Dug Song wrote:
> 
> other avenues of attack identified in our presentation were indeed
> generic

In support of Dug's statements, if anyone is doubting him:

In my experience, a lot of "generic" stuff actually works. On
different products from different vendors. Many are guilty
of committing the same old sins over and over again.
(Buffer overruns are one glaring example here.)

An on-topic example which is not just an example of
sloppy programming, but rather flawed algorithms:

The FTP PORT and PASV vulnerabilities reported back in March, were, 
on my part, only the result of me trying to design a good way to 
support FTP with back channels in a firewall.

A series of thoughts led me from "If I was really lame, I'd just 
cheat and do it this and that way" through "damn, that opens up a lot
of holes" to "I wonder just how many people out there are cheating", 
which led to my posts. (Yes, the dataprotect people had independently 
found and tested the FW-1 PASV vulnerability right at that time.)

The posts were followed up by several people from the security
community with actual tests, and, yes, indeed, a lot of firewall
developers are evidently lame. Or, to turn around and defend
those developers: "not allowed enough time by their marketing 
department to design good algorithms", which would instead 
imply that their CEOs are lame ;)

$.02

/Mike

On a side note: NO this is NOT a problem only with stateful
inspection firewalls; similar exploits WILL work with proxy
firewalls, especially against FTP clients. They just have to 
be crafted a bit more carefully. I might even sit my arse
down and hack one up some day when I get enough spare time
(will likely coincide with the approximate time when pigs 
learn how to fly).

Oh, and for those that wonder: How do you support today's back 
channeling protocols safely?
The answer is: You don't. Not in a normal firewall at least.
On a bastion host that is properly hardened that you can 
telnet to? Well, now we're getting somewhere.

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: [EMAIL PROTECTED]
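As an added illustration of the "cheating" Mike describes (this is example code, not anything from the original post or from EnterNet): a firewall that wants to open an FTP data channel has to parse the client's PORT command or the server's 227 PASV reply properly, and then refuse any endpoint that is not the control-connection peer on an unprivileged port. The function below assumes the firewall has already reassembled one complete protocol line (matching on a bare "227" substring inside an arbitrary packet is exactly the shortcut that opens holes).

```python
import re

# Six comma-separated decimal octets: h1,h2,h3,h4,p1,p2 (RFC 959 format).
HOSTPORT = r"(\d{1,3}(?:,\d{1,3}){5})"
PORT_RE = re.compile(r"^PORT\s+" + HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?" + HOSTPORT)  # reply must START with code 227

def parse_hostport(tuple_text):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256+p2), rejecting octets > 255."""
    parts = [int(x) for x in tuple_text.split(",")]
    if any(x > 255 for x in parts):
        raise ValueError("octet out of range")
    return ".".join(str(x) for x in parts[:4]), parts[4] * 256 + parts[5]

def check_data_channel(line, control_peer):
    """Decide whether a firewall may open the data channel named in `line`.

    `line` is one complete PORT command (from the client) or 227 reply (from
    the server); `control_peer` is the IP address of whichever side sent it,
    as seen on the control connection. Returns (allowed, reason).
    """
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if not m:
        return False, "not a PORT command or a 227 PASV reply"
    try:
        host, port = parse_hostport(m.group(1))
    except ValueError:
        return False, "malformed host/port tuple"
    if host != control_peer:
        # Third-party address: the classic bounce. Only the peer itself may be named.
        return False, "host %s is not the control peer %s" % (host, control_peer)
    if port < 1024:
        # Privileged port: would turn the firewall into a relay to a real service.
        return False, "privileged port %d" % port
    return True, "allow data channel to %s:%d" % (host, port)
```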