Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: FireWall-1 FTP Server Vulnerability
From: razor () LDC RO (Alexandru Popa)
Date: Mon, 14 Feb 2000 22:09:35 +0200


On Sat, 12 Feb 2000 Lars.Troen () MERKANTILDATA NO wrote:

-----Original Message-----
From: Check Point Support [mailto:cpsuppor () ts checkpoint com]
Sent: 12. februar 2000 06:01
To: fw-1-mailinglist () lists us checkpoint com
Subject: [FW1] Check Point News Announcement

[snip]
- For those using stateful inspection of passive FTP, the following
patch
has been supplied.

Patch:
The patch consists of a new $FWDIR/lib/base.def file that includes a fix
to
the problem (the file is compatible with Firewall-1 4.0 SP-5, other
platforms will be released as soon as possible). The fix involves an
enforcement on the existence of the newline character at the end of each
packet on the FTP control connection, this will close off the described
vulnerability.
[snip]

This would work fine, except that, provided someone could create a
directory named (C-syntax) "mtu-padding\r\n227 evil message\r\n" AND
change to that dir, a "PWD" would probably happily spit out the message,
in a very correct form.

Disclaimer: I am no FTP protocol expert, so the dir-making and
CWD-ing above might not work.  This might also not work if the server
quotes its output properly.

------------+------------------------------------------
Alex Popa,  |There never was a good war or a bad peace
razor () ldc ro|                   -- B. Franklin
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]