Bugtraq mailing list archives
Bypassing IP filters in Bordermanager 3.5
From: roy.karlsbakk () A-TEAM NO (Roy Sigurd Karlsbakk)
Date: Wed, 15 Mar 2000 13:11:59 +0100
After having sent this to Novell (dated 8 Feb 2000) and still missing the answer, I find it appropriate to post this here:

Problem:
In a recent security check/penetration test at a quite large customer in the Oslo area, I was able to bypass the IP filter in BorderManager 3.5 and ping any host behind it. Although being able to solely ping through isn't a huge problem, I fear the security hole can be dug larger. The interface on "my" side of the firewall had one filter rule: "DENY ANY:ANY"

How:
After several traditional TCP and UDP scans, I found no way to bypass it. After that, I tried fragmented SYN, NULL, FIN, ACK, and Xmas-tree scans, resulting in some strange error allowing me to ping any host behind the filter. The problem disappeared after an unload/reload of IPFLT.NLM. I was able to reproduce the problem, although it doesn't seem like it is dependent on a specific attack sequence. The result was IPFLT.NLM (or something related) eating a huge amount of memory, thereby crashing the server. After the server came up, I managed to reproduce this without crashing the server. I found no real pattern in what to do to break through - just stressing it enough seemed enough. Novell has since released a patch for the port 2000 DoS-like attack, but I haven't been able to test if this solves the leak problem.

Installation:
NetWare 5sp4
BorderManager 3.5sp1

Tools:
Linux 2.3.42 http://somewhere/
nmap 2.3 Beta 13 http://www.insecure.org/nmap/

Roy Sigurd Karlsbakk <roy.karlsbakk () a-team no>
A-Team Norge as
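A defender-side example added here, not part of Roy's post and not Novell's or nmap's code: a small classifier over a constructed packet log that tags the scan types the post names (NULL, FIN, Xmas, ACK and fragmented SYN) plus trailing IP fragments that carry no TCP header, so that a burst of this traffic towards a filtering interface can be picked out of logs and the filter's state re-verified afterwards (the post reports that only an unload/reload of IPFLT.NLM restored it). The Packet record, the addresses, the tag names and the threshold are all assumptions of this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as they appear in the TCP header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    """Minimal view of one logged IP packet (assumed field set for this example)."""
    src: str
    dst: str
    proto: int                  # 6 = TCP, 1 = ICMP
    frag_offset: int            # IP fragment offset, in 8-byte units
    more_frags: bool            # IP "more fragments" bit
    tcp_flags: Optional[int]    # None for fragments that carry no TCP header


# Flag combinations used by the scan types named in the post.
# A plain SYN is ordinary traffic; it is only interesting when fragmented.
SCAN_SIGNATURES = {
    0: "null-scan",
    FIN: "fin-scan",
    FIN | PSH | URG: "xmas-scan",
    ACK: "ack-scan",
    SYN: "syn-probe",
}


def classify(pkt: Packet) -> list[str]:
    """Return the tags that apply to one packet (empty list for normal traffic)."""
    tags: list[str] = []
    if pkt.proto != 6:
        return tags
    if pkt.frag_offset > 0:
        # Non-first fragment: no TCP header, so a stateless filter sees neither
        # ports nor flags. Worth counting on its own.
        tags.append("trailing-fragment")
        return tags
    fragmented = pkt.more_frags
    sig = SCAN_SIGNATURES.get(pkt.tcp_flags)
    if sig is not None and sig != "syn-probe":
        tags.append(sig)
    if fragmented:
        # First fragment of a fragmented TCP segment (fragmented SYN, FIN, ...).
        tags.append("fragmented-" + (sig or "tcp"))
    return tags


def scan_counts(packets: list[Packet]) -> dict[str, Counter]:
    """Per-source tally of scan tags; sources with no tags are omitted."""
    per_src: dict[str, Counter] = defaultdict(Counter)
    for p in packets:
        for tag in classify(p):
            per_src[p.src][tag] += 1
    return dict(per_src)


def noisy_sources(packets: list[Packet], threshold: int) -> list[str]:
    """Sources whose tagged packet count reaches the threshold, sorted."""
    return sorted(src for src, c in scan_counts(packets).items()
                  if sum(c.values()) >= threshold)


# Constructed sample log: one ordinary client and one host running the scan
# types the post describes against a filtered address.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", 6, 0, False, SYN),             # normal connect
    Packet("10.0.0.5", "192.0.2.10", 6, 0, False, ACK | PSH),       # normal data
    Packet("10.0.0.9", "192.0.2.10", 6, 0, False, 0),               # NULL scan
    Packet("10.0.0.9", "192.0.2.10", 6, 0, False, FIN | PSH | URG), # Xmas scan
    Packet("10.0.0.9", "192.0.2.10", 6, 0, True, SYN),              # fragmented SYN, first frag
    Packet("10.0.0.9", "192.0.2.10", 6, 3, False, None),            # its trailing fragment
    Packet("10.0.0.9", "192.0.2.10", 6, 0, True, FIN),              # fragmented FIN, first frag
    Packet("10.0.0.9", "192.0.2.10", 6, 3, False, None),            # its trailing fragment
    Packet("10.0.0.9", "192.0.2.10", 6, 0, False, ACK),             # ACK scan
    Packet("10.0.0.9", "192.0.2.10", 1, 0, False, None),            # ICMP, not classified
]

if __name__ == "__main__":
    for src, counts in scan_counts(SAMPLE).items():
        print(src, dict(counts))
    print("sources to review:", noisy_sources(SAMPLE, 5))
```

The usable signal here is the per-source mix: ordinary clients produce no tags at all, while a scanner produces several distinct tags within a short window. When a source crosses the threshold, the operational follow-up in the spirit of the post is to confirm that the filter is still enforcing its deny rule (for example by checking that a probe from the untrusted side is still dropped) rather than to assume the rule set alone is sufficient.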