List: bugtraq
Subject: SafeTP coughs up internal server IP addresses
From: "Jonathan G. Lampe" <jonathan () stdnet ! com>
Date: 2002-09-27 22:32:30
SafeTP is (was?) "a revolutionary new security application for Windows and
UNIX users who use FTP (File Transfer Protocol) to connect to their
accounts on UNIX or NT/2000 FTP servers."

Basically, SafeTP tunnels FTP control and data channels over a secure
channel. (Similar to SSH, but it is a different protocol!) I'm not
sure if anyone still supports it, but I know a couple people out there
still run it.

The basic problem is that any SafeTP client can get the SafeTP server to
cough up an internal IP address if passive mode transfers are required in a
NAT environment. For example, check out the "227 Entering Passive Mode
(10,7,34,85,5,133)" entry in the log below. (169.229.60.94 is the
public/external IP address - 10.7.34.85 is the internal IP address.)
D:\OSOmissions\snort\rules>ftps safetp.nowhere.com
220-SafeTP: Negotiating FTP connection...
220-safetp.nowhere.com X2 WS_FTP Server 3.1.0 (1506847632)
220-Changed to Protect the Innocent
220-safetp.nowhere.com X2 WS_FTP Server 3.1.0 (1506847632)
220-*** This server can accept secure (encrypted) connections. ***
220-*** See http://safetp.cs.berkeley.edu for info. ***
220 SafeTP: Control channel secure: X-SafeTP1. Data channel secure. PBSZ=32801b
Connected to safetp.nowhere.com.
User: SomeUser
331 Password required
Password: *********
230-user logged in
230-Hello Some User. Welcome to the SafeTP File Transfer
System!
230 user logged in
ftp> ls
200 PORT command ok.
Timed out waiting for connection from server.
ftp> passive
Passive mode On .
ftp> ls
425 Failed to connect to 192.168.3.162, port 3303: connect: Connection
timed out
(code 10060)
ftp> passive
Draining: 510 Assertion failed: ftpd reply: 150 Opening ASCII data
connection fo
r directory listing
Draining: 227 Entering Passive Mode (10,7,34,85,5,133).
Passive mode Off .
ftp> put tendot.txt
227 Entering passive mode (169,229,60,94,156,186).
150 Opening ASCII data connection for tendot.txt
226 transfer complete
ftp: 1094 bytes sent in 0.98Seconds 1.09Kbytes/sec.
ftp> quit
221-Good-Bye
221-Goodbye Some User. Thank you for visiting the SafeTP
File Transfer System!
221 Good-Bye

I'm not 100% sure of this, but SafeTP is probably interpreting FTP commands
as they go by (as do most NAT devices these days) and changing internal IPs
into external IPs. (I think this occurs if you invoke the server daemon
with the "-i" flag?). It looks like if you can stack the message queues
just right, you can get SafeTP to forget to do NAT. Although this bug
appears to be mostly harmless, there may be applications for it more
devious minds can figure out...

* * * Vendor Notification:
I sent email messages to all the listed support contacts (Dan Bonachea -
Windows software - bonachea@cs.berkeley.edu and Scott McPeak - UNIX
software - smcpeak@cs.berkeley.edu), and asked another long-time user to do
the same. Neither of us got any response after a few weeks.
-jgl
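
A defender-side check for the leak described above, as an added example that is not part of the original post: it parses 227 replies out of a captured client session and reports any advertised address that differs from the server's public address. The function names and the sample lines (constructed from the transcript in the post) are assumptions.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 tuple of an FTP 227 (Entering Passive Mode) reply, RFC 959.
PASV_RE = re.compile(r"\b227 [^()\r\n]*\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")

# Constructed sample: lines modelled on the session transcript in the post.
SAMPLE_LOG = [
    "ftp> passive",
    "Draining: 510 Assertion failed: ftpd reply: 150 Opening ASCII data connection",
    "Draining: 227 Entering Passive Mode (10,7,34,85,5,133).",
    "ftp> put tendot.txt",
    "227 Entering passive mode (169,229,60,94,156,186).",
]

def parse_pasv(line):
    """Return (host, port) advertised by a 227 reply, or None if the line has none."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet, not a usable reply
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def find_leaks(lines, public_ip):
    """List (line_no, host, port, is_private) for 227 replies not advertising public_ip."""
    public = ipaddress.IPv4Address(public_ip)
    leaks = []
    for line_no, line in enumerate(lines, 1):
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        host, port = parsed
        addr = ipaddress.IPv4Address(host)
        if addr != public:
            # is_private covers RFC 1918 ranges such as 10.0.0.0/8
            leaks.append((line_no, host, port, addr.is_private))
    return leaks

if __name__ == "__main__":
    for line_no, host, port, private in find_leaks(SAMPLE_LOG, "169.229.60.94"):
        kind = "internal" if private else "unexpected"
        print(f"line {line_no}: 227 reply advertises {kind} address {host}:{port}")
```
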