On 1 Aug 2000, Paul D. Robertson wrote:

> I'd appreciate it if Robert could quantify which of the BlackHat
> published vulnerabilities also affect PIX, since all I've seen to date
> has been speculation. I also think pluralizing "firewalls" is specious
> when naming a single other product.

Cisco PIX had similar holes in their FTP proxy, only much worse - as
reported by monti on BUGTRAQ, ftp-ozone allowed you to open ANY port:

         http://www.cisco.com/warp/public/707/pixftp-pub.shtml

likewise, the FTP proxies in IP filter and ip_masq had problems as well:

        http://false.net/ipfilter/2000_03/0248.html
        http://www.uwsg.iu.edu/hypermail/linux/kernel/0003.2/1171.html

other avenues of attack identified in our presentation were indeed
generic, at least among stateful inspection firewalls. while the actual
exploits we developed were Firewall-1 specific, this isn't to say that
some of the same techniques we used couldn't be leveraged against other
firewalls successfully - we just didn't try.

wrt denial of service - it goes without saying that a stateful inspection
firewall can be locked up with a simple state holding attack, such as
Lance Spitzner's frag flood, or something more evil:

        http://www.monkey.org/~dugsong/nakji.c

but denial of service attacks are really pretty useless when the target
system fails closed. network IDSs are a better target for this sort of
thing, as they fail completely open, and usually with much less effort.

-d.

---
http://www.monkey.org/~dugsong/
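The FTP proxy holes mentioned above, seen from the firewall side: an added example (not code from the original post or from any product it names) of the checks a stateful firewall's FTP proxy should apply before opening a data-channel pinhole. The speaker roles, the 1024 port threshold and the sample control-channel lines are assumptions made for the illustration.

```python
import re

# Constructed illustration of the pinhole check a stateful firewall's FTP
# proxy should apply before opening a data-channel port. Added example; not
# code from the original post or from any product named in it.

_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_LOW_PORT = 1024  # assumed policy threshold: never open privileged ports


def parse_ftp_endpoint(line):
    """Extract (ip, port) from 'PORT h1,h2,h3,h4,p1,p2' or from a
    '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.
    Returns None when the line carries no well-formed endpoint."""
    m = _ENDPOINT.search(line)
    if m is None:
        return None
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def pinhole_for(line, speaker_ip, speaker):
    """Return the (ip, port) pinhole the proxy may open for one control-channel
    line, or None if the line must not open anything.

    speaker is 'client' (line sent by the FTP client) or 'server' (reply sent
    by the FTP server). Three checks: only the command form that side is
    allowed to send counts, the advertised address must be the speaker's own
    (the data channel is never pointed at a third host), and the port must be
    unprivileged so the data channel cannot land on another service."""
    if speaker == "client":
        if not re.match(r"PORT\s", line, re.IGNORECASE):
            return None  # not a PORT command (free text merely containing one)
    elif speaker == "server":
        if not line.startswith("227 "):
            return None  # not a passive-mode reply
    else:
        return None
    endpoint = parse_ftp_endpoint(line)
    if endpoint is None:
        return None
    ip, port = endpoint
    if ip != speaker_ip or port < _LOW_PORT:
        return None
    return ip, port
```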
