Subject: Re: PIX DMZ Denial of Service - TCP Resets
From: Andrew Alston (andrewCITEC.NET)
Date: Wed Mar 22 2000 - 00:46:46 CST

Received from Darren Reed:

There have been many different ways in which it has been possible to
exercise this particular target, over the years. The general problem
here is that the PIX doesn't really provide connection security like
it should and if FW-1 is vulnerable to the same problem, then I should
be a millionaire (;-) by now.


Some interesting things to note...

Firewall-1 has an interesting method of handling resets: on receipt of a reset, it changes the state table timeout from 3600 seconds to 50 seconds, and if no data is received within 50 seconds it shuts down the connection. However, this opens up a very interesting possibility. (Thanks to some friends for these ideas.)

Let's think man in the middle here. If you can get man in the middle between a Firewall-1 and an external host that someone is connected to, then sniff the connection and wait for a valid reset. On receipt of a valid reset, assume that the external host has now closed down the connection; however, Firewall-1's state tables are still open for that host for 50 seconds. If you block the reset packet from going through, and then use the syn/ack sequencing that you have picked up from sniffing the said connection, you can stop that connection from closing and become the host that the Firewall-1 was talking to. You then just need to sniff the replies to your sends and continue sending with a modified source address to be the external host. At a minimum you then have 50 seconds to screw around with the host behind the Firewall-1; however, the moment you transmit through the state table as the other host, if the Firewall-1 sees it as a valid packet, the state table timeout resets to 50 seconds continually, so you actually have unlimited time to continue playing.

Of course this is just theory and I don't have a system to test it on, but any comments would be appreciated.


Andrew Alston
Citec Network Securities (Director)
Phone: +27 11 787 4241
Fax: +27 11 787 4259
Cell: +27 83 602 5370
Email: andrewcnsec.co.za
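The state-table timing the post describes (3600 s idle timeout, cut to 50 s on a RST, refreshed by every packet the firewall still accepts) as an added toy model, not code from the post or from either vendor. The `freeze_after_rst` switch and the post-RST alert log are assumptions for the model, showing how a timer that stops refreshing after a RST bounds the window and how post-RST traffic is the thing worth logging.

```python
"""Toy model of the timeout behaviour the post attributes to Firewall-1: an
established entry idles out after 3600 s, a RST shortens that to 50 s, and
each packet the firewall still accepts for the entry refreshes the timer.
Added illustration, not vendor code; 'freeze_after_rst' is an assumed
mitigation for the model, not documented product behaviour."""
from dataclasses import dataclass, field

ESTABLISHED_TIMEOUT = 3600  # seconds, as stated in the post
RESET_TIMEOUT = 50          # seconds, as stated in the post

@dataclass
class Entry:
    expires_at: float
    rst_seen: bool = False

@dataclass
class StateTable:
    freeze_after_rst: bool = False   # assumed mitigation: RST stops refreshes
    entries: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)   # post-RST traffic, for detection

    def open(self, key, now):
        self.entries[key] = Entry(expires_at=now + ESTABLISHED_TIMEOUT)

    def packet(self, key, now, rst=False):
        """Return True if forwarded, False if dropped (no live entry)."""
        e = self.entries.get(key)
        if e is None or now >= e.expires_at:
            self.entries.pop(key, None)
            return False
        if rst:
            e.rst_seen = True
            e.expires_at = now + RESET_TIMEOUT
        elif not e.rst_seen:
            e.expires_at = now + ESTABLISHED_TIMEOUT
        else:
            self.alerts.append((key, now))   # data after a RST: worth logging
            if not self.freeze_after_rst:
                e.expires_at = now + RESET_TIMEOUT   # the indefinite extension
        return True

def simulate(freeze_after_rst=False):
    """Constructed trace: RST at t=10, then data at 50, 90, 130 and 400."""
    key = ("10.0.0.5", 1025, "192.0.2.9", 80)   # constructed connection key
    fw = StateTable(freeze_after_rst=freeze_after_rst)
    fw.open(key, now=0)
    events = [(10, True), (50, False), (90, False), (130, False), (400, False)]
    decisions = [fw.packet(key, now=t, rst=rst) for t, rst in events]
    return decisions, len(fw.alerts)
```

With the refresh-on-every-packet policy the entry survives as long as packets keep arriving inside each 50 s window; with the frozen timer only the first post-RST packet gets through and the entry dies at t=60.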