Subject: Re: FireWall-1 FTP Server Vulnerability
From: Alexandru Popa (razorLDC.RO)
Date: Mon Feb 14 2000 - 14:09:35 CST


On Sat, 12 Feb 2000 Lars.TroenMERKANTILDATA.NO wrote:

> -----Original Message-----
> From: Check Point Support [mailto:cpsupports.checkpoint.com]
> Sent: 12. februar 2000 06:01
> To: fw-1-mailinglistlists.us.checkpoint.com
> Subject: [FW1] Check Point News Announcement
>
[snip]
> - For those using stateful inspection of passive FTP, the following patch
> has been supplied.
>
> Patch:
> The patch consists of a new $FWDIR/lib/base.def file that includes a fix to
> the problem (the file is compatible with Firewall-1 4.0 SP-5, other
> platforms will be released as soon as possible). The fix involves an
> enforcement on the existence of the newline character at the end of each
> packet on the FTP control connection, this will close off the described
> vulnerability.
[snip]

This would work fine, except that, provided someone could create a
directory named (C-syntax) "mtu-padding\r\n227 evil message\r\n" AND
change to that dir, a "PWD" would probably happily spit out the message,
in a very correct form.

Disclaimer: I am no FTP protocol expert, so the dir-making and
CWD-ing above might not work. This might also not work if the server
quotes its output properly.

------------+------------------------------------------
Alex Popa, |There never was a good war or a bad peace
razorldc.ro| -- B. Franklin
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
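An added example, not from the original post and not Check Point's actual base.def logic: a toy Python model of a control-channel inspector that compares the quoted patch's trailing-newline rule with a stricter stateful, single-line rule, run over constructed replies including the embedded-CRLF PWD reply described above. The function names, the regex and the sample replies are assumptions made for illustration.

```python
import re

# Matches a single-line 227 PASV reply and captures h1,h2,h3,h4,p1,p2.
PASV_RE = re.compile(
    r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def pasv_port(line: str):
    """Return (host, port) if `line` is a 227 PASV reply, else None."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def patched_check(packet: bytes):
    """Simplified model of the rule in the quoted announcement (an assumption,
    not Check Point's real implementation): the control-channel packet must
    end in a newline; any line in it that parses as a 227 reply is honored."""
    if not packet.endswith(b"\n"):
        return None
    for line in packet.decode("latin-1").split("\r\n"):
        hit = pasv_port(line)
        if hit:
            return hit
    return None


def strict_check(packet: bytes, last_client_cmd: str):
    """Stricter, stateful rule: honor a 227 reply only when the client's last
    command was PASV and the packet is exactly one CRLF-terminated line.
    A 227 smuggled inside a 257 PWD reply therefore never opens a port."""
    if last_client_cmd.strip().upper() != "PASV" or not packet.endswith(b"\r\n"):
        return None
    first, _, rest = packet.decode("latin-1").partition("\r\n")
    if rest:  # anything after the first CRLF means more than one line
        return None
    return pasv_port(first)


# Constructed sample server replies (not captured traffic).
GENUINE_PASV = b"227 Entering Passive Mode (192,0,2,10,4,1)\r\n"
# A 257 PWD reply whose directory name carries the embedded CRLF and fake
# 227 line from the post above; it ends in a newline, so the trailing-newline
# rule alone still parses the smuggled 227 line.
SMUGGLED_PWD = (b'257 "/mtu-padding\r\n'
                b'227 evil message (192,0,2,10,7,208)\r\n"\r\n')

if __name__ == "__main__":
    print("patched:", patched_check(SMUGGLED_PWD))        # ('192.0.2.10', 2000)
    print("strict :", strict_check(SMUGGLED_PWD, "PWD"))  # None
    print("strict :", strict_check(GENUINE_PASV, "PASV")) # ('192.0.2.10', 1025)
```

As a detection heuristic, any 257 (or other non-227) reply that contains an embedded CR or LF is itself anomalous and worth logging, since a well-behaved server never emits one.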