Bugtraq mailing list archives
Addendum to Firewall-1 FTP Server Vulnerability
From: paul () MOQUIJO COM (Paul Cardon)
Date: Tue, 29 Feb 2000 22:18:41 -0500
What follows is a clarification of a statement in the advisory by John McDonald and Thomas Lopatic which can be retrieved in its entirety from the BUGTRAQ archive: 38A1B3D9.9D16EBAE () dataprotect com">http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-8&thread=38A1B3D9.9D16EBAE () dataprotect com</A> Here is the relevant portion: "FireWall-1 monitors the packets sent from the FTP server to the client, looking for the string "227 " at the beginning of each packet. Upon a match, FireWall-1 will extract the destination IP address and the destination port given in the packet payload, verify that the specified IP address corresponds to the source address of the packet, and allow an incoming TCP connection through the firewall according to the destination IP address and the destination port extracted from the datagram." It then goes on to describe some restrictions on this TCP connection one of which is that "it cannot be to a port that is listed in FireWall-1's list of well-known TCP services." This is true of the default inspect code in the base.defs file. It really depends on the definition of the NOTSERVER_TCP_PORT macro. If the macro is modified the behavior changes. This is the reason for the difference between v3.0 and v4.x that is mentioned in the original advisory. See http://www.phoneboy.com/fw1/faq/0106.html for discussion of a change to NOTSERVER_TCP_PORT that removes the restriction on ports that are in FW-1's list of TCP services and as a result only restricts ports <1024. A Nokia machine running FW-1 4.0 with a base.defs modified according to the phoneboy FAQ item listed above has been tested and a connection can be made to any port *not matched* by the NOTSERVER_TCP_PORT macro. -paul
Current thread:
- Addendum to Firewall-1 FTP Server Vulnerability Paul Cardon (Feb 29)
- How to Write Secure Code B Potter (Mar 01)
- Re: Addendum to Firewall-1 FTP Server Vulnerability Jacek Lipkowski (Mar 02)
- Re: Addendum to Firewall-1 FTP Server Vulnerability Mikael Olsson (Mar 02)