Re: FireWall-1 FTP Server Vulnerability

[Lars.Troen () MERKANTILDATA NO (Lars.Troen () MERKANTILDATA NO)]

-----Original Message-----
From: Check Point Support [mailto:cpsuppor () ts checkpoint com]
Sent: 12. februar 2000 06:01
To: fw-1-mailinglist () lists us checkpoint com
Subject: [FW1] Check Point News Announcement

News Announcement:
http://www.checkpoint.com/techsupport/alerts/pasvftp.html

It has been brought to Check Point's attention that a possible
vulnerability
exists in the control of PASV (passive) FTP connections through
FireWall-1.
This was developed in a lab environment and requires a specific set of
conditions to have existed, in order to suceed. Check Point has no
knowledge
of its being used against production environments.

Summary of vulnerability:
FireWall-1's parsing of the FTP control connection was manipulated via
MTU
such that a FTP server PASV port number, as processed by FireWall-1, was

associated with the port number of a service with a known security issue
(in
this case, ToolTalk port vulnerability on a un-patched Solaris 2.6
system).
This enabled the client to exploit the server's vulnerability (i.e., an
in.ftpd that returned client-controlled data in an error message and
running
a possibly unnecessary service: ToolTalk) to gain root access on the
machine. This vulnerability was reported to BugTrag on Wednesday,
February
9th by John MacDonald of DataProtect.

Minimizing the possible threat:
- Do not enable PASV FTP if not needed.
- Use the FTP Security Server or HTTP security server for PASV FTP
connections to internal FTP servers.
- Those running publicly accessible FTP servers should follow good host
security practices (e.g., not running additional, possibly unnecessary
and
vulnerable services, keeping up with OS and/or application patches).
- For those using stateful inspection of passive FTP, the following
patch
has been supplied.

Patch:
The patch consists of a new $FWDIR/lib/base.def file that includes a fix
to
the problem (the file is compatible with Firewall-1 4.0 SP-5, other
platforms will be released as soon as possible). The fix involves an
enforcement on the existence of the newline character at the end of each

packet on the FTP control connection, this will close off the described
vulnerability. It should be noted that this may cause connectivity
problems
(i.e., blocked FTP connections) in the following scenarios:

1. If FTP control messages larger than the MTU (e.g., large PWD) are
exchanged.
2. If some FTP clients/servers does not put newline at the end of the
line.
3. When passing FWZ encrypted traffic through an intermediate Firewall
gateway.
The enforcement can be easily disabled by commenting the following line
in
the base.def file (or by restoring the original base.def file):
#define FTP_ENFORCE_NL

Thank you,
Check Point Software Technical Services