Ryan Russell wrote:
>
> On Tue, 29 Feb 2000, Frederick M Avolio wrote:
>
> > At 08:12 AM 2/29/00 -0800, Ryan Russell wrote:
> > >This particular problem is also suspected to affect AGs too, correct?
> >
> > No, unless I've misunderstood the exploit. I don't think I do.
> >
> The authors of the two advisories both claim belief that this problem will
> affect a variety of firewalls & their ilk that support PASV FTP, including
> proxies.
Correctly implemented proxies will not be vulnerable to the specific
attack posted by John McDonald and Thomas Lopatic. Mikael Olsson
speculated that it "might" be possible to similarly fool a proxy but
that it would be "a LOT harder".
If you reread the last paragraph of the stateful inspection section of
Mikael's post you can see the key difference: "This all assumes that the
firewall isn't completely reassembling the stream, but rather looking at
the contents of individual packets."
Most stateful packet inspection firewalls make filtering decisions a
packet at a time. This works best (but still isn't foolproof) when the
decisions can be made based only on header information. For protocols
like ftp where the decision must be made based on the data portion of
the packet, the information necessary to make a correct decision can not
be guaranteed to be available in a single packet. To quote Dug Song on
BUGTRAQ, "inspecting TCP application data within individual IP packets
is a basic layer violation."
Checkpoint's patch "fixes" the problem by requiring responses from the
server to be terminated by a newline and fit in a single packet. This
improves the situation at the expense of blocking some potentially valid
traffic. Unfortunately, it is still possible to exploit the real
problem by playing within FW-1's new rules. That is why one of the
alternatives would be to use their "ftp security server" (clever name to
avoid the word proxy) which presumably does reassemble the entire
control stream. Perhaps they even did it right.
-paul
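The distinction Paul draws between packet-at-a-time inspection and full reassembly of the control stream, as an added illustration that is not from the original thread: a constructed FTP control channel carries a genuine 227 reply and a longer server reply whose text contains a 227-shaped string, with the packet boundary placed just before that string. All function names and sample bytes are assumptions made for the example.

```python
import re

# FTP PASV reply shape (RFC 959): "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    rb"227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def pasv_port(match):
    """The data port announced in a 227 reply is p1*256 + p2."""
    return int(match.group(5)) * 256 + int(match.group(6))

def per_packet_pasv_ports(packets):
    """Packet-at-a-time inspection: every packet payload is judged on its own,
    so a payload that happens to begin with 227 text looks like a PASV reply."""
    opened = []
    for payload in packets:
        m = PASV_RE.match(payload)
        if m:
            opened.append(pasv_port(m))
    return opened

def reassembled_pasv_ports(packets):
    """Stream-reassembling inspection (what a proxy does): join the control
    channel back together and only act on complete, CRLF-terminated reply
    lines, each judged from its own first byte."""
    stream = b"".join(packets)
    # split() leaves an empty string after a trailing CRLF, or an unfinished
    # partial line; either way the last element is not a complete line.
    complete_lines = stream.split(b"\r\n")[:-1]
    opened = []
    for line in complete_lines:
        m = PASV_RE.match(line)
        if m:
            opened.append(pasv_port(m))
    return opened

# Constructed sample (not captured traffic): a genuine PASV reply, then a
# longer server reply whose text contains a 227-shaped string. The second
# reply is split across two packets right before that string.
GENUINE = b"227 Entering Passive Mode (10,0,0,5,8,1)\r\n"
LONG_REPLY = b"500 'abc 227 Entering Passive Mode (10,0,0,5,0,22)': command not understood\r\n"
_cut = LONG_REPLY.index(b"227")
PACKETS = [GENUINE, LONG_REPLY[:_cut], LONG_REPLY[_cut:]]

if __name__ == "__main__":
    print("per-packet  :", per_packet_pasv_ports(PACKETS))   # [2049, 22]
    print("reassembled :", reassembled_pasv_ports(PACKETS))  # [2049]
```

The per-packet view accepts the 227 text inside the second reply because that packet's payload starts with it; the reassembled view sees the same bytes as the middle of a 500 line and ignores them.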
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]