I can even eliminate that by requiring
only PASV connections (how I wound up connecting to Marcus' machine).
- If only PASV (passive) connections are allowed, the question will
never come up. Why invent something when we already have a fix?
I agree there is a possible vulnerability with std FTP (if Joe is allowing
services on ports above 1023, he may be in violation of policy & I will
probably notice it in one of my sweeps) but consider it minimal. It is even
more minimal if the Firewall enforces an "approved FTP site" list.
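The rule the reply describes (a back connection is permitted only to the client that sent PORT, only to a port above 1023, or refused altogether when the firewall enforces PASV-only) can be checked by inspecting the FTP control channel. The following is an added example written for this thread, not code from any poster or from a particular firewall product. The addresses, the sample session and the `pasv_only` policy flag are constructed assumptions; the PORT and 227 reply formats are those of the FTP protocol itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed control-channel transcript. "Joe" (the inside client) is assumed
# to be 10.0.0.5 and the outside FTP server 192.0.2.10; both are placeholders.
CLIENT_IP = "10.0.0.5"
SERVER_IP = "192.0.2.10"
SAMPLE_SESSION = [
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PASS joe@example.net"),
    ("server", "230 Login successful."),
    ("client", "PORT 10,0,0,5,4,1"),      # active: server would connect back to 10.0.0.5:1025
    ("server", "200 PORT command successful."),
    ("client", "PORT 10,0,0,5,0,25"),     # active: back connection to a privileged port (25)
    ("client", "PORT 10,0,0,9,4,1"),      # active: back connection to a host that is not the client
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (192,0,2,10,200,5)"),  # client connects out to 192.0.2.10:51205
    ("server", "227 Entering Passive Mode (10,0,0,9,4,1)"),      # 227 reply naming an inside host
]


@dataclass
class DataChannel:
    mode: str   # "active" (client sent PORT) or "passive" (server answered 227)
    host: str
    port: int


# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s.*?\(" + _HOSTPORT + r"\)")


def _decode(m: "re.Match") -> Tuple[str, int]:
    """Turn the six comma-separated fields into a dotted address and a port."""
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def parse_control_line(direction: str, line: str) -> Optional[DataChannel]:
    """Return the data-channel endpoint a control line announces, if any."""
    if direction == "client":
        m = PORT_RE.match(line)
        return DataChannel("active", *_decode(m)) if m else None
    m = PASV_RE.match(line)
    return DataChannel("passive", *_decode(m)) if m else None


def decide(chan: DataChannel, client_ip: str, server_ip: str,
           pasv_only: bool = False) -> Tuple[bool, str]:
    """Apply the reply's policy: PASV goes out to the server only; PORT back
    connections go only to the client and only to ports above 1023."""
    if chan.mode == "passive":
        if chan.host != server_ip:
            return False, "227 reply advertises an address other than the server"
        return True, f"outbound data connection to {chan.host}:{chan.port}"
    if pasv_only:
        return False, "policy allows PASV only; PORT back connection refused"
    if chan.host != client_ip:
        return False, "PORT names a host other than the client"
    if chan.port <= 1023:
        return False, f"PORT names privileged port {chan.port}"
    return True, f"inbound back connection to {chan.host}:{chan.port} permitted"


def inspect_session(session, client_ip: str, server_ip: str,
                    pasv_only: bool = False) -> List[Tuple[str, bool, str]]:
    """Walk a control-channel transcript and decide each announced data channel."""
    results = []
    for direction, line in session:
        chan = parse_control_line(direction, line)
        if chan is None:
            continue
        ok, why = decide(chan, client_ip, server_ip, pasv_only)
        results.append((line, ok, why))
    return results


if __name__ == "__main__":
    for policy in (False, True):
        print(f"--- pasv_only={policy}")
        for line, ok, why in inspect_session(SAMPLE_SESSION, CLIENT_IP, SERVER_IP, policy):
            print(f"{'ALLOW' if ok else 'DENY ':5} {line!r}: {why}")
```

With the default policy the first PORT (to 10.0.0.5:1025) is the only back connection permitted; with `pasv_only=True` every PORT is refused and only the 227 reply that actually names the server passes, which is the "question never comes up" case in the reply.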