ftp.gnupg.org seems to cause problems with Checkpoint firewall1 and Cisco CSS

Pitchford, Chris - IT Security Team chris.pitchford at newsint.co.uk
Fri Mar 23 12:51:34 CET 2007


Hello all,

This is a bit of a specific problem with the FTP server serving
ftp.gnupg.org, not actually a problem with the product gnupg itself!

I've noticed that the FTP server fragments the data it sends to clients
in the control connection at a really unhelpful point. It sends the
response line in one packet, then sends line terminating CR, LF in a new
packet of its own.

Here's an example of a connection from the FTP server

client		ftp.gnupg.org	SYN
ftp.gnupg.org	client		SYN,ACK
client		ftp.gnupg.org	ACK
ftp.gnupg.org	client		220 Service ready for new user.
ftp.gnupg.org	client		\r\n	(CR, LF)

Ok, why did the FTP server send 2 packets for the welcome banner? This
will be blocked by Checkpoint Firewall1 since it detects that the first
packet did not end in a CR, LF.

I've not yet seen any other FTP server that does this.

I created a workaround for this.

I've seen this again, causing a problem setting up a data connection.

client		ftp.gnupg.org	PASV\r\n
ftp.gnupg.org	client		227 Entering Passive Mode (217,69,76,51,162,59).
ftp.gnupg.org	client		\r\n

This split causes a problem for a Cisco CSS that is NATing a cluster of
FTP proxies to a single IP address.

I can't find any evidence in the FTP RFC that states that the CR,LF
needs to be sent in a single packet, but I also cannot find any other
FTP server exhibiting this strange behaviour. It is certainly a waste to
send two packets when one would suffice!

It seems that the FTP server is using two calls to write() to send the
responses and banners, but that is as much as I can say.

Is there any chance you'd consider changing FTP servers? Is it private
information, or can I know the daemon you're using so I can investigate
why it is doing this and if there is a fix for the server?

Cheers

Chris

Security Consultant
News Internation Newspapers Ltd
 



More information about the Gnupg-devel mailing list
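
The two traces in the message above (the split 220 banner and the split 227 reply), as an added example that is not part of the original post and is not Checkpoint's or Cisco's actual logic: it contrasts a per-packet CR LF check with reassembling the control stream before parsing. All function and class names are hypothetical, and the segment payloads are constructed from the traces quoted in the message.

```python
import re

# Constructed TCP payloads mirroring the two traces quoted in the message.
BANNER_SEGMENTS = [b"220 Service ready for new user.", b"\r\n"]
PASV_SEGMENTS = [b"227 Entering Passive Mode (217,69,76,51,162,59).", b"\r\n"]

PASV_RE = re.compile(rb"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def per_packet_check(segments):
    """Per-packet inspection: each segment must end in CR LF by itself."""
    return [seg.endswith(b"\r\n") for seg in segments]


class ReplyReassembler:
    """Buffer control-channel bytes; emit only complete CR LF terminated lines."""

    def __init__(self, max_line=4096):
        self.buf = bytearray()
        self.max_line = max_line  # bound memory held for an unterminated line

    def feed(self, segment):
        self.buf += segment
        lines = []
        while (end := self.buf.find(b"\r\n")) != -1:
            lines.append(bytes(self.buf[:end]))
            del self.buf[:end + 2]
        if len(self.buf) > self.max_line:
            raise ValueError("unterminated control line exceeds limit")
        return lines


def inspect(segments):
    """Run segments through one reassembler and return the complete lines."""
    r = ReplyReassembler()
    return [line for seg in segments for line in r.feed(seg)]


def pasv_endpoint(line):
    """Return (ip, port) from a 227 reply line, or None if it is not one."""
    m = PASV_RE.search(line) if line.startswith(b"227") else None
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # each field is a single octet
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
```

The reassembler also copes with a CR at the end of one segment and the LF at the start of the next, since TCP gives no guarantee that segment boundaries match line boundaries.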