[11231] in bugtraq


Re: Simple DOS attack on FW-1

daemon@ATHENA.MIT.EDU (Olaf Selke)
Tue Aug 3 06:58:26 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id:  <19990801204201.26280.qmail@tarjan.mediaways.net>
Date:         Sun, 1 Aug 1999 22:42:01 +0200
Reply-To: Olaf.Selke@mediaWays.net
From: Olaf Selke <Olaf.Selke@MEDIAWAYS.NET>
X-To:         spitzner@DIMENSION.NET
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.GSO.4.02.9907291222390.12581-100000@dimension.net> from
              "Lance Spitzner" at Jul 29, 99 12:26:17 pm

According to Lance Spitzner:
> Any malicious black-hat or disgruntled employee can fill
> your connections table.  Many organizations allow all
> outbound traffic.  Someone can simply scan a non-existent
> target outbound and fill the connections table.  They
> even can be sneaky about it and use nmap with the '-D'
> option, so someone else gets blamed for the scanning activity.
>
> The main reason I consider this 'exploit' dangerous, is not only
> is it easy for any black-hat to do, but it is very easy for you

Unfortunately there is an easy way to exploit this from the
outside. By default each FireWall-1 accepts connections to its
own port 256/tcp from the entire Internet. This feature can be
turned off in the GUI's control properties, but usually it isn't:

Taken from Phoneboy's FAQ, http://www.phoneboy.com/

TCP Port 256 is used for three important things:
- Exchange of CA and DH keys in FWZ and SKIP encryption
  between two FireWall-1 Management Consoles
- A SecuRemote Client uses this port to fetch the network topology
  and encryption key from a FireWall-1 Management Console
- When installing a policy, the management console uses this port
  to push the policy to the remote firewall.


This means a misguided individual may trash the FireWall-1 connection
table even from the outside by sending SYN packets to the firewall's port
256/tcp with random addresses as source. The firewall will reply with
SYN|ACK packets to these non-existent addresses, placing these
connections in its state table.

I've tested this with the most recent FireWall-1 Version 4.0 Build 4064 [VPN + DES]
on Sun Solaris 2.6 and some pretty old Linux based SYN-flood tool published
in Phrack magazine two years ago.

Olaf
--
Olaf Selke, olaf.selke@mediaways.net, voice +49 5241 80-7069
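
Added example, not part of Olaf's post and not Check Point code: a small Python model of a fixed-size stateful connection table that shows the failure mode described above. Spoofed SYNs to the firewall's own 256/tcp each cost a half-open entry (the firewall answers SYN|ACK and waits for an ACK that never arrives), and once the table is full a legitimate outbound connection is refused. The second scenario shows the effect of the mitigation the post mentions, restricting who may talk to 256/tcp, modelled here as an allow-list of management/SecuRemote addresses. The table capacity, half-open timeout, and all addresses are made-up assumptions chosen for illustration, not FireWall-1 values.

```python
"""Illustrative model of a stateful firewall's connection table under a
spoofed-source SYN flood aimed at the firewall's own 256/tcp listener.
Capacities, timeouts and addresses are assumptions, not FireWall-1 values."""
import random
from dataclasses import dataclass

FW_ADDR = "203.0.113.1"        # firewall's external address (assumed, TEST-NET-3)
FW1_MGMT_PORT = 256            # the port named in the post
TABLE_CAPACITY = 32            # deliberately tiny so the demo fills it quickly
HALF_OPEN_TIMEOUT = 60.0       # seconds a SYN-only entry survives (assumed)


@dataclass(frozen=True)
class Packet:
    t: float      # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "S" = SYN, "A" = ACK completing the handshake


class ConnTable:
    """Fixed-size connection table keyed by the TCP 4-tuple.

    allow_256_from=None mirrors the default the post describes: SYNs to the
    firewall's own 256/tcp are accepted from any source. A set of addresses
    restricts that port to known management / SecuRemote hosts.
    """

    def __init__(self, capacity=TABLE_CAPACITY, allow_256_from=None,
                 half_open_timeout=HALF_OPEN_TIMEOUT):
        self.capacity = capacity
        self.allow_256_from = allow_256_from
        self.half_open_timeout = half_open_timeout
        self.entries = {}          # 4-tuple -> {"created": t, "established": bool}
        self.syns_dropped_full = 0

    def _expire(self, now):
        # Only half-open entries age out; established flows stay.
        stale = [k for k, e in self.entries.items()
                 if not e["established"] and now - e["created"] >= self.half_open_timeout]
        for k in stale:
            del self.entries[k]

    def handle(self, pkt):
        """Return True if the packet was accepted (and tracked), False if dropped."""
        self._expire(pkt.t)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":
            # Policy check for the firewall's own management port.
            if (pkt.dst == FW_ADDR and pkt.dport == FW1_MGMT_PORT
                    and self.allow_256_from is not None
                    and pkt.src not in self.allow_256_from):
                return False                      # rejected by rule, no state kept
            if len(self.entries) >= self.capacity:
                self.syns_dropped_full += 1
                return False                      # table exhausted: new flows fail
            # A SYN from a spoofed, unreachable source still costs an entry:
            # the firewall sends SYN|ACK and waits for an ACK that never comes.
            self.entries[key] = {"created": pkt.t, "established": False}
            return True
        if pkt.flags == "A" and key in self.entries:
            self.entries[key]["established"] = True
            return True
        return False


def spoofed_syns(count, rng):
    """Constructed flood: one SYN each from a random (unreachable) source to FW 256/tcp."""
    pkts = []
    for i in range(count):
        src = ".".join(str(rng.randint(1, 223)) for _ in range(4))
        pkts.append(Packet(t=i * 0.1, src=src, sport=rng.randint(1024, 65535),
                           dst=FW_ADDR, dport=FW1_MGMT_PORT, flags="S"))
    return pkts


def run_scenario(restrict_port_256, flood_size=100, seed=7):
    """Flood the table, then try one legitimate outbound connection."""
    rng = random.Random(seed)
    allow = {"10.0.0.5"} if restrict_port_256 else None   # assumed management host
    table = ConnTable(allow_256_from=allow)
    spoofed_accepted = sum(table.handle(p) for p in spoofed_syns(flood_size, rng))
    # Legitimate inside client opening an outbound web connection (constructed).
    syn = Packet(t=11.0, src="10.1.2.3", sport=40000, dst="192.0.2.10", dport=80, flags="S")
    ack = Packet(t=11.1, src="10.1.2.3", sport=40000, dst="192.0.2.10", dport=80, flags="A")
    legit_ok = table.handle(syn) and table.handle(ack)
    return {"spoofed_accepted": spoofed_accepted,
            "table_size": len(table.entries),
            "syns_dropped_full": table.syns_dropped_full,
            "legit_accepted": bool(legit_ok)}


if __name__ == "__main__":
    print("default   :", run_scenario(restrict_port_256=False))
    print("restricted:", run_scenario(restrict_port_256=True))
```

With the default policy the first 32 spoofed SYNs fill the table and every later SYN, including the legitimate client's, is dropped; with 256/tcp restricted to the assumed management host, none of the spoofed SYNs consume state and the client's connection completes. A real deployment would also lean on a short half-open timeout, which the model exposes as a parameter but the post does not discuss.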
