Bypassing IP filters in Bordermanager 3.5
From: roy.karlsbakk () A-TEAM NO (Roy Sigurd Karlsbakk)
Date: Wed, 15 Mar 2000 13:11:59 +0100
After having sent this to Novell (dated 8. Feb 2000) and still missing the
answer, I find it appropriate to post this here:
In a recent security check/penetration test at a quite large customer in the
Oslo area, I was able to bypass the IP-filter in BorderManager 3.5 and ping
any host behind it. Although being able to solely ping through isn't a huge
problem, I fear the security hole can be dug larger. The interface on
"my" side of the firewall had one filter rule: "DENY ANY:ANY"
After several traditional TCP and UDP scans, I found no way to bypass it.
After that, I tried fragmented SYN, NUL, FIN, ACK, and Xmas-tree scans
resulting in some strange error allowing me to ping any host behind the
filter. The problem disappeared after a unload/reload of IPFLT.NLM. I was
able to reproduce the problem, although it doesn't seem like it is dependent
on a specific attack sequence. The result was IPFLT.NLM (or something
related) eating a huge amount of memory, thereby crashing the server.
After the server came up, I managed to reproduce this without crashing the
server. I found no real pattern in what to do to break through - just
stressing it enough seemed enough.
Novell has later released a patch towards the port 2000 DoS-like attack, but
I haven't been able to test if this solves the leak problem.
Linux 2.3.42 http://somewhere/
nmap 2.3 Beta 13 http://www.insecure.org/nmap/
Roy Sigurd Karlsbakk <roy.karlsbakk () a-team no>
A-Team Norge as
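The post describes two things a defender would want to notice: a burst of malformed probes (fragmented SYN, NULL, FIN, ACK and Xmas-tree packets) against an interface whose only rule is DENY ANY:ANY, and the filter then failing open and passing traffic it should drop. The script below is an added example, not part of the original post and not BorderManager or IPFLT.NLM code; it runs over a small set of constructed log lines in a hypothetical key=value format (the real product's log format is not given here and is assumed to differ). It classifies each TCP probe by flag combination and fragmentation, counts anomalous probes per source, and treats any "allow" on a deny-all interface as a fail-open event worth alerting on.

```python
import re
from collections import Counter
from typing import Dict, Iterator, List, Optional

# Constructed sample log lines in a hypothetical format (assumption: not the
# format BorderManager writes). One packet per line:
# <time> src=<ip> dst=<ip> proto=<tcp|icmp> flags=<TCP flag letters or -> frag=<0|1> action=<deny|allow>
SAMPLE_LOG = """\
13:10:01 src=10.0.0.5 dst=192.168.1.10 proto=tcp flags=S frag=1 action=deny
13:10:01 src=10.0.0.5 dst=192.168.1.10 proto=tcp flags=- frag=0 action=deny
13:10:02 src=10.0.0.5 dst=192.168.1.10 proto=tcp flags=F frag=0 action=deny
13:10:02 src=10.0.0.5 dst=192.168.1.10 proto=tcp flags=A frag=0 action=deny
13:10:03 src=10.0.0.5 dst=192.168.1.10 proto=tcp flags=FPU frag=0 action=deny
13:10:03 src=10.0.0.5 dst=192.168.1.10 proto=tcp flags=FPU frag=1 action=deny
13:10:04 src=10.0.0.7 dst=192.168.1.10 proto=tcp flags=S frag=0 action=deny
13:10:05 src=10.0.0.5 dst=192.168.1.10 proto=icmp flags=- frag=0 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"flags=(?P<flags>\S+) frag=(?P<frag>[01]) action=(?P<action>\S+)$"
)


def classify_flags(flags: str) -> Optional[str]:
    """Name the scan type a TCP flag combination resembles, or None for ordinary traffic.

    '-' means no flags set (a NULL probe); letters follow the usual S/A/F/P/U/R convention.
    """
    fset = set(flags) - {"-"}
    if not fset:
        return "null"            # no flags at all
    if fset == {"F"}:
        return "fin"             # bare FIN with no ACK
    if fset == {"A"}:
        return "ack"             # bare ACK, used to map filter rules
    if {"F", "P", "U"} <= fset:
        return "xmas"            # FIN+PSH+URG lit up together
    return None


def parse_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_anomalous_probe(event: Dict[str, str]) -> bool:
    """A TCP packet is anomalous if it is fragmented or carries a NULL/FIN/Xmas flag set."""
    if event["proto"] != "tcp":
        return False
    if event["frag"] == "1":
        return True
    return classify_flags(event["flags"]) in {"null", "fin", "xmas"}


def analyze(text: str, threshold: int = 4) -> Dict[str, object]:
    """Summarise a log excerpt for an interface whose policy is DENY ANY:ANY.

    Returns the per-source count of anomalous probes, the sources at or above
    `threshold` (likely scanners stressing the filter), and every packet the
    filter allowed, which on a deny-all interface is a fail-open indicator.
    """
    events: List[Dict[str, str]] = list(parse_log(text))
    odd_probes: Counter = Counter()
    for e in events:
        if is_anomalous_probe(e):
            odd_probes[e["src"]] += 1
    scanners = {src for src, n in odd_probes.items() if n >= threshold}
    fail_open = [e for e in events if e["action"] == "allow"]
    return {"odd_probes": odd_probes, "scanners": scanners, "fail_open": fail_open}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, n in report["odd_probes"].most_common():
        print(f"{src}: {n} anomalous probes")
    for e in report["fail_open"]:
        print(f"FAIL-OPEN: {e['proto']} {e['src']} -> {e['dst']} allowed at {e['time']}")
```

The important check is the last one: on an interface that should deny everything, a single allowed packet is a policy violation regardless of who sent it, and pairing that alert with a memory watch on the filter module gives early warning of the leak-then-fail-open sequence the post describes, before the server reaches the crash stage.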