Re: CERT Advisory CA-97.27 - FTP_bounce

Kev (klmitch@MIT.EDU)
Thu, 11 Dec 1997 15:34:08 -0500 (EST)

> The problem is that this is all after authenticating the user, so
> anyone could have anyones data, even if it needs one time passwords,
> and so on.
> The only hope to avoid this is just hoping that's a too small chance to
> get to the server before the attacker, since there is a time window,
> and the port number is also a secret. (Un)fortunately, there are only
> 65536 ports, and many servers schedule port numbers sequentially. Now,
> one only needs to be so lucky to race someone with a passive
> connection.

There's another way, set forth in RFC-2228. Versions of the client and
server for UNIX exist and are shipped with the Kerberos source tree.
Additionally, I am working on putting the appropriate support (for GSSAPI)
into wu-ftpd. Using these extensions, the data can be transfered encrypted;
the attack is then reduced to a denial of service attack, as the receiver
can't do anything with the data he obtained.

Kevin L. Mitchell                                  
-------------------------  -. .---- --.. ..- -..-  -------------------------
MIT Kerberos Development Team                           Work: (617) 253-9483              PGP keys available upon request