Re: [fw-wiz] Variations of firewall ruleset bypass via FTP

From: Darren Reed (darrenr@reed.wattle.id.au)
Date: 10/12/02


From: Darren Reed <darrenr@reed.wattle.id.au>
To: "Paul D. Robertson" <proberts@patriot.net>
Date: Sat Oct 12 13:08:01 2002

I know you want this to die, but I've posed some more questions for you
to think about :)

In some email I received from Paul D. Robertson, sie wrote:
[...]
> In my mind, saying "Not vulnerable" and just relating that to the POC code
> is bad because it makes people think they're safe when they may not be, so
> if this is indeed the case, I think we'd all appreciate a more verbose
> clarification.

So what do you do ?
The last N versions since 1 Jan 2000 ?
Just test your current/latest version ?
Poll your userbase and check every version that's in use everywhere ?

As it happens, IPFilter was fixed before I got any information about
this at all from CERT. But that is of no help to anyone not running
the latest version. Then again, you need to be running a certain
make & model of ftpd before it's a problem as well.

> > Unfortunately the people behind security-officer for NetBSD have been
> > next to useless in this case and if you asked me, their largesse in
> > this case would be a good excuse to give them all the ass (it's not
> > a fun job, either.) FreeBSD has not been much better.
>
> Frankly, that's *why* we're looking to you. You're the #1 IPF authority-
> no matter what version *they* ship. If you need someone to generate
> pages of rants pointed at them, I'm obviously qualified ;)

Like I keep trying to say, if I don't get the right information then
there's not much I can do or say to provide the right help to people.
For whatever it's worth, I depend on them to provide me with information
that gets passed to them from CERT. What I guess I'm saying here is
that because I had no direct contact with anyone useful in this, looking
to me, now, is pointless. I kind of get the impression that IPfilter
may have been the only popular product that did have an issue and yet
you'd be forgiven for thinking it was a complete afterthought the way
some people acted. If there had been some sort of direct communication
between me and CERT/ICSA/Mikael before this week then maybe things would
have worked out better. CERT at least appears to have learnt a thing or
two from this.

[...]
> "I understand the class of attack, and I know IPF isn't vulnerable,
> because I've looked at what I'm doing and compared it to the partial ACK
> issue."
>
> "I understand the class of attack, and I know that I've fixed this in the
> current version of IPF, older versions are probably vulnerable, but I'm
> not saying that explicitly."
>
> "I ran the proof-of-concept code and it didn't work, so I'm going to say
> IPF isn't vulnerable until someone proves otherwise."

All of these.
It was hard enough to even compile the damn PoC code. Plus:

"It looked like the proof-of-concept code required a special agent on the
 inside and if that's the case then I cannot protect against that."

All in all, I think I'd rather try and make some sort of celestial
alignment happen than have to go through all that again.
From start to end, it's been one big f*cked experience.

Darren


