RE: [FW1] Blackhat briefings and Firewall-1

Sun, 30 Jul 2000 05:50:53 -0700 


Here's a page on the web about the issues.

        http://www.securitywatch.com


Regards

PD

> -----Original Message-----
> From: Paul Cardon [SMTP:[EMAIL PROTECTED]]
> Sent: Saturday, July 29, 2000 3:30 PM
> To:   Frank Darden
> Cc:   '[EMAIL PROTECTED]'
> Subject:      Re: [FW1] Blackhat briefings and Firewall-1
> 
> ***** This message originated from outside the AA *****
> 
> 
> Frank Darden wrote:
> > 
> > Apparently there was going to be new information on Firewall-1 at these
> > briefings. Has anyone attended, and if so, what was covered?
> 
> - Attacks against the Inter-Module Protocol, in particular the S/Key,
> FWN1, and FWA1 authentication.  The demonstration involved unloading the
> firewall rule base from a system other than the legitimate management
> module. 
> - S/Key seed exchange can be attacked by brute force since it is
> generated based on time of day.
> - FWN1 can be circumvented by replaying the hash presented by the
> server.
> - FWA1 is also subject to a trivial replay but the FWZ encryption also
> used is not a solved problem so this is only a partial attack.  (Alleged
> FWZ code was anonymously posted to sci.crypt last week)
> 
> - A problem with FTP PORT command parsing allows an octet of the IP
> address that is greater than 255 to modify the more significant octets
> of the IP address.  The firewall interprets it differently than the ftp
> server.
> 
> - A way to defeat the one-way restriction on the bogus data connection
> opened by the PASV attack announced some months ago.
> 
> - FWZ encapsulation can be used to circumvent access controls in various
> misconfigurations of anti-spoofing.
> 
> - Problem with handling of rsh error connections
> 
> Those are the ones I remember.  I don't know if they will be releasing
> some of the code that was developed.  Dug Song's ftp ozone can be used
> as the basis for a couple of the attacks while the others could be coded
> with a little bit of effort and protocol analysis.
> 
> -paul
> 
> 
> ==========================================================================
> ======
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ==========================================================================
> ======


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Reply via email to