mailing list archives
Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions
From: Andre Delafontaine <andre.delafontaine () ECHOSTAR COM>
Date: Wed, 27 Sep 2000 11:06:42 -0600
I have been thinking about this exact same problem lately.
The easiest way I can think of getting around this kind of setup would
be to get the server to download and execute some nasty code by having
it visit some website (JPEG header buffer overflow in Netscape?), view
some email (Outlook attachement handling problems?) or some similar
method of inderectly contacting the server.
Once the server executes the nasty code, have it discover the NAT'ed
protocols and initiate a connection through the firewall (data tunneling
through ICMP, http, DNS, ... See recent posts on BugTraq and on this
list) to some external host that would "remote control" the inside
You do say that your setup contains a server. Is that server available
from the Internet at all? Does it serve some protocol (http, ftp)? If
so, then the firewall is doing portforwarding and won't protect that
particular service from "good-looking" traffic, i.e. traffic that passes
Stateful Packet Inspection: how can SPI know that web sever X can't
support a get request with a filename longer than Y characters without
overflowing a buffer? If we knew about the vulnerability, it would be
fixed in the server itself.
This said, this setup does offer much better protection than no firewall
at all :-)
Just me 2c,
Last yeer I kudn't spel Engineer. Now I are won.
andre.delafontaine at echostar.com
F20 DSS: BD75 66D9 5B2C 66CE 9158 BB27 B199 59CE D117 4E9F
F16 RSA: F8 04 FE 50 02 B5 03 02 F6 87 C7 8D F9 2E B8 58