[13836] in bugtraq


Re: FireWall-1 FTP Server Vulnerability

daemon@ATHENA.MIT.EDU (Alexandru Popa)
Tue Feb 15 14:19:16 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.0002142201030.4674-100000@ns.ldc.ro>
Date:         Mon, 14 Feb 2000 22:09:35 +0200
Reply-To: Alexandru Popa <razor@LDC.RO>
From: Alexandru Popa <razor@LDC.RO>
X-To:         Lars.Troen@MERKANTILDATA.NO
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <51A8E31DE32DD211A0590008C71E7E4C59686E@tro-03-msg.merkantildata.no>

On Sat, 12 Feb 2000 Lars.Troen@MERKANTILDATA.NO wrote:

> -----Original Message-----
> From: Check Point Support [mailto:cpsuppor@ts.checkpoint.com]
> Sent: 12. februar 2000 06:01
> To: fw-1-mailinglist@lists.us.checkpoint.com
> Subject: [FW1] Check Point News Announcement
>
[snip]
> - For those using stateful inspection of passive FTP, the following
> patch has been supplied.
>
> Patch:
> The patch consists of a new $FWDIR/lib/base.def file that includes a fix
> to the problem (the file is compatible with Firewall-1 4.0 SP-5, other
> platforms will be released as soon as possible). The fix involves an
> enforcement on the existence of the newline character at the end of each
> packet on the FTP control connection, this will close off the described
> vulnerability.
[snip]

This would work fine, except that, provided someone could create a
directory named (C-syntax) "mtu-padding\r\n227 evil message\r\n" AND
change to that dir, a "PWD" would probably happily spit out the message,
in a very correct form.

Disclaimer: I am no FTP protocol expert, so the dir-making and
CWD-ing above might not work.  This might also not work if the server
quotes its output properly.

------------+------------------------------------------
Alex Popa,  |There never was a good war or a bad peace
razor@ldc.ro|                   -- B. Franklin
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
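
Added example, not part of the original message and not Check Point's code: the newline check as the announcement words it, next to a stricter reply tracker and a server-side quoting rule, run over the PWD case from the reply above. Assumptions: per_packet_check is modelled only on the announcement's one-sentence description (the base.def logic is not on this page); ReplyTracker, pwd_reply and the 550 policy are hypothetical; the packets are constructed.

```python
# Constructed packets: PWD reply of a server that does not quote the
# directory name from the post, split where the padding is meant to put
# the packet boundaries. "mtu-padding" stands in for the real filler.
PWD_PACKETS = [
    b'257 "/mtu-padding\r\n',
    b'227 evil message\r\n',
    b'" is current directory.\r\n',
]


def per_packet_check(packet):
    """Assumed model of the patch: a packet that ends in a newline and
    starts with "227 " is treated as a passive-mode reply."""
    return packet.endswith(b"\n") and packet.startswith(b"227 ")


class ReplyTracker:
    """Hypothetical stricter inspector: a 227 counts only as the final
    reply line answering a PASV command the client actually sent."""

    def __init__(self):
        self.pending = None   # verb of the last client command
        self.buffer = b""     # partial reply line carried across packets

    def client_sent(self, line):
        self.pending = line.split()[0].upper() if line.strip() else None

    def server_sent(self, packet):
        """Feed one server packet; return the 227 lines that are honoured."""
        honoured = []
        self.buffer += packet
        while b"\r\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\r\n", 1)
            final = line[:3].isdigit() and line[3:4] == b" "
            if self.pending is None or not final:
                continue      # unsolicited or continuation line: ignored
            if line.startswith(b"227 ") and self.pending == b"PASV":
                honoured.append(line)
            self.pending = None   # reply consumed; later lines are unsolicited
        return honoured


def pwd_reply(path):
    """Server side (assumed policy): never echo control characters, and
    double embedded quotes as RFC 959 describes for 257 replies."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        return "550 Pathname contains control characters.\r\n"
    return '257 "%s" is current directory.\r\n' % path.replace('"', '""')
```

The tracker fails closed: if the client pipelines commands, a genuine 227 can be ignored, but a line embedded in another command's reply is never honoured.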
