[10197] in bugtraq


Re: Possible security hole

daemon@ATHENA.MIT.EDU (Robert Ståhlbrand)
Tue Apr 13 13:35:56 1999

Date: 	Tue, 13 Apr 1999 14:41:23 +0200
Reply-To: Robert Ståhlbrand <robert.stahlbrand@AC.SALCOM.SE>
From: Robert Ståhlbrand <robert.stahlbrand@AC.SALCOM.SE>
X-To:         lincoln@hotlink.com.br
To: BUGTRAQ@NETSPACE.ORG

As a reseller of FW-1 I think I should add something to this discussion.

It is indeed possible to do something bad during this time. You have
about 10 seconds when the FW-1 answers ping, and if you portscan for
something that you know is open on the machine (of course, a correctly
configured FW-1 has no services available) you will see that you can
reach this service for about 2-3 seconds.
I tried to delay the FW-1 so that we could have some more time than just
2-3 seconds with a combination of a ping- and fragmentation-flood, and
yes, I got more time. About 20-30 seconds.
During this time the machine is very slow, but I succeeded in doing
something "bad" during this time since I mapped the C: which is shared by
default on NT.
What I could have done more was to replace the binary for the rule-set
with an "any any any accept" rule-base, and NOW we've done something bad!

I also tried to route packets through the FW-1 during this period but
did not succeed.

It's not very hard to write a program in, for example, perl to do all the
above automatically. You have to know the login-name for administrator
and the password of course, so we have to have that first.
What we also want is to be able to reboot the FW-1/NT-server remotely
with some kind of DoS-attack, but this is indeed possible when running on
NT. No details here, but there are problems in NT that cause the machine
to BSoD. I'm pretty sure that someone soon will post something about
this issue 8-).

I've recently been in touch with Checkpoint regarding this issue and
their answer is that they cannot control this because of the underlying
operating system. What they can control is IP Forwarding (thank god).

So what do we learn?
1) Don't run FW-1 on NT.
2) If you do it anyway, be very careful with the configuration and strip
it from every service not needed!!!!!!

Cheers,
Robert Ståhlbrand, Salcom AB

Cristiano Lincoln Mattos wrote:

> Quoting Christoforos Karatzinis <chka@SOLUTIONS.IE>:
>
> Hi,
>      The FW1 documentation clearly states that there is
> a small delay after the interface initializes and the
> FW starts acting on it.  It is possible to do something
> "bad" to it in this period...
>
> Regards,
> Cristiano Lincoln Mattos
> Recife / Brazil
>
> > The first 25 packets were lost before the interface's
> > initialization. The packets with sequence number greater
> > than 34 are dropped from the firewall.
> > What about the packets with sequence number 25-34? Is it
> > possible that someone can use this time (after the
> > interface's initialization and before the firewall's
> > initialization) to do something bad?
> >
> > Regards,
> > Christofer
