> Does anyone have any more information on the FTP bounce attack? The only
> information I have is from bugtraq. I have seen it is possible to FTP
> behind a firewall. Is it possible for intruders to connect to other
> things such as telnet and web servers and retrieve the data sent?

It's a nasty bug. :( It's one some of us knew about a long time ago and managed to get some of the worst holes fixed. But it's still there. :(

The problem is that you can transmit data (or receive it) from any port by giving ftpd a PORT command that is different than the one you "normally" would.

Simple example:

   find a server that allows uploads
   upload a file containing SMTP dialog to send a message
   do a PORT victim-ip,25
   do a RETR filename

As far as retrieving data from web servers, etc, that's a bit harder; I'm not quite sure how you'd do that. You could do some games with PORT and talk to the web server but it wouldn't let you both send up a URL *and* download the contents of the page. One-way dialogs will work fine, though.

The worst bug was that the FTP server binds a port in the privileged range for the connections -- so ruserok checks for > 125 and < USRRESERVED rather than just < USRRESERVED. If you're writing code that makes assumptions about privileged ports be careful to exclude the FTP port. Of course, if you are programming using privileged ports you're making a mistake to start with. I'm concerned that some implementations of rshd might not make the requisite checks, but every one I have managed to examine is OK now. Otherwise, you wouldn't be seeing this post. :)

There are two fixes, both simple and effective:

   1) Announce the death of FTP and stop using it as it is now superseded by HTTP -- if large Internet server sites stopped supporting FTP it'd be gone in 9 months

   2) Bodge the ftpd to not accept PORT to IP addresses other than the one that the client is connected to

Solution #1 is the one I encourage people to take.

FTP is a lame duck protocol, and its call-back socket approach has caused more grief for firewall builders and security solution builders than just about anything else out there. It's especially irritating since the call-back is an artifact of pre-IP implementations, in which sockets were unidirectional and that kind of nonsense was necessary; the code just never got fixed and we've been saddled with that piece of junk ever since.

mjr.

"FTP must die." -- http://www.clark.net/pub/mjr
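The two server-side checks the post describes, fix #2 (ftpd refusing a PORT whose address is not the control connection's peer) and the ruserok/rshd rule that a "privileged" source port must not be trusted when it is the FTP data port, written out as an added C example. This is illustration code, not any ftpd or rshd implementation; the PORT argument grammar is the RFC 959 h1,h2,h3,h4,p1,p2 form, the 192.0.2.x addresses are constructed test values, and the trusted source-port window [RESERVED_LIMIT/2, RESERVED_LIMIT) is the BSD rcmd convention assumed here, chosen because port 20 (ftp-data) falls outside it.

```c
#include <stdio.h>
#include <stdint.h>

/* Upper bound of the privileged port range (assumed 1024, the usual Unix value). */
#define RESERVED_LIMIT 1024

/* Pack four octets into a host-order IPv4 address. */
uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Parse an FTP PORT argument "h1,h2,h3,h4,p1,p2" into an IPv4 address and a
 * TCP port. Returns 1 on success, 0 on malformed input (wrong field count,
 * octet > 255, trailing junk). */
int parse_port_arg(const char *arg, uint32_t *ip, int *port)
{
    unsigned int v[6];
    char trail;

    if (arg == NULL)
        return 0;
    /* The trailing %c only matches if something follows the six fields. */
    if (sscanf(arg, "%u,%u,%u,%u,%u,%u%c",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &trail) != 6)
        return 0;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return 0;

    *ip = (v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    *port = (int)((v[4] << 8) | v[5]);
    return 1;
}

/* Fix #2 from the post: honour PORT only when the data connection would go
 * back to the host the control connection came from, and only to an
 * unprivileged port there. This stops the server being used as a relay to a
 * third party (the victim-ip,25 case) or to a privileged service on the
 * client itself. Returns 1 if the PORT command should be accepted. */
int port_cmd_allowed(const char *arg, uint32_t client_ip)
{
    uint32_t ip;
    int port;

    if (!parse_port_arg(arg, &ip, &port))
        return 0;                       /* malformed: reject rather than guess */
    if (ip != client_ip)
        return 0;                       /* data connection to a different host */
    if (port < RESERVED_LIMIT)
        return 0;                       /* would hit a privileged service */
    return 1;
}

/* rshd/ruserok side: a source port counts as "privileged, therefore from a
 * trusted rcmd client" only inside [RESERVED_LIMIT/2, RESERVED_LIMIT).
 * Anything below that window, including ftp-data (20), is not trusted,
 * which is the check the post says every examined rshd now makes. */
int trusted_source_port(int port)
{
    return port >= RESERVED_LIMIT / 2 && port < RESERVED_LIMIT;
}

int main(void)
{
    uint32_t client = ip4(192, 0, 2, 10);   /* constructed client address */

    printf("same host, port 51217: %d\n", port_cmd_allowed("192,0,2,10,200,17", client));
    printf("third host, port 25:   %d\n", port_cmd_allowed("192,0,2,99,0,25", client));
    printf("same host, port 25:    %d\n", port_cmd_allowed("192,0,2,10,0,25", client));
    printf("octet out of range:    %d\n", port_cmd_allowed("192,0,2,10,256,1", client));
    printf("source port 20 ok:     %d\n", trusted_source_port(20));
    printf("source port 1023 ok:   %d\n", trusted_source_port(1023));
    return 0;
}
```

The PORT filter alone closes the relay to other hosts; the lower bound on the data port is the extra belt-and-braces step, since a server that may only call back to the client can still be pointed at the client's own privileged services. Both are the "bodge" the post calls fix #2; they do nothing about the protocol's call-back design itself.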