Bugtraq mailing list archives

Bypassing IP filters in Bordermanager 3.5


From: roy.karlsbakk () A-TEAM NO (Roy Sigurd Karlsbakk)
Date: Wed, 15 Mar 2000 13:11:59 +0100


After having sent this to Novell (dated 8. Feb 2000) and still missing the
answer, I find it appropriate to post this here:

Problem:
In a recent security check/penetration test at a quite large customer in the
Oslo area, I was able to bypass the IP-filter in BorderManager 3.5 and ping
any host behind it. Although being able to solely ping through isn't a huge
problem, I fear the security hole can be dug larger. The interface on
"my" side of the firewall had one filter rule: "DENY ANY:ANY"

How:
After several traditional TCP and UDP scans, I found no way to bypass it.
After that, I tried fragmented SYN, NUL, FIN, ACK, and Xmas-tree scans
resulting in some strange error allowing me to ping any host behind the
filter. The problem disappeared after an unload/reload of IPFLT.NLM. I was
able to reproduce the problem, although it doesn't seem like it is dependent
on a specific attack sequence. The result was IPFLT.NLM (or something
related) eating a huge amount of memory, thereby crashing the server.

After the server came up, I managed to reproduce this without crashing the
server. I found no real pattern in what to do to break through - just
stressing it enough seemed enough.

Novell has later released a patch towards the port 2000 DoS-like attack, but
I haven't been able to test if this solves the leak problem.

Installation:
  NetWare 5sp4
  BorderManager 3.5sp1
Tools:
  Linux 2.3.42          http://somewhere/
  nmap 2.3 Beta 13      http://www.insecure.org/nmap/

Roy Sigurd Karlsbakk <roy.karlsbakk () a-team no>
A-Team Norge as
