According to Lance Spitzner:
> Any malicious black-hat or disgruntled employee can fill
> your connections table. Many organiztion allow all
> outbound traffic. Someone can simply scan a non-existant
> target outbound and fill the connections table. They
> even can be sneaky about it and use nmap with the'-D'
> option, so someone else gets blamed for the scanning activity.
>
> The main reason I consider this 'exploit' dangerous, is not only
> is it easy for any black-hat to do, but it is very easy for you
unfortunately there is an easy way to exploit this from the
outside. By default each FireWall-1 accepts connections to its
own port 256/tcp from the entire Internet. This feature can be
turned off in the gui's control properties but usually it isn't:
Taken from Phoneboy's FAQ, http://www.phoneboy.com/
TCP Port 256 is used for three important things:
- Exchange of CA and DH keys in FWZ and SKIP encryption
between two FireWall-1 Management Consoles
- A SecuRemote Client uses this port to fetch the network topology
and encryption key from a FireWall-1 Management Console
- When instaling a policy, the management console uses this port
to push the policy to the remote firewall.
This means a misguided individual may trash the FireWall-1 connection
table even from the outside by sending syn packets to firewall's port
256/tcp with random addresses as source. The firewall will reply with
syn|ack packets to these non existing addresses, placing these
connections in it's state table.
I've tested this with the most recent FireWall-1 Version 4.0 Build 4064 [VPN + DES]
on Sun Solaris 2.6 and and some pretty old Linux based synflood tool published
in the Phrack magazine two years ago.
Olaf
--
Olaf Selke, [EMAIL PROTECTED], voice +49 5241 80-7069
