Multiple Firewall Vendor FTP "ALG" Client Vulnerability

BID:1045

Info

Multiple Firewall Vendor FTP "ALG" Client Vulnerability

Bugtraq ID: 1045
Class: Configuration Error
CVE:
Remote: Yes
Local: No
Published: Mar 10 2000 12:00AM
Updated: Mar 10 2000 12:00AM
Credit: This vulnerability was posted to the Bugtraq mailing list by Mikael Olsson <[email protected]> An exploit for this vulnerability was made available by Dug Song <[email protected]>
Vulnerable: Cisco PIX Firewall 5.1
+ Cisco PIX Firewall 515
+ Cisco PIX Firewall 520
Cisco PIX Firewall 5.0
+ Cisco PIX Firewall 515
+ Cisco PIX Firewall 520
Cisco PIX Firewall 4.4 (4)
Cisco PIX Firewall 4.3
Cisco PIX Firewall 4.2.2
Cisco PIX Firewall 4.2.1
Cisco PIX Firewall 4.1.6 b
Cisco PIX Firewall 4.1.6
Check Point Software Firewall-1 4.0
Check Point Software Firewall-1 3.0
Not Vulnerable:

Discussion

Multiple Firewall Vendor FTP "ALG" Client Vulnerability

A vulnerability exists in the handling of certain rules on many firewalls, that may allow users outside of the firewall to gain limited access to areas behind firewalls. Whereas previous descriptions of attacks of this style were server based, it is also possible to use client based programs to exploit these problems.

By sending, for instance, an email which contains a tag such as the following: <img src="ftp://ftp.rooted.com/aaaa[lots of A]aaaPORT 1,2,3,4,0,139">

By balancing the number of A's so the PORT command begins on a new boundry, the firewall will incorrectly parse the resulting RETR /aaaaaaaa[....]aaaaaPORT 1,2,3,4,0,139 as first a RETR and then PORT command, and open port 139 to the origin address. This would allow the server site to connect to port 139 on the client. Any port could be used in place of 139, unless the firewall blocks "known server ports."

Versions of Firewall-1 4.1 and prior are believed vulnerable. Versions of Cisco PIX, up to and including current 5.0(1) are believed vulnerable.

Exploit / POC

Multiple Firewall Vendor FTP "ALG" Client Vulnerability

An exploit has been made available.

Solution / Fix

Multiple Firewall Vendor FTP "ALG" Client Vulnerability

Solution:
Checkpoint has suggested taking one of the following actions in response to the problem outlined:

o Only allow outbound FTP to trusted servers by constraining the rule base, specifically the destination machine(s). For example: " localnets trusted_ftp_sites ftp accept".

o Disallow outbound FTP through Port 21 and force all FTPs to occur via HTTP. For FireWall-1 users, this forces browser FTP traffic to the HTTP Security Server which disallows embedded non-printable characters in the URL. To implement, administrators need to set a browser's HTTP proxy to be the FireWall-1 system and create a HTTP resource rule that allows outbound connectivity. This approach blocks general outbound non-PASV FTP.

o Disallow non-PASV FTP. This can be accomplished in one of two ways: unchecking the "Enable FTP Port Command Processing" in the Services Tab of the Properties item; or use the FTP Security Server and configure to not pass PORT commands (the Properties setting takes precedence over the Security Server, in cases of conflicting settings). Note: either of these two settings disables non-PASV FTP in either direction, Check Point hopes to lift this bi-directionality restriction in a subsequent service pack.

o Weeding "ftp://" and PORT references out of all HTTP and SMTP data streams. This will eliminate the two most likely sources for clients to receive malicious HTML code. This does not eliminate hostile applets, but FireWall-1 does support stripping ActiveX and Java that can also be applied to HTTP traffic. Please note, this weeding will not work against encrypted or special encoded HTTP or SMTP datastreams. The ability to perform weeding of FTP and PORT references within HTTP and SMTP data stream was delivered in Service Pack 6 of FireWall-1 4.0 and in Hot Fix 1 of FireWall-1 4.1 Service Pack 1. For implementation documention, please consult the Service Pack or Hot Fix release notes.


Check Point Software Firewall-1 4.0

References

Multiple Firewall Vendor FTP "ALG" Client Vulnerability

References:
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report