On Tue, 29 Feb 2000, Paul Cardon wrote:
Since it's a different list, folks who are curious can see the Bugtraq
thread here:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&[EMAIL PROTECTED]
> Correctly implemented proxies will not be vulnerable to the specific
> attack posted by John McDonald and Thomas Lopatic. Mikael Olsson
> speculated that it "might" be possible to similarly fool a proxy but
> that it would be "a LOT harder".
Correctly implemented SPFs won't be vulnerable either. :) It depends
totally on how a proxy is written. There is a general problem of the
firewall trying to keep track of what state the FTP server is in. Doesn't
really matter what kind of firewall it is.
> If you reread the last paragraph of the stateful inspection section of
> Mikael's post you can see the key difference: "This all assumes that the
> firewall isn't completely reassembling the stream, but rather looking at
> the contents of individual packets."
The attack as posted depends on this. Variations mentioned may not.
Some proxies may look for strings in the stream in much the same way SPFs
do, and fall for the same tricks. Not necessarily packet boundaries, but
just because they're looking for too small a piece of the string, for
example.
> Most stateful packet inspection firewalls make filtering decisions a
> packet at a time. This works best (but still isn't foolproof) when the
> decisions can be made based only on header information. For protocols
> like ftp where the decision must be made based on the data portion of
> the packet, the information necessary to make a correct decision can not
> be guaranteed to be available in a single packet.
I think most of the SPF vendors who have been around for a while have
figured this out. New ones crop up all the time though, so someone will
do it again.
> To quote Dug Song on
> BUGTRAQ, "inspecting TCP application data within individual IP packets
> is a basic layer violation."
True enough.
>
> Checkpoint's patch "fixes" the problem by requiring responses from the
> server to be terminated by a newline and fit in a single packet. This
> improves the situation at the expense of blocking some potentially valid
> traffic. Unfortunately, it is still possible to exploit the real
> problem by playing within FW-1's new rules.
I don't believe they have a real fix out yet.
Ryan
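To make the "layer violation" concrete, here is an added illustration that is not part of the thread: a constructed FTP "227" reply split across two TCP segments, inspected three ways (per packet, after stream reassembly, and under a "must fit in one newline-terminated packet" rule like the FW-1 patch described above). The address, port and segment split are made up for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample (not a real capture): one FTP PASV reply that the
# server happened to send as two TCP segments.
SEGMENTS = [
    b"227 Entering Passive ",
    b"Mode (192,0,2,10,4,1)\r\n",
]

PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(line: bytes) -> Optional[Tuple[str, int]]:
    """Return (host, port) if `line` is a complete 227 reply, else None."""
    m = PASV_RE.match(line)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2

def per_packet_decisions(segments: List[bytes]) -> List[Tuple[str, int]]:
    """Packet-at-a-time inspection: each segment is judged on its own,
    so a reply that straddles a segment boundary is simply not seen."""
    return [r for r in (parse_pasv(s) for s in segments) if r]

class StreamReassembler:
    """Buffers the control channel and only decides on complete lines."""
    def __init__(self) -> None:
        self.buf = b""
    def feed(self, seg: bytes) -> List[Tuple[str, int]]:
        self.buf += seg
        out = []
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            r = parse_pasv(line.rstrip(b"\r"))
            if r:
                out.append(r)
        return out

def reassembled_decisions(segments: List[bytes]) -> List[Tuple[str, int]]:
    r, found = StreamReassembler(), []
    for seg in segments:
        found.extend(r.feed(seg))
    return found

def single_packet_rule(seg: bytes) -> str:
    """Model of the 'fix' the thread describes: a 227 reply is only
    accepted if it is newline-terminated and whole within one packet."""
    if seg.startswith(b"227") and not seg.endswith(b"\n"):
        return "block"
    return "allow"
```

The reassembling inspector recovers the data-channel endpoint from the split reply, the per-packet one never sees it, and the single-packet rule blocks the first (perfectly valid) segment outright.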