On Sat, 29 Jul 2000, Paul Cardon wrote:
> - Attacks against the Inter-Module Protocol, in particular the S/Key,
> FWN1, and FWA1 authentication. The demonstration involved unloading the
> firewall rule base from a system other than the legitimate management
> module.
> - S/Key seed exchange can be attacked by brute force since it is
> generated based on time of day.
> - FWN1 can be circumvented by replaying the hash presented by the
> server.
> - FWA1 is also subject to a trivial replay but the FWZ encryption also
> used is not a solved problem so this is only a partial attack. (Alleged
> FWZ code was anonymously posted to sci.crypt last week)
>
> - A problem with FTP PORT command parsing allows an octet of the IP
> address that is greater than 255 to modify the more significant octets
> of the IP address. The firewall interprets it differently than the ftp
> server.
>
> - A way to defeat the one-way restriction on the bogus data connection
> opened by the PASV attack announced some months ago.
>
> - FWZ encapsulation can be used to circumvent access controls in various
> misconfigurations of anti-spoofing.
>
> - Problem with handling of rsh error connections
This also included FTP error connections and the phrase "there may be
other protocols that also allow this." This is exploited with the MTU
being set so the error messages look like host/port info.
> Those are the ones I remember. I don't know if they will be releasing
> some of the code that was developed. Dug Song's ftp ozone can be used
> as the basis for a couple of the attacks while the others could be coded
> with a little bit of effort and protocol analysis.
They will apparently be releasing code, though Checkpoint has fixes
available. The other stuff was a fastroute exploit (I think in connection
with scanning via FINs - I'd have to check my notes to be sure) and
probably the most interesting issue was that using FWZ encapsulation allowed
attacks against RFC1918 addresses and loopback (turning off localhost
inter-module authentication made the FWZ encapsulation especially
effective as an attack vector).
Abusing multi- and broadcast addresses was an interesting attack vector.
The event was interesting in that, other than the two files to drop on the
writable FTP server behind the firewall for the demo xterms over DNS and
to bounce-attack the "protected" FTP server from itself (ISTR the claim
that the default Solaris FTPd is still bouncing), it was an interactive
demo, not a canned screenshot presentation. Dug's modified FWZ
encapsulating fragrouter code seemed to be the highest bar to replication
prior to code release, though they didn't release the authentication
protocol specs or code that opened the auth mechanism yet.
At the end of the continuation session Checkpoint had someone at the door
handing out URLs for the tech support site. None of the presenters had
tried the fixes yet.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
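[Editor's note, not part of the thread above.] The FTP PORT item in the quoted list turns on one thing: two implementations reading the same "h1,h2,h3,h4,p1,p2" argument and arriving at different addresses when a field exceeds 255. The snippet below is an added illustration of that disagreement and of the defensive fix (reject out-of-range fields outright). It is constructed for this note, not code from the presenters, from Dug Song, or from Check Point, and the two lenient parsers are hypothetical: one propagates the overflow as an arithmetic carry into the next octet, the other keeps only the low byte. Neither is claimed to be what any real firewall or ftpd did.

```python
"""Three readings of an FTP PORT argument (RFC 959: PORT h1,h2,h3,h4,p1,p2).

Constructed example. Shows why an inspecting firewall and an FTP server
can disagree about the data-connection endpoint when one field is > 255,
and why a strict parser should reject such input rather than normalise it.
"""
import re
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Each of the six fields should be a decimal value in 0..255.
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def _fields(line: str) -> Optional[List[int]]:
    """Split a PORT command into its six integer fields, or None if malformed."""
    m = _PORT_RE.match(line.strip())
    return [int(x) for x in m.groups()] if m else None


def parse_port_carry(line: str) -> Optional[Tuple[str, int]]:
    """Hypothetical lenient parser: assembles the address arithmetically,
    so a field > 255 carries into the more significant octet."""
    f = _fields(line)
    if f is None:
        return None
    h1, h2, h3, h4, p1, p2 = f
    addr = (((h1 * 256 + h2) * 256 + h3) * 256 + h4) & 0xFFFFFFFF
    return str(IPv4Address(addr)), (p1 * 256 + p2) & 0xFFFF


def parse_port_truncate(line: str) -> Optional[Tuple[str, int]]:
    """Hypothetical lenient parser: keeps only the low byte of each field,
    silently discarding the overflow."""
    f = _fields(line)
    if f is None:
        return None
    h1, h2, h3, h4, p1, p2 = (x & 0xFF for x in f)
    addr = (h1 << 24) | (h2 << 16) | (h3 << 8) | h4
    return str(IPv4Address(addr)), (p1 << 8) | p2


def parse_port_strict(line: str) -> Optional[Tuple[str, int]]:
    """Defensive parser: every field must be 0..255; anything else is rejected
    instead of being reinterpreted. This is the behaviour an inspection
    layer should enforce before opening a dynamic data-channel rule."""
    f = _fields(line)
    if f is None or any(not 0 <= x <= 255 for x in f):
        return None
    h1, h2, h3, h4, p1, p2 = f
    addr = (h1 << 24) | (h2 << 16) | (h3 << 8) | h4
    return str(IPv4Address(addr)), (p1 << 8) | p2


def interpretations_agree(line: str) -> bool:
    """True only when all three readings accept the line and yield the same
    endpoint. A False result means two components that share this command
    could open different holes for the same client request."""
    views = {parse_port_carry(line), parse_port_truncate(line), parse_port_strict(line)}
    return len(views) == 1 and None not in views


if __name__ == "__main__":
    # Constructed sample commands: one well-formed, one with an oversized octet.
    for cmd in ("PORT 10,0,0,1,4,1", "PORT 10,0,0,256,4,1"):
        print(cmd)
        print("  carry    :", parse_port_carry(cmd))
        print("  truncate :", parse_port_truncate(cmd))
        print("  strict   :", parse_port_strict(cmd))
        print("  agree    :", interpretations_agree(cmd))
```

For "PORT 10,0,0,256,4,1" the carry reading yields 10.0.1.0, the truncating reading 10.0.0.0, and the strict reading rejects the command; only the well-formed line gets a unanimous answer. The check to take away is the last function: any component that parses application-layer commands on behalf of another (a proxy, a stateful inspector) should be tested against the server it fronts with exactly this kind of boundary input, and should fail closed on anything the protocol does not define.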
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================