Vulnerability Development: Re: Linksys 4-port Router NAT/Firewall

[Ed Padin <epadin () WAGWEB COM>]

I have a friend using the Linksys router for RAS/PPOE on a bell atlantic DSL
connection. I scanned his with nmap and all tcp ports where closed and in
'stealth mode' so that no reponses where sent about closed ports. UDP was
another story. I was able to quickly scan the first 1448 ports with nmap and
got the following:

Interesting ports on  (X.X.X.X):
(The 1442 ports scanned but not shown below are in state: closed)
Port       State       Service
67/udp     open        bootps
69/udp     open        tftp
520/udp    open        route
1080/udp   open        socks <---- hmmm....
1083/udp   open        ansoft-lm-1
1084/udp   open        ansoft-lm-2


It didn't even throttle the ICMP port closed packets the way Solaris and
other unices do so nicely.

I'm not sure what's exploitable here and if anything really is listening..
It's so hard to tell with UDP. I tried using netcat to connect to each port
but could net get it to send me back any data. It could be that it just
doesn't send an ICMP port unreachble for these ports.



> -----Original Message-----
> From: Michael Wojcik [mailto:Michael.Wojcik () MERANT COM]
> Sent: Friday, August 25, 2000 11:56 AM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: Re: Linksys 4-port Router NAT/Firewall
>
>
> > -----Original Message-----
> > From: Larry D'Anna [mailto:larry () pink dhs org]
> > Sent: Thursday, August 24, 2000 7:32 PM
> > * Litscher, Steven (Steven.Litscher () OJA STATE WI US) [000824 20:08]:
> > > [using Linksys home router / NATting firewall w/ ZoneAlarm]
> > As Bruce Schneier would say, security is a process, not a product.
> One of the implications of this statement is that security aspects -
> including risks - change over time.
>
> > A firewall is one way to make life more difficult for an
> attacker, but it
> > doesn't guarantee security by any means.  What does the linksys do?
> > What does ZoneAlarm do?  If they are doing basicly the same things
> > (and I suspect they are) and neither of them has known
> vulnerabilities
> > then it probably doesn't matter which you use.
> I humbly submit that new vulnerabilities may be found in the
> future in one
> or the other product; hence it is probably best to continue using both.
> Checking for known vulnerabilities is a good idea, but a lack of them
> shouldn't be taken as evidence that no vulnerabilities exist.
>
> Of course, it's always possible that two security products in
> combination
> may be weaker than only one.  (Indeed, it's not even
> particularly unlikely.)
> My sense, from evaluating the particular combination I have,
> is that the
> whole set is stronger than any proper subset under my threat
> model, and that
> similarly Steven would be better off keeping ZoneAlarm, since
> he apparently
> already has it installed and working.
>
> > All I'm trying to say is that you shouldn't think of a
> firewall as being
> > "safe" or "unsafe" or "safe enough".  You should think of it in terms
> > the specific functionality it provides.
> True, but you should also consider whether overlapping
> functionality may
> help one product cover unexpected deficiencies in another, and
> whether their
> combination may produce an unexpected deficiency that does not
> exist in one
> or the other used separately.
>
> In general, I wouldn't advise retiring a level of protection
> merely because
> it seems redundant.  Just because I have a NATting firewall
> router doesn't
> mean I don't want to use tcp_wrappers to restrict incoming
> connections to my
> LAN.
>
> >  See the recent thread in
> > bugtraq about using brownorrifice to totally bypass almost any
> > firewall that lets web traffic through.
> This is an instance where a connection-monitoring utility like
> ZA might (I
> haven't tested it, nor researched the behavior of ZA and BrO
> sufficiently to
> make an educated guess) provide protection against an exploit
> that a NATting
> router would not handle.  Connector monitors are generally
> fairly good at
> detecting network activity by trojans; external firewalls
> cannot do this,
> except in the cases where trojan activity has a detectable
> signature in the
> traffic itself, which are relatively rare and easy for trojan
> authors to
> avoid.
>
> Michael Wojcik             michael.wojcik () merant com
> MERANT
> Department of English, Miami University