From: "YU, Haitao" <yuhaitao@tsinghua.org.cn>
To: netfilter-devel@lists.netfilter.org
Subject: bugs in ftp conntrack
Date: Tue, 22 May 2007 14:24:37 +0800
Message-ID: <379815077.04066@tsinghua.org.cn>

Hi,


If the order of ftp packets is wrong, the function find_nl_seq() in
net/ipv4/netfilter/ip_conntrack_ftp.c will make a mistake.

i.e., consider three ftp packets: "port", "list" and "noop".
If the "list" and "noop" packets reach the firewall before the "port" packet,
then info->seq_aft_nl will record the sequence of "noop". The kernel will
not parse the "port" packet because the seq does not match the recorded one.

If the kernel can't trace the expect connection, then the attack described in
[phrack-63, 0x13] will happen.


Another problem is that if the packet length is changed by NAT, then the
next packet will not be parsed. So the kernel cannot parse the 2nd "port"
packet of two consecutive "port" packets. Though it's impossible in a legal
ftp connection, and I also don't know how to use this to hack the firewall.


Third, the value of "oldest" in the function update_nl_seq() seems unchanged
after four packets.


Regards,

YU, haitao
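To make the first problem in the report concrete, here is a small C model of the "sequence after newline" bookkeeping the FTP helper relies on. It is an added illustration, not code from the kernel's ip_conntrack_ftp.c or from the poster: the helper remembers where the last few command lines ended per direction and only treats a segment as a command if it starts exactly at one of those positions. The ring size NUM_SEQ_TO_REMEMBER, the sequence numbers, and the three command segments are all constructed for the example. Feeding the same three segments in the order the client sent them, and then in the reordered arrival the report describes, shows why the PORT command is silently skipped in the second case, which is the point at which no expectation for the data connection gets created.

```c
/* Model of the per-direction "seq after newline" tracking used by an FTP
 * connection-tracking helper.  Constructed for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_SEQ_TO_REMEMBER 2   /* assumed size of the remembered-positions ring */

struct nl_state {
    uint32_t seq_aft_nl[NUM_SEQ_TO_REMEMBER];  /* seq numbers just past a '\n' */
    unsigned num;                              /* how many entries are valid   */
};

/* One control-channel segment: command text plus the TCP seq of its first byte. */
struct ftp_seg {
    const char *text;
    uint32_t seq;
};

/* Wrap-safe TCP sequence comparison (same idea as the kernel's before()). */
static int seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* Does this segment start right where a previously seen line ended? */
static int find_nl_seq(uint32_t seq, const struct nl_state *st)
{
    for (unsigned i = 0; i < st->num; i++)
        if (st->seq_aft_nl[i] == seq)
            return 1;
    return 0;
}

/* Remember a new line-end position, evicting the oldest one when full. */
static void update_nl_seq(uint32_t nl_seq, struct nl_state *st)
{
    unsigned oldest = 0;
    for (unsigned i = 0; i < st->num; i++) {
        if (st->seq_aft_nl[i] == nl_seq)
            return;                                   /* already known */
        if (seq_before(st->seq_aft_nl[i], st->seq_aft_nl[oldest]))
            oldest = i;
    }
    if (st->num < NUM_SEQ_TO_REMEMBER)
        st->seq_aft_nl[st->num++] = nl_seq;
    else if (seq_before(st->seq_aft_nl[oldest], nl_seq))
        st->seq_aft_nl[oldest] = nl_seq;
}

/* Process segments in the given arrival order.  Returns 1 if the PORT command
 * was found at a recognised line boundary (i.e. would have been parsed), else 0.
 * first_cmd_seq is where the previous, already-handled command line ended. */
static int port_parsed_in_order(const struct ftp_seg *const *segs, unsigned n,
                                uint32_t first_cmd_seq)
{
    struct nl_state st = { { first_cmd_seq }, 1 };
    int port_seen = 0;

    for (unsigned i = 0; i < n; i++) {
        size_t len = strlen(segs[i]->text);
        int at_boundary = find_nl_seq(segs[i]->seq, &st);

        if (at_boundary && strncmp(segs[i]->text, "PORT ", 5) == 0)
            port_seen = 1;

        /* Line-end bookkeeping happens whether or not the segment was parsed. */
        if (len && segs[i]->text[len - 1] == '\n')
            update_nl_seq(segs[i]->seq + (uint32_t)len, &st);
    }
    return port_seen;
}

/* Constructed sample: three commands the client sends back to back.
 * "PORT ..." is 19 bytes, so LIST starts at 1019 and NOOP at 1025. */
static const struct ftp_seg PORT_SEG = { "PORT 10,0,0,1,4,1\r\n", 1000 };
static const struct ftp_seg LIST_SEG = { "LIST\r\n", 1019 };
static const struct ftp_seg NOOP_SEG = { "NOOP\r\n", 1025 };

int demo_in_order(void)
{
    const struct ftp_seg *order[] = { &PORT_SEG, &LIST_SEG, &NOOP_SEG };
    return port_parsed_in_order(order, 3, 1000);
}

int demo_out_of_order(void)
{
    /* LIST and NOOP reach the firewall before PORT, as in the report. */
    const struct ftp_seg *order[] = { &LIST_SEG, &NOOP_SEG, &PORT_SEG };
    return port_parsed_in_order(order, 3, 1000);
}

int main(void)
{
    printf("in order:     PORT parsed = %d\n", demo_in_order());
    printf("out of order: PORT parsed = %d\n", demo_out_of_order());
    return 0;
}
```

In the reordered run, NOOP's line end (1031) evicts the remembered position 1000 because the ring holds only two entries, so when PORT finally arrives its starting sequence matches nothing and the helper never sees the command. From a defender's point of view the consequence is not a parse error but a missing expectation: the data connection the client announced is simply not related to the control connection, which is why any policy that depends on the helper (ACCEPT of RELATED traffic, NAT of the embedded address) quietly fails for that transfer.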
