Bugtraq mailing list archives
Re: Possible security hole
From: robert.stahlbrand () AC SALCOM SE (Robert Ståhlbrand)
Date: Tue, 13 Apr 1999 14:41:23 +0200
As a reseller of FW-1 I think I should add something to this discussion. It is indeed possible to do something bad during this time. You have about 10 seconds when the FW-1 answers ping, and if you portscan for something that you know is open on the machine (of course, a correctly configured FW-1 has no services available) you will see that you can reach this service for about 2-3 seconds.

I tried to delay the FW-1 so that we could have some more time than just 2-3 seconds with a combination of a ping- and fragmentation-flood, and yes, I got more time: about 20-30 seconds. During this time the machine is very slow, but I succeeded in doing something "bad" in this time since I mapped the C: drive, which is shared by default on NT. What I could have done more was to replace the binary for the rule-set with an "any any any accept" rule-base, and NOW we've done something bad! I also tried to route packets through the FW-1 during this period but did not succeed.

It's not very hard to write a program in, for example, perl to do all the above automatically. You have to know the login name for administrator and the password, of course, so we have to have that first. What we also want is to be able to reboot the FW-1/NT server remotely with some kind of DoS attack, but this is indeed possible when running on NT. No details here, but there are problems in NT that cause the machine to BSoD. I'm pretty sure that someone soon will post something about this issue 8-).

I've recently been in touch with Checkpoint regarding this issue and their answer is that they cannot control this because of the underlying operating system. What they can control is IP Forwarding (thank god).

So what do we learn?

1) Don't run FW-1 on NT.
2) If you do it anyway, be very careful with the configuration and strip it of every service not needed!!!!!!

Cheers,
Robert Ståhlbrand, Salcom AB

Cristiano Lincoln Mattos wrote:
> Quoting Christoforos Karatzinis <chka () SOLUTIONS IE>:
> > The first 25 packets were lost before the interface's initialization. The packets with sequence number greater than 34 are dropped by the firewall. What about the packets with sequence number 25-34? Is it possible that someone can use this time (after the interface's initialization and before the firewall's initialization) to do something bad?
> >
> > Regards, Christofer
>
> Hi,
> The FW1 documentation clearly states that there is a small delay after the interface initializes and the FW starts acting on it. It is possible to do something "bad" to it in this period...
>
> Regards,
> Cristiano Lincoln Mattos
> Recife / Brazil