Re: [Full-Disclosure] A new TCP/IP blind data injection technique?

From: Michael Gale (michael_at_bluesuperman.com)
Date: 12/13/03

    To: full-disclosure@lists.netsys.com
    Date: Sat, 13 Dec 2003 08:40:37 -0700
    
    

    Well then .. I am happy that none of the firewalls I use accept or pass
    fragmented packets.

    Michael.

    On Sat, 13 Dec 2003 15:04:10 -0500
    Valdis.Kletnieks@vt.edu wrote:

    > On Sat, 13 Dec 2003 03:35:25 MST, Michael Gale
    > <michael@bluesuperman.com> said:
    >
    > > For example the BorderWare Firewall will not accept fragmented
    > > packets, they are working on a firewall function that when
    > > fragmented packets arrive. It will save the first piece plus all
    > > frags until the final one is received. Put the packet back together
    > > and do a sanity check of some sort. Then pass or drop the packet.
    >
    > So the problem is that the host may re-assemble a fragmented packet
    > with injected data in it.
    >
    > And we protect against it by.... you got it.. having the firewall
    > re-assemble the fragmented packet with injected data and then handing
    > the re-assembled full packet (with injected data) to the host.
    >
    > Whoops.
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
