[28342] in bugtraq
Filtering devices spotting
daemon@ATHENA.MIT.EDU (Ed3f)
Wed Jan 1 15:04:02 2003
From: "Ed3f" <ed3f@overminder.com>
To: <bugtraq@securityfocus.com>
Date: Wed, 1 Jan 2003 14:27:08 +0100
Message-ID: <000001c2b199$7bc4c180$022aa8c0@thunder>
************************ SECURITY ALERT ************************
Systems Affected
100% of packet filtering systems, including commercial
embedded devices
(no unaffected system known at the moment)
Risk
low
Overview
Multiple vendors' implementations of a packet filtering
engine do not check the level 4 checksum.
This could be used by an attacker to perform an active
analysis of a firewall ruleset and use OS fingerprinting
tools with firewall response packets.
Description
It's possible to spot a firewall by sending a single packet
with a broken level 4 checksum, if the firewall is configured
to reply. This problem is present even if a transparent bridge
is used.
Example:
send a TCP SYN and you'll receive a RST-ACK.
The complete study is available at:
http://www.phrack.org/phrack/60/p60-0x0c.txt
Solution
Disable reply.
Apply the patch when available.
************************* Ed3f ********************0x000002*
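
The check that the Overview says filtering engines skip, written out as an added example (not code from the advisory, the Phrack study, or any vendor patch): verify the TCP checksum over the IPv4 pseudo-header before a rule that is configured to reply is allowed to answer. The names reject_verdict, DROP_SILENT and REPLY_RST are hypothetical, and the sample SYN uses constructed documentation addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One's-complement sum of big-endian 16-bit words (RFC 1071). */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        acc += (uint32_t)p[0] << 8;   /* odd last byte, zero padded */
    return acc;
}

/* 1 if the TCP checksum over IPv4 pseudo-header + segment verifies. */
int tcp_checksum_ok(const uint8_t src[4], const uint8_t dst[4],
                    const uint8_t *seg, size_t len)
{
    uint8_t pseudo[12] = {0};
    uint32_t acc;
    if (len < 20 || len > 65535)      /* not a whole TCP header */
        return 0;
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[9] = 6;                    /* protocol number for TCP */
    pseudo[10] = (uint8_t)(len >> 8); /* TCP length, header + data */
    pseudo[11] = (uint8_t)len;
    acc = sum16(seg, len, sum16(pseudo, sizeof pseudo, 0));
    while (acc >> 16)                 /* fold carries back in */
        acc = (acc & 0xffff) + (acc >> 16);
    return acc == 0xffff;
}

enum verdict { DROP_SILENT, REPLY_RST };
/* Hypothetical hook for a rule set to reply: answer valid segments only. */
enum verdict reject_verdict(const uint8_t src[4], const uint8_t dst[4],
                            const uint8_t *seg, size_t len)
{
    return tcp_checksum_ok(src, dst, seg, len) ? REPLY_RST : DROP_SILENT;
}
/* Constructed sample: SYN 192.0.2.1:12345 -> 192.0.2.2:80, checksum 0xdb54. */
static const uint8_t SRC[4] = {192, 0, 2, 1}, DST[4] = {192, 0, 2, 2};
static const uint8_t SYN[20] = {0x30, 0x39, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
                                0x50, 0x02, 0x20, 0x00, 0xdb, 0x54, 0, 0};
int main(void)
{
    printf("valid SYN -> %d\n", reject_verdict(SRC, DST, SYN, sizeof SYN));
    return 0;
}
```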