Firewall Wizards mailing list archives
Simple demo
From: Rik Farrow <rik () spirit com>
Date: Fri, 28 Aug 1998 11:04:35 -0700 (MST)
John McDermott <jjm () jkintl com> may have written:
I agree here, too, which prompts a question: is there some (simple) attack I can use to demonstrate that SPFs in their current form(s) are (inherently) less secure than proxies? IOW I would like to set up a simple demo to show that the internal systems can be successfully attacked even with an SPF firewall in place.
You can do a nice demo using buffer overflow attacks. I tried this about a year ago, with the IMAP daemon running under Linux. It was possible to add a new root account by connecting to the IMAP daemon and sending it an overly long (about 1500 bytes), carefully crafted string as the login name/password. You can simulate this by using netcat to connect to port 143 of a vulnerable Linux system (these have all been patched, right?), and sending it about 2k of random data preceded by the string "* login ". If the IMAP daemon crashes, it was vulnerable.

Now for the test. Set up Checkpoint FW-1 (I tested V3.0) and Gauntlet (v 3.2), with the target host behind the firewall, and the firewall permitting access to the target host's vulnerable IMAP server. Gauntlet, the AG, truncates the long login string, but Checkpoint, being SPF, does not. IMAP core dumps (buffer overflows) when protected by Checkpoint.

The key thing here is that a properly written AG will guard against buffer overflow exploits by counting and only passing a 'reasonable' number of bytes to a server. SPF firewalls don't implement the application protocol, so are unaware of any potential buffer overflow. Of course, if all of your servers are correctly written, this is not a problem...

You can also do things such as set up netcat in server mode, listening to port 53 TCP, behind Checkpoint configured to permit all DNS traffic through. Using netcat in client mode outside the firewall, connect to the internal netcat server. PF, SPF, SMLI, and circuit relays such as SOCKS ignore the content and merrily pass along the packets. AGs 'notice' that the content is not DNS requests/responses and prevent this activity.

Food for thought.

Regards, Rik
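As an added illustration (not code from Rik's post or from either product), here is a small Python model of the two application-gateway checks the post describes: bounding and validating an IMAP client command line before it reaches the server, and checking that a TCP port-53 payload is structurally a DNS message rather than an arbitrary netcat session. The limit MAX_IMAP_LINE, the function names and the sample inputs are assumptions made for the example.

```python
import struct

# Assumed 'reasonable' size for one IMAP command line. Real gateways choose
# their own limit; the point is that a bound exists at all.
MAX_IMAP_LINE = 512


def imap_ag_verdict(line: bytes, limit: int = MAX_IMAP_LINE) -> str:
    """Model of an AG's per-line IMAP check; returns 'pass' or 'block'."""
    if len(line) > limit:
        return "block"                     # overlong line never reaches the daemon
    if not line.endswith(b"\r\n"):
        return "block"                     # IMAP commands are CRLF-terminated
    body = line[:-2]
    if any(b < 0x20 or b > 0x7E for b in body):
        return "block"                     # binary junk is not a command
    parts = body.split(b" ", 2)
    # RFC 3501: client commands start with a tag; '*' is reserved for
    # untagged server responses and is not a legal tag character.
    if len(parts) < 2 or not parts[0] or b"*" in parts[0]:
        return "block"
    return "pass"


def looks_like_dns_over_tcp(stream: bytes) -> bool:
    """Check that a TCP port-53 payload has DNS framing, header and question."""
    if len(stream) < 14:
        return False
    (msg_len,) = struct.unpack("!H", stream[:2])      # 2-byte TCP length prefix
    if msg_len < 12 or msg_len != len(stream) - 2:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", stream[2:14])
    opcode = (flags >> 11) & 0xF
    if opcode > 2 or qdcount != 1:                     # QUERY/IQUERY/STATUS, one question
        return False
    pos = 14                                            # walk the first QNAME's labels
    while pos < len(stream) and stream[pos] != 0:
        label_len = stream[pos]
        if label_len > 63 or pos + 1 + label_len > len(stream):
            return False
        pos += 1 + label_len
    return pos < len(stream) and len(stream) >= pos + 5  # root label + QTYPE + QCLASS


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample: a TCP-framed standard query for `name`."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg
```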