Re: CERT Advisory CA-97.27 - FTP_bounce

Kev (klmitch@MIT.EDU)
Thu, 11 Dec 1997 15:34:08 -0500 (EST)

> The problem is that this is all after authenticating the user, so
> anyone could have anyone's data, even if it needs one time passwords,
> and so on.
>
> The only hope to avoid this is just hoping that's a too small chance to
> get to the server before the attacker, since there is a time window,
> and the port number is also a secret. (Un)fortunately, there are only
> 65536 ports, and many servers schedule port numbers sequentially. Now,
> one only needs to be so lucky to race someone with a passive
> connection.

There's another way, set forth in RFC-2228. Versions of the client and
server for UNIX exist and are shipped with the Kerberos source tree.
Additionally, I am working on putting the appropriate support (for GSSAPI)
into wu-ftpd. Using these extensions, the data can be transferred encrypted;
the attack is then reduced to a denial of service attack, as the receiver
can't do anything with the data he obtained.

--
Kevin L. Mitchell                                            klmitch@mit.edu
-------------------------  -. .---- --.. ..- -..-  -------------------------
MIT Kerberos Development Team                           Work: (617) 253-9483
http://web.mit.edu/klmitch/www/              PGP keys available upon request
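As an added illustration (not part of the message above, and not code from the Kerberos or wu-ftpd projects), the following Python audit parses the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` replies a server returns and measures how predictable its passive-port allocation is, which is the property the quoted text points to ("many servers schedule port numbers sequentially"). The sample replies are constructed; the function names, the 0.8 threshold and the sequential-step heuristic are this example's own choices.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample replies, as a server that hands out passive ports
# sequentially might return them over four successive data connections.
SAMPLE_PASV_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "227 Entering Passive Mode (192,0,2,10,195,81)",
    "227 Entering Passive Mode (192,0,2,10,195,82)",
    "227 Entering Passive Mode (192,0,2,10,195,83)",
]

# Constructed replies from a server whose allocation is not sequential.
SAMPLE_RANDOM_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "227 Entering Passive Mode (192,0,2,10,239,50)",
    "227 Entering Passive Mode (192,0,2,10,212,49)",
    "227 Entering Passive Mode (192,0,2,10,195,81)",
]

# RFC 959 PASV reply: six decimal octets, the last two encode the port.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a 227 reply, or None if it is malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def sequential_fraction(ports: List[int]) -> float:
    """Fraction of consecutive allocations that differ by exactly +1."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def audit_pasv_replies(replies: List[str], threshold: float = 0.8) -> dict:
    """Summarise how guessable a server's passive ports look from its replies.

    A high sequential fraction means a third party who sees one data port
    can predict the next one; RFC 2228 data-channel protection (PROT P)
    removes the value of winning that race, as the reply above notes.
    """
    parsed = [p for p in (parse_pasv(r) for r in replies) if p is not None]
    ports = [port for _, port in parsed]
    frac = sequential_fraction(ports)
    return {
        "ports": ports,
        "sequential_fraction": frac,
        "sequential": frac >= threshold,
    }


if __name__ == "__main__":
    for label, sample in (("sequential", SAMPLE_PASV_REPLIES),
                          ("random", SAMPLE_RANDOM_REPLIES)):
        print(label, audit_pasv_replies(sample))
```

Feed it the 227 replies collected from a test session against your own server (a few dozen is enough to be meaningful); a verdict of `sequential: True` is the condition under which the quoted race is cheap, and the mitigation the reply describes is to require protected data channels rather than to rely on the port being a secret.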