From: 3APA3A [3APA3A@SECURITY.NNOV.RU]
Sent: Friday, October 15, 1999 7:04 AM
To: VULN-DEV@SECURITYFOCUS.COM
Subject: Free BSD 2.2.x listen() problem / FTP exploit

Hello VULN-DEV@SECURITYFOCUS.COM,

  Just to break a long silence....

  Here is exploit. It works as described in NAI 1996 bulletin
  http://www.nai.com/nai_labs/asp_set/advisory/ftp-paper.asp
  Sorry, if this one isn't new - just treat it as a reminder.

  but.... there are two things i'm disagree with NAI.
  1. ftp console client under FreeBSD 2.2.x does vulnerable
  2.  Inspite  I  don't  treat  FTP  as  secured  protocol  IMHO  it's
  OS/software weakness, not FTP protocol weakness.

  I'm less then year on Bugtraq and other security-related lists, so I
  don't  know  if  this  problem  was  already discussed. I don't have
  neither time no desire to dig it in archives. But the reason exploit
  works  against FreeBSD seems to be incorrect listen() implementation
  together with ftp software weakness. If this problem (with listen())
  is new, please let me know and i'll report it.

  Works  (confirmed) against next software under FreeBSD 2.2.1-2.2.5 (
  i will be wondered if it works on some other OSes, cause the problem
  is specific):

  1.  Ftp  servers (standard FTPD and WU-FTPD - seems it's not depends
  on  version)  then  clients  connect  in  passive  mode. Data can be
  intersected then transmitted from server to client.
  2.  Standard  console  ftp  client.  Data  can  be injected (exploit
  requires  ftp  server  running  on  client  machine - FTP is used to
  predict port number).

  I  didn't  tested  injecting  data  in FTP server in active mode and
  intersecting data from client in passive mode.

  How it works:
  1.  Connects  to  ftp  server  on  victim  and
  2. uses PASV command to allocate PORT on remote machine. Then
  3. attacks few sequenced ports with connect().
  4. If connect() succeeds waits dome time for data to be received. If
  there is no data in timeout - send()s data to victim.

  Exploit  isn't  perfect. May be the better way is to use RAW-sockets
  and send SYN packets, but:
  1.  (disclaimer)  This  exploit just shows the vulnerability is. You
  must not use it for purpose other then testing your software.
  2. Compatibility.




         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   }
+-------------o66o--+ /
                    |/
http://www.security.nnov.ru