Frank Darden wrote:
> 
> Apparently there was going to be new information on Firewall-1 at these
> briefings. Has anyone attended, and if so, what was covered?

- Attacks against the Inter-Module Protocol, in particular the S/Key,
FWN1, and FWA1 authentication.  The demonstration involved unloading the
firewall rule base from a system other than the legitimate management
module. 
- S/Key seed exchange can be attacked by brute force since it is
generated based on time of day.
- FWN1 can be circumvented by replaying the hash presented by the
server.
- FWA1 is also subject to a trivial replay but the FWZ encryption also
used is not a solved problem so this is only a partial attack.  (Alleged
FWZ code was anonymously posted to sci.crypt last week)

- A problem with FTP PORT command parsing allows an octet of the IP
address that is greater than 255 to modify the more significant octets
of the IP address.  The firewall interprets it differently than the ftp
server.

- A way to defeat the one-way restriction on the bogus data connection
opened by the PASV attack announced some months ago.

- FWZ encapsulation can be used to circumvent access controls in various
misconfigurations of anti-spoofing.

- Problem with handling of rsh error connections

Those are the ones I remember.  I don't know if they will be releasing
some of the code that was developed.  Dug Song's ftp ozone can be used
as the basis for a couple of the attacks while the others could be coded
with a little bit of effort and protocol analysis.

-paul
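
A strict parser for the FTP PORT command, added here as an example and not code from Paul's post or from Check Point: it enforces the 0..255 range on every field before the address is rebuilt, which is the check whose absence lets an over-range octet alter the more significant octets, and it pins the advertised address to the control-connection peer. `parse_port_command`, `is_valid_port_command` and `PortCommandError` are names chosen for this example.

```python
"""Strict RFC 959 PORT parser: "PORT h1,h2,h3,h4,p1,p2".

Every field must be a plain decimal in 0..255; the address is only
reconstructed after that check, so a firewall or proxy applying it
agrees with the FTP server on which host and port were requested.
"""
import re

# Exactly six unsigned decimal fields separated by commas, nothing else.
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


class PortCommandError(ValueError):
    """Raised for a malformed, out-of-range or mismatched PORT command."""


def parse_port_command(line, control_peer_ip=None):
    """Return (ip, port) for a well-formed PORT line, else raise PortCommandError.

    control_peer_ip: when given, the advertised address must equal the
    client's control-connection address, so data connections to a third
    host are refused.
    """
    m = _PORT_RE.match(line)
    if not m:
        raise PortCommandError("malformed PORT command: %r" % line)
    fields = [int(x) for x in m.groups()]
    # Reject any field that does not fit in one octet before doing any
    # arithmetic on the address; no carry into neighbouring octets.
    for f in fields:
        if f > 255:
            raise PortCommandError("field out of range: %d" % f)
    h1, h2, h3, h4, p1, p2 = fields
    ip = "%d.%d.%d.%d" % (h1, h2, h3, h4)
    port = p1 * 256 + p2
    # Data connections belong on ephemeral ports; a privileged port is suspect.
    if port < 1024:
        raise PortCommandError("refusing privileged data port %d" % port)
    if control_peer_ip is not None and ip != control_peer_ip:
        raise PortCommandError("PORT address %s != control peer %s" % (ip, control_peer_ip))
    return ip, port


def is_valid_port_command(line, control_peer_ip=None):
    """Boolean wrapper for filtering code that only needs accept/reject."""
    try:
        parse_port_command(line, control_peer_ip)
        return True
    except PortCommandError:
        return False
```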


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================