ftp.gnupg.org seems to cause problems with Checkpoint firewall1 and Cisco CSS
Pitchford, Chris - IT Security Team
chris.pitchford at newsint.co.uk
Fri Mar 23 12:51:34 CET 2007
Hello all,
This is a bit of a specific problem with the FTP server serving
ftp.gnupg.org, not actually a problem with the product gnupg itself!..
I've noticed that the FTP server fragments the data it sends to clients
in the control connection at a really unhelpful point. It sends the
response line in one packet, then sends line terminating CR, LF in a new
packet of its own.
Here's an example of a connection from the FTP server
client ftp.gnupg.org SYN
ftp.gnupg.org client SYN,ACK
client ftp.gnupg.org ACK
ftp.gnupg.org client 220 Service ready for new user.
ftp.gnupg.org client \r\n (CR, LF)
Ok, why did the FTP server send 2 packets for the welcome banner? This
will be blocked by Checkpoint Firewall1 since it detects that the first
packet did not end in a CR, LF.
I've not yet seen any other FTP server that does this.
I created a work around for this.
I've seen this again, causing problem setting up a data connection.
client ftp.gnupg.org PASV\r\n
ftp.gnupg.org client 227 Entering Passive Mode
(217,69,76,51,162,59).
ftp.gnupg.org client \r\n
This split causes a problem for a Cisco CSS that is NATing a cluster of
FTP proxies to a single IP address.
I can't find any evidence in the FTP RFC that states that the CR,LF
needs to be sent in a single packet, but I also cannot find any other
FTP server exhibiting this strange behaviour. It is certainly a waste to
send two packets when one would suffice!
It seems that the FTP server is using two calls to write() to send the
responses and banners, but that is as much as I can say.
Is there any chance you'd consider changing FTP servers? Is it private
information or I can I know the daemon you're using so I can investigate
why it is doing this and if there is a fix for the server?
Cheers
Chris
Security Consultant
News Internation Newspapers Ltd
"Please consider the environment before printing this e-mail"
The Newspaper Marketing Agency: Opening Up Newspapers:
www.nmauk.co.uk
This e-mail and all attachments are confidential and may be privileged. If you have received this e-mail in error, notify the sender immediately. Do not use, disseminate, store or copy it in any way. Statements or opinions in this e-mail or any attachment are those of the author and are not necessarily agreed or authorised by News International (NI). NI Group may monitor emails sent or received for operational or business reasons as permitted by law. NI Group accepts no liability for viruses introduced by this e-mail or attachments. You should employ virus checking software. News International Limited, 1 Virginia St, London E98 1XY, is the holding company for the News International group and is registered in England No 81701
More information about the Gnupg-devel
mailing list