Multiple firewalls: FTP Application Level Gateway "PASV" Vulnerability

Synopsis
--------

It is possible to cause certain firewalls to open up any TCP port of your choice against FTP servers that are "protected" by those firewalls. This is done by fooling the FTP server into echoing "227 PASV" commands out through the firewall.

Known affected firewalls
------------------------

Firewall-1 v3 allows full communication on the opened port
Firewall-1 v4 allows only inbound communication on the opened port

NOTE: THIS IS LIKELY A PROBLEM WITH MANY FIREWALLS. DO NOT TAKE FOR GRANTED THAT YOUR FIREWALL IS SAFE JUST BECAUSE IT IS NOT LISTED HERE.

Background
----------

I've had this idea since late '98, but haven't gotten around to doing anything about it. Recently, I posted a "possible vulnerability" to vuln-dev@securityfocus.com, outlining my ideas. This resulted in multiple responses from different people saying that they had experienced attacks like this. It would seem that I should have gone public with my concerns a lot sooner, rather than having people frown upon them in private.

For my original, somewhat unstructured, thought process, entitled "Breaking through FTP ALGs -- is it possible?", see:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&msg=389FEB7B.AA290CC7@enternet.se

For an immediate confirmation regarding FW-1 v3 and v4 from John McDonald, jm@dataprotect.com, and a real-life attack, entitled "FireWall-1 FTP Server Vulnerability", see:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&msg=38A1B2D9.3B244FAB@dataprotect.com

[Note: URLs are most likely wrapped]

This attack is most likely to work against stateful inspection firewalls protecting servers. It might also be possible to cause "proxy"-like firewalls to open arbitrary ports to protected servers. In the extreme case, albeit a tad unlikely, it may be possible to cause any type of firewall to open arbitrary ports against FTP clients.
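The synopsis turns on how an FTP ALG recognises a 227 reply in the server-to-client stream. As an added example (not code from this advisory or from any firewall vendor), the naive substring match below sits beside a stricter one that only honours a complete reply line beginning with code 227, answering an outstanding PASV, and naming the server's own address and an unprivileged port; the server address and the sample replies are constructed.

```python
import re

# Added example, not code from the advisory or from any firewall vendor.
# Assumes the ALG knows the protected FTP server's IPv4 address and tracks
# whether the client has an unanswered PASV command on the control channel.

# h1,h2,h3,h4,p1,p2 tuple from a 227 reply (RFC 959); port = p1*256 + p2.
PASV_TUPLE = re.compile(rb"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def naive_pasv_port(reply: bytes):
    """Vulnerable matching: '227' anywhere in server->client data, followed by
    a tuple, opens that port.  Text the server merely echoes is enough."""
    idx = reply.find(b"227")
    m = PASV_TUPLE.search(reply, idx) if idx >= 0 else None
    if not m:
        return None
    f = [int(x) for x in m.groups()]
    return f[4] * 256 + f[5]

def strict_pasv_port(reply: bytes, server_ip: str, pasv_pending: bool):
    """Hardened matching: (port, None) if the firewall may open the port,
    else (None, reason)."""
    if not pasv_pending:
        return None, "client has no outstanding PASV"
    # A reply is one complete CRLF-terminated line whose first three bytes are
    # the reply code; a 227 buried inside another reply's text does not count.
    if not reply.endswith(b"\r\n") or reply.count(b"\r\n") != 1:
        return None, "not exactly one complete reply line"
    if reply[:4] != b"227 ":
        return None, "line does not begin with reply code 227"
    m = PASV_TUPLE.search(reply)
    if not m:
        return None, "no host/port tuple"
    f = [int(x) for x in m.groups()]
    if max(f) > 255:
        return None, "tuple field exceeds 255"
    host = ".".join(str(x) for x in f[:4])
    if host != server_ip:
        return None, "address %s is not the FTP server %s" % (host, server_ip)
    port = f[4] * 256 + f[5]
    if port <= 1023:
        return None, "port %d is a privileged service port" % port
    return port, None

# Constructed sample replies (not captured traffic); the server is 192.0.2.10.
GENUINE = b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"    # port 50000
ECHOED = b"550 No such file: 227 (192,0,2,10,0,22)\r\n"          # echoed client text
REDIRECT = b"227 Entering Passive Mode (192,0,2,11,195,80)\r\n"  # another protected host
```

The naive matcher opens port 22 for ECHOED and 50000 on the neighbouring host for REDIRECT; the strict one rejects both and accepts only GENUINE.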
Take care, all

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50   Fax: +46 (0)660 122 50   Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se   E-mail: mikael.olsson@enternet.se