After having sent this to Novell (dated 8 Feb 2000) and still not having received an answer, I find it appropriate to post this here:
Problem:
In a recent security check/penetration test at a quite large customer in the Oslo area, I was able to bypass the IP filter in BorderManager 3.5 and ping any host behind it. Although being able only to ping through isn't a huge problem, I fear the security hole can be dug larger. The interface on "my" side of the firewall had one filter rule: "DENY ANY:ANY"
How:
After several traditional TCP and UDP scans, I found no way to bypass it. After that, I tried fragmented SYN, NUL, FIN, ACK, and Xmas-tree scans, resulting in some strange error allowing me to ping any host behind the filter. The problem disappeared after an unload/reload of IPFLT.NLM. I was able to reproduce the problem, although it doesn't seem to depend on a specific attack sequence. The result was IPFLT.NLM (or something related) eating a huge amount of memory, thereby crashing the server.
After the server came up, I managed to reproduce this without crashing the server. I found no real pattern in what to do to break through - just stressing it enough seemed to be enough.
Novell has since released a patch for the port 2000 DoS-like attack, but I haven't been able to test whether this solves the leak problem.
Installation:
NetWare 5sp4
BorderManager 3.5sp1
Tools:
Linux 2.3.42 http://somewhere/
nmap 2.3 Beta 13 http://www.insecure.org/nmap/
Roy Sigurd Karlsbakk <[EMAIL PROTECTED]>
A-Team Norge as
