Subject: Re: Firewall-1 Session Agent, DOS and password thief
From: gregory duchemin (c3rb3r@HOTMAIL.COM)
Date: Tue Aug 08 2000 - 09:51:36 CDT
- Next message: Matthew Kirkwood: "Re: sperl 5.00503 (and newer ;) exploit"
- Previous message: Andrew L . Davis: "Re: Dangerous Java/Netscape Security Hole"
- Maybe in reply to: gregory duchemin: "Firewall-1 Session Agent, DOS and password thief"
- Maybe reply: gregory duchemin: "Re: Firewall-1 Session Agent, DOS and password thief"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
It's OK, the weakness is still present when using Session Agent 4.1 with the "allow clear
passwords" option checked (typically for backward-compatibility mode with the
4.0 inspection module and below).
An IP wrapper is coded into the agent, and when another source IP is
caught, the user is prompted to accept or reject the request. Most users will
certainly accept, and if they don't, it should be trivial to spoof the firewall
IP on the corporate LAN, even in a switched environment, with an ARP game or ICMP
redirect.
If "Any IP address" is checked, things are worse.
A malicious user inside an internal network could use an nmap-like
scanner that looks for every open port 261 over the LAN and use Andrew
Danforth's perl script to exploit the flaw.
Spoofing an authorized user's IP and using their login/password, our intruder
should be almost invisible in the FW logs while accessing restricted services.
Every version of the agent is vulnerable (3.0 -> 4.1) on Win 9.x and NT.
======================
Gregory Duchemin
Security Consultant
c3rb3r@hotmail.com
> > 220 FW-1 fake session authentication
> > 331 User:
> > 331 *FireWall-1 p4ssw0rd pleazzz:
> > 200 User has now a clone, c3rb3r
> > 230 OK
>
>this was originally reported to BUGTRAQ two years ago, with an exploit.
>
> http://msgs.securepoint.com/cgi-bin/get/bugtraq/687/1.html
>
>-d.
>
>---
>http://www.monkey.org/~dugsong/
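The "ARP game" the post names as the way to take over the firewall's IP on a switched LAN leaves a trace a defender can watch for. As an added example that is not part of the original post, an arpwatch-style check over constructed tcpdump-like ARP reply lines flags the firewall IP moving to a new MAC and a single MAC answering for both the firewall and another host; the firewall IP 10.1.0.1, the MACs and the log lines are all made-up sample values.

```python
# Added example (not from the original post): arpwatch-style detection of a LAN
# host impersonating the firewall's IP, which is what a Session Agent on port
# 261 would then talk to instead of the real FireWall-1.
# Input lines are constructed to mimic `tcpdump -n arp` output (sample values).
import re
from collections import defaultdict

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# Constructed sample: 10.1.0.1 is the firewall, 10.1.0.57 an ordinary host that
# starts answering ARP for the firewall's address at 10:00:12.
SAMPLE_ARP_LOG = """\
10:00:01.1 ARP, Reply 10.1.0.1 is-at 00:a0:c9:11:22:33, length 28
10:00:02.5 ARP, Reply 10.1.0.57 is-at 00:50:56:aa:bb:cc, length 28
10:00:09.0 ARP, Reply 10.1.0.1 is-at 00:a0:c9:11:22:33, length 28
10:00:12.3 ARP, Reply 10.1.0.1 is-at 00:50:56:aa:bb:cc, length 28
10:00:12.9 ARP, Reply 10.1.0.1 is-at 00:50:56:aa:bb:cc, length 28
"""

def detect_arp_impersonation(log_text, protected_ips):
    """Return alert strings for (a) a protected IP (the firewall) whose MAC
    changes and (b) a MAC that answers for a protected IP and another IP."""
    protected = set(protected_ips)
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    alerts = []
    for line in log_text.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        previous = ip_to_mac.get(ip)
        if previous == mac:
            continue                      # stable binding, nothing new
        if ip in protected and previous is not None:
            alerts.append(f"{ts} {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        claimed = mac_to_ips[mac]
        if claimed & protected and len(claimed) > 1:
            alerts.append(f"{ts} {mac} answers for {sorted(claimed)}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_impersonation(SAMPLE_ARP_LOG, {"10.1.0.1"}):
        print("ALERT", alert)
```

On the sample it raises two alerts at 10:00:12.3: the firewall IP moving to a new MAC, and that MAC now owning both 10.1.0.1 and 10.1.0.57.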