"Perez Lajo, Jacobo" wrote:
>
> Someone has told me that there might be a bug in that release of FW-1
> dealing with FTP traffic and its "stateful packet firewall" feature
Yes, I posted this on 2000-02-10:
-----8<-----
Multiple firewalls:
FTP Application Level Gateway "PASV" Vulnerability

Synopsis
--------
It is possible to cause certain firewalls to open up any
TCP port of your choice against FTP servers that are
"protected" by those firewalls. This is done by fooling
the FTP server into echoing "227 PASV" commands out through
the firewall.

Known affected firewalls
------------------------
Firewall-1 v3 allows full communication on the opened port
Firewall-1 v4 allows only inbound communication on the opened port

NOTE: THIS IS LIKELY A PROBLEM WITH MANY FIREWALLS, DO NOT
TAKE FOR GRANTED THAT YOUR FIREWALL IS SAFE JUST BECAUSE IT IS
NOT LISTED HERE

Background
----------
I've had this idea since late -98, but haven't gotten around to
doing anything about it. Recently, I posted a "possible vulnerability"
to [EMAIL PROTECTED], outlining my ideas. This resulted
in multiple responses from different people saying that they had
experienced attacks like this.
It would seem that I should have gone public with my concerns
a lot sooner, rather than having people frown upon them in private.
For my original, somewhat unstructured, thought process, entitled
"Breaking through FTP ALGs -- is it possible?", see:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&[EMAIL PROTECTED]
For an immediate confirmation regarding FW-1 v3 and v4 from
John McDonald, [EMAIL PROTECTED], and a real-life attack, entitled
"FireWall-1 FTP Server Vulnerability", see:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&[EMAIL PROTECTED]
[Note: URLs are most likely wrapped]
This attack is most likely to work against stateful inspection
firewalls protecting servers.
It might also be possible to cause "proxy" like firewalls to
open arbitrary ports to protected servers.
In the extreme case, albeit a tad unlikely, it may be possible
to cause any type of firewall to open arbitrary ports against
FTP clients.
Take care, all
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50 Fax: +46 (0)660 122 50
Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
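
Added example, not part of the original post and not any vendor's code: a Python sketch of an FTP helper that is not fooled by echoed "227" text, because it honors a passive-mode reply only when it is a complete CRLF-terminated line of the server's control stream that begins with the reply code and names the server's own address. The names PasvTracker, weak_pinhole and MAX_LINE, the address 192.0.2.10, the port >= 1024 policy and the weak matcher shown for contrast are assumptions made for illustration and do not describe Firewall-1's implementation.

```python
import re

MAX_LINE = 2048  # assumed cap on one control-channel reply line
TUPLE = rb"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
# Strict form: the whole line is one 227 reply carrying exactly one tuple.
STRICT = re.compile(rb"227 [^()\r\n]*" + TUPLE + rb"[^()\r\n]*")
# Weak form (constructed for contrast): "227" found anywhere in a payload.
WEAK = re.compile(rb"227 [^()\r\n]*" + TUPLE)


def _endpoint(match):
    """Turn the six captured numbers into (dotted_ip, port), or None."""
    n = [int(g) for g in match.groups()]
    if max(n) > 255:
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def weak_pinhole(payload):
    """Pattern search over a raw payload: trusts text the server echoed."""
    m = WEAK.search(payload)
    return _endpoint(m) if m else None


class PasvTracker:
    """Server-to-client half of one FTP control connection."""

    def __init__(self, server_ip):
        self.server_ip, self.buf, self.skip = server_ip, b"", False

    def feed(self, segment):
        """Consume one TCP payload; return the (ip, port) pinholes to open."""
        self.buf += segment
        opened = []
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            if self.skip:  # tail of an overlong line is never parsed
                self.skip = False
                continue
            m = STRICT.fullmatch(line)
            ep = _endpoint(m) if m else None
            # Assumed policy: data channel on the server itself, port >= 1024.
            if ep and ep[0] == self.server_ip and ep[1] >= 1024:
                opened.append(ep)
        if len(self.buf) > MAX_LINE:  # bound memory; drop until next CRLF
            self.buf, self.skip = self.buf[-1:], True
        return opened
```

The strict matcher expects the parenthesized address form; a server that sends the tuple without parentheses would need the pattern widened deliberately rather than loosened to a substring search.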