Multiple Firewall Vendor FTP "ALG" Client Vulnerability
BID:1045
Info
Multiple Firewall Vendor FTP "ALG" Client Vulnerability
| Bugtraq ID: | 1045 |
| Class: | Configuration Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 10 2000 12:00AM |
| Updated: | Mar 10 2000 12:00AM |
| Credit: | This vulnerability was posted to the Bugtraq mailing list by Mikael Olsson <[email protected]> An exploit for this vulnerability was made available by Dug Song <[email protected]> |
| Vulnerable: |
Cisco PIX Firewall 5.1 Cisco PIX Firewall 5.0 Cisco PIX Firewall 4.4 (4) Cisco PIX Firewall 4.3 Cisco PIX Firewall 4.2.2 Cisco PIX Firewall 4.2.1 Cisco PIX Firewall 4.1.6 b Cisco PIX Firewall 4.1.6 Check Point Software Firewall-1 4.0 Check Point Software Firewall-1 3.0 |
| Not Vulnerable: | |
Discussion
Multiple Firewall Vendor FTP "ALG" Client Vulnerability
A vulnerability exists in the handling of certain rules on many firewalls, that may allow users outside of the firewall to gain limited access to areas behind firewalls. Whereas previous descriptions of attacks of this style were server based, it is also possible to use client based programs to exploit these problems.
By sending, for instance, an email which contains a tag such as the following: <img src="ftp://ftp.rooted.com/aaaa[lots of A]aaaPORT 1,2,3,4,0,139">
By balancing the number of A's so the PORT command begins on a new boundry, the firewall will incorrectly parse the resulting RETR /aaaaaaaa[....]aaaaaPORT 1,2,3,4,0,139 as first a RETR and then PORT command, and open port 139 to the origin address. This would allow the server site to connect to port 139 on the client. Any port could be used in place of 139, unless the firewall blocks "known server ports."
Versions of Firewall-1 4.1 and prior are believed vulnerable. Versions of Cisco PIX, up to and including current 5.0(1) are believed vulnerable.
A vulnerability exists in the handling of certain rules on many firewalls, that may allow users outside of the firewall to gain limited access to areas behind firewalls. Whereas previous descriptions of attacks of this style were server based, it is also possible to use client based programs to exploit these problems.
By sending, for instance, an email which contains a tag such as the following: <img src="ftp://ftp.rooted.com/aaaa[lots of A]aaaPORT 1,2,3,4,0,139">
By balancing the number of A's so the PORT command begins on a new boundry, the firewall will incorrectly parse the resulting RETR /aaaaaaaa[....]aaaaaPORT 1,2,3,4,0,139 as first a RETR and then PORT command, and open port 139 to the origin address. This would allow the server site to connect to port 139 on the client. Any port could be used in place of 139, unless the firewall blocks "known server ports."
Versions of Firewall-1 4.1 and prior are believed vulnerable. Versions of Cisco PIX, up to and including current 5.0(1) are believed vulnerable.
Exploit / POC
Multiple Firewall Vendor FTP "ALG" Client Vulnerability
An exploit has been made available.
An exploit has been made available.
Solution / Fix
Multiple Firewall Vendor FTP "ALG" Client Vulnerability
Solution:
Checkpoint has suggested taking one of the following actions in response to the problem outlined:
o Only allow outbound FTP to trusted servers by constraining the rule base, specifically the destination machine(s). For example: " localnets trusted_ftp_sites ftp accept".
o Disallow outbound FTP through Port 21 and force all FTPs to occur via HTTP. For FireWall-1 users, this forces browser FTP traffic to the HTTP Security Server which disallows embedded non-printable characters in the URL. To implement, administrators need to set a browser's HTTP proxy to be the FireWall-1 system and create a HTTP resource rule that allows outbound connectivity. This approach blocks general outbound non-PASV FTP.
o Disallow non-PASV FTP. This can be accomplished in one of two ways: unchecking the "Enable FTP Port Command Processing" in the Services Tab of the Properties item; or use the FTP Security Server and configure to not pass PORT commands (the Properties setting takes precedence over the Security Server, in cases of conflicting settings). Note: either of these two settings disables non-PASV FTP in either direction, Check Point hopes to lift this bi-directionality restriction in a subsequent service pack.
o Weeding "ftp://" and PORT references out of all HTTP and SMTP data streams. This will eliminate the two most likely sources for clients to receive malicious HTML code. This does not eliminate hostile applets, but FireWall-1 does support stripping ActiveX and Java that can also be applied to HTTP traffic. Please note, this weeding will not work against encrypted or special encoded HTTP or SMTP datastreams. The ability to perform weeding of FTP and PORT references within HTTP and SMTP data stream was delivered in Service Pack 6 of FireWall-1 4.0 and in Hot Fix 1 of FireWall-1 4.1 Service Pack 1. For implementation documention, please consult the Service Pack or Hot Fix release notes.
Check Point Software Firewall-1 4.0
Solution:
Checkpoint has suggested taking one of the following actions in response to the problem outlined:
o Only allow outbound FTP to trusted servers by constraining the rule base, specifically the destination machine(s). For example: " localnets trusted_ftp_sites ftp accept".
o Disallow outbound FTP through Port 21 and force all FTPs to occur via HTTP. For FireWall-1 users, this forces browser FTP traffic to the HTTP Security Server which disallows embedded non-printable characters in the URL. To implement, administrators need to set a browser's HTTP proxy to be the FireWall-1 system and create a HTTP resource rule that allows outbound connectivity. This approach blocks general outbound non-PASV FTP.
o Disallow non-PASV FTP. This can be accomplished in one of two ways: unchecking the "Enable FTP Port Command Processing" in the Services Tab of the Properties item; or use the FTP Security Server and configure to not pass PORT commands (the Properties setting takes precedence over the Security Server, in cases of conflicting settings). Note: either of these two settings disables non-PASV FTP in either direction, Check Point hopes to lift this bi-directionality restriction in a subsequent service pack.
o Weeding "ftp://" and PORT references out of all HTTP and SMTP data streams. This will eliminate the two most likely sources for clients to receive malicious HTML code. This does not eliminate hostile applets, but FireWall-1 does support stripping ActiveX and Java that can also be applied to HTTP traffic. Please note, this weeding will not work against encrypted or special encoded HTTP or SMTP datastreams. The ability to perform weeding of FTP and PORT references within HTTP and SMTP data stream was delivered in Service Pack 6 of FireWall-1 4.0 and in Hot Fix 1 of FireWall-1 4.1 Service Pack 1. For implementation documention, please consult the Service Pack or Hot Fix release notes.
Check Point Software Firewall-1 4.0
-
Check Point Software SP6
http://www.checkpoint.com
References
Multiple Firewall Vendor FTP "ALG" Client Vulnerability
References:
References: