Re: Simple DOS attack on FW-1

From: Olaf Selke (Olaf.Selkeat_private)
Date: Sun Aug 01 1999 - 13:42:01 PDT

    According to Lance Spitzner:
    > Any malicious black-hat or disgruntled employee can fill
    > your connections table.  Many organizations allow all
    > outbound traffic.  Someone can simply scan a non-existent
    > target outbound and fill the connections table.  They
    > even can be sneaky about it and use nmap with the '-D'
    > option, so someone else gets blamed for the scanning activity.
    >
    > The main reason I consider this 'exploit' dangerous, is not only
    > is it easy for any black-hat to do, but it is very easy for you
    
    Unfortunately there is an easy way to exploit this from the
    outside. By default each FireWall-1 accepts connections to its
    own port 256/tcp from the entire Internet. This feature can be
    turned off in the gui's control properties but usually it isn't:
    
    Taken from Phoneboy's FAQ, http://www.phoneboy.com/
    
    TCP Port 256 is used for three important things:
    - Exchange of CA and DH keys in FWZ and SKIP encryption
      between two FireWall-1 Management Consoles
    - A SecuRemote Client uses this port to fetch the network topology
      and encryption key from a FireWall-1 Management Console
    - When installing a policy, the management console uses this port
      to push the policy to the remote firewall.
    
    This means a misguided individual may trash the FireWall-1 connection
    table even from the outside by sending SYN packets to the firewall's port
    256/tcp with random addresses as source. The firewall will reply with
    SYN|ACK packets to these non-existent addresses, placing these
    connections in its state table.
    
    I've tested this with the most recent FireWall-1 Version 4.0 Build 4064 [VPN + DES]
    on Sun Solaris 2.6 and some pretty old Linux-based synflood tool published
    in the Phrack magazine two years ago.
    
    Olaf
    --
    Olaf Selke, olaf.selkeat_private, voice +49 5241 80-7069
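Added example, not part of Olaf's post and not FireWall-1 code: a small Python model of a stateful connection table receiving the spoofed-source SYN stream described above, with a detector that flags a destination port whose half-open entries pile up. The half-open timeout, the addresses and the packet records are constructed assumptions.

```python
"""Model of a stateful firewall connection table under a SYN flood to a
listening port (here 256/tcp), plus a half-open build-up detector."""
from collections import defaultdict

SYN_TIMEOUT = 60.0  # assumed lifetime of a half-open entry; not FW-1's real value


class ConnTable:
    def __init__(self, syn_timeout=SYN_TIMEOUT):
        self.syn_timeout = syn_timeout
        self.entries = {}  # (src, sport, dst, dport) -> (state, last_seen)

    def expire(self, now):
        """Drop half-open entries older than the timeout (completed ones stay)."""
        stale = [k for k, (state, seen) in self.entries.items()
                 if state == "SYN_RECV" and now - seen > self.syn_timeout]
        for k in stale:
            del self.entries[k]

    def observe(self, pkt):
        """pkt: dict with ts, src, sport, dst, dport and a set of TCP flags."""
        self.expire(pkt["ts"])
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
            self.entries[key] = ("SYN_RECV", pkt["ts"])   # SYN|ACK sent, waiting
        elif "ACK" in pkt["flags"] and key in self.entries:
            self.entries[key] = ("ESTABLISHED", pkt["ts"])  # handshake completed

    def half_open_by_port(self):
        counts = defaultdict(int)
        for (_, _, _, dport), (state, _) in self.entries.items():
            if state == "SYN_RECV":
                counts[dport] += 1
        return dict(counts)


def flag_syn_flood(table, threshold=100):
    """Destination ports whose half-open entries exceed the threshold."""
    return sorted(p for p, n in table.half_open_by_port().items() if n > threshold)


def run_demo():
    """Feed constructed traffic: one real client plus 500 spoofed, never-completed SYNs."""
    fw = "192.0.2.1"
    table = ConnTable()
    table.observe(dict(ts=0.0, src="10.0.0.5", sport=40000, dst=fw, dport=256, flags={"SYN"}))
    table.observe(dict(ts=0.1, src="10.0.0.5", sport=40000, dst=fw, dport=256, flags={"ACK"}))
    for i in range(500):  # constructed spoofed sources: no host exists to answer SYN|ACK
        table.observe(dict(ts=1.0 + i * 0.001, src=f"198.51.100.{i % 256}",
                           sport=1024 + i, dst=fw, dport=256, flags={"SYN"}))
    return table
```

Each spoofed SYN occupies a table slot until the half-open timeout fires, which is why the burst alone, with no completed handshakes, is enough to fill the table.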
    