Re: Checkpoint FW-1 and "ftp missing newline char" attack

From: Rob Hughes (rob_at_robhughes.com)
Date: 09/30/04


Date: Wed, 29 Sep 2004 18:18:43 -0500

Liam Dolan is alleged to have said in comp.security.firewalls:
 
> Checking SmartView Tracker says that the firewall rejected the data
> request due to an 'ftp missing newline char' attack, and subsequent
> packets get dropped because they're out of state.
>

Run cpstop.

Look for this section:

// Use this if you do not want the FW-1 module to insist on a newline at the
// end of the PORT command:
// #define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)
// #define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)

#define FTP_ENFORCE_NL

Change it to this:

// Use this if you do not want the FW-1 module to insist on a newline at the
// end of the PORT command:
#define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)
#define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)

//#define FTP_ENFORCE_NL

Run cpstart.

Install the policy.

Enjoy.

-- 
If at first you don't succeed, skydiving is not for you.
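The check the post is relaxing is easier to reason about when written out. The following is an added example (not code from the post, nor Check Point's own INSPECT code) that mimics what the FTP_ENFORCE_NL comment describes: a PORT command is only accepted when its line is terminated by a newline, and its argument is parsed into the RFC 959 h1,h2,h3,h4,p1,p2 form so the data-channel endpoint can be validated. The `enforce_newline` flag plays the role of defining or commenting out FTP_ENFORCE_NL; the sample lines are constructed.

```python
import re

# RFC 959 PORT argument: six decimal byte values h1,h2,h3,h4,p1,p2.
PORT_RE = re.compile(
    rb"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$",
    re.IGNORECASE,
)


def check_port_command(line: bytes, enforce_newline: bool = True):
    """Classify one FTP control-channel line the way a strict inspector would.

    Returns (verdict, details):
      "accept"          - well-formed, terminated PORT command; details = (ip, port)
      "missing newline" - PORT command with no terminating newline (the case the
                          firewall in the thread logs as 'ftp missing newline char'
                          while FTP_ENFORCE_NL is defined)
      "malformed"       - PORT argument is not six decimal bytes in range
      "not port"        - any other command, not inspected here
    enforce_newline=False models commenting out FTP_ENFORCE_NL (assumption: the
    relaxed mode still parses the argument, it just tolerates the missing newline).
    """
    terminated = line.endswith(b"\n")          # CRLF or bare LF both count
    body = line.rstrip(b"\r\n")
    if not body.upper().startswith(b"PORT"):
        return ("not port", None)
    if enforce_newline and not terminated:
        return ("missing newline", None)
    m = PORT_RE.match(body)
    if not m:
        return ("malformed", None)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):           # regex allows up to 999 per field
        return ("malformed", None)
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]         # p1*256 + p2 per RFC 959
    return ("accept", (ip, port))


if __name__ == "__main__":
    # Constructed sample lines, including the unterminated one that triggers the log entry.
    samples = [
        b"USER anonymous\r\n",
        b"PORT 192,168,1,10,4,1\r\n",
        b"PORT 192,168,1,10,4,1",
        b"PORT 192,168,1,10,300,1\r\n",
    ]
    for s in samples:
        print(repr(s), "strict:", check_port_command(s), "relaxed:", check_port_command(s, False))
```

Running it shows the same unterminated PORT line rejected in strict mode and accepted in relaxed mode, which is exactly the trade-off the edit above makes: the client starts working, but the inspector no longer requires a complete command line before opening the data connection.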