
Re: PIX DMZ Denial of Service - TCP Resets
From: andrew () CITEC NET (Andrew Alston)
Date: Wed, 22 Mar 2000 08:46:46 +0200

Received from Darren Reed:

There have been many different ways in which it has been possible to
exercise this particular target, over the years.  The general problem
here is that the PIX doesn't really provide connection security like
it should and if FW-1 is vulnerable to the same problem, then I should
be a millionaire (;-) by now.


Some interesting things to note...

Firewall-1 has an interesting method of handling resets: on receipt of a
reset, it changes the state table timeout from 3600 seconds to 50 seconds;
if no data is received in 50 seconds it shuts down the connection.  However,
this now opens up a very interesting possibility.  (Thanks to some friends
for these ideas.)

Let's think man in the middle here: if you can man in the middle between a
firewall-1 and an external host that someone is connected to, then sniff the
connection and wait for a valid reset.  On receipt of a valid reset, assume
that the external host has now closed down the connection; however,
firewall-1's state tables are still open for that host for 50 seconds.  If
you block the reset packet from going through, and then use the syn/ack
sequencing that you have picked up from sniffing the said connection, you
can stop that connection from closing and become the host that the
firewall-1 was talking to.  You then just need to sniff the replies to your
sends, and continue sending with a modified source address to be the
external host.  At a minimum you then have 50 seconds to screw around with
the host behind the firewall-1; however, the moment you transmit through the
state table as the other host, if the firewall-1 sees it as a valid packet,
the state table timeout resets to 50 seconds continually, so you actually
have unlimited time to continue playing.

Of course this is just theory and I don't have a system to test it on, but
any comments would be appreciated.


Andrew Alston
Citec Network Securities (Director)
Phone: +27 11 787 4241
Fax: +27 11 787 4259
Cell: +27 83 602 5370
Email: andrew () cnsec co za
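As an added illustration (not part of this post, and not Check Point's code), the following Python models the state-table timeout behaviour the post describes for Firewall-1, with the refresh-after-reset policy beside an assumed hardened policy in which the 50-second window after a reset is a hard deadline that later packets cannot extend; it also records any data seen after a reset, which is the event a monitoring rule would want to log. The flow addresses and timestamps are constructed.

```python
"""Model of the Firewall-1 state-table timeouts the post describes (3600 s
established, 50 s once a RST is seen, refreshed by every accepted packet)
beside an assumed hardened policy where the post-RST 50 s is a hard deadline.
Constructed illustration, not Firewall-1 code."""
ESTABLISHED_TIMEOUT = 3600  # seconds, per the post
AFTER_RESET_TIMEOUT = 50    # seconds, per the post


class StateTable:
    def __init__(self, refresh_after_reset):
        # True reproduces the behaviour the post describes; False is the
        # assumed hardened policy: a RST starts a deadline no later packet extends.
        self.refresh_after_reset = refresh_after_reset
        self.entries = {}  # flow -> {"expires": t, "reset_seen": bool}
        self.alerts = []

    def open(self, flow, now):
        self.entries[flow] = {"expires": now + ESTABLISHED_TIMEOUT, "reset_seen": False}

    def is_open(self, flow, now):
        e = self.entries.get(flow)
        return e is not None and now < e["expires"]

    def observe(self, flow, now, rst=False):
        """Feed one packet the firewall accepted; return whether it passed."""
        if not self.is_open(flow, now):
            self.entries.pop(flow, None)   # entry timed out
            return False
        e = self.entries[flow]
        if rst:
            e["reset_seen"] = True
            e["expires"] = now + AFTER_RESET_TIMEOUT
        elif e["reset_seen"]:
            self.alerts.append((flow, now, "data after RST"))  # worth logging either way
            if self.refresh_after_reset:
                e["expires"] = now + AFTER_RESET_TIMEOUT
        else:
            e["expires"] = now + ESTABLISHED_TIMEOUT
        return True


def scenario(refresh_after_reset):
    """RST at t=10, data at t=55; report (flow still open at t=70?, alert count)."""
    flow = ("10.0.0.5", 40000, "203.0.113.7", 80)  # constructed addresses
    t = StateTable(refresh_after_reset)
    t.open(flow, now=0)
    t.observe(flow, now=10, rst=True)  # timeout drops from 3600 s to 50 s
    t.observe(flow, now=55)            # inside the 50 s window
    return t.is_open(flow, now=70), len(t.alerts)
```

With the refresh policy the entry is still open at t=70 even though the reset arrived at t=10; with the hard-deadline policy it is gone, and both variants raise the same "data after RST" alert.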
