Firewall Wizards mailing list archives

Re: recent telnet vulnerability

From: ark () eltex ru
Date: Sat, 11 Aug 2001 16:21:12 +0400 (MSD)

nuqneH,

It does stop script kiddie's exploits, but is it really able to prevent the 
attack?

tn-gw (fwtk and old Gauntlet, don't have current source now) does stop
the _exploit_ too, because it does handle options sent while _initial_
handshake, but it does nothing with options sent later when session is
already estabilished (well, not actually nothing but nothing that can stop
the attacker).

YOU (Balazs Scheidler) WROTE:

 > Back to my original question, do we know any firewall that _does_protect_
 > (not _is_immune!_) this vulnerability?
 
 Although my test environment is was not complete, as it seems the Telnet
 proxy in the soon-to-be-released Zorp 1.0 stops the attack. Here's what I
 did:
 
 - downloaded exploit code from securityfocus.com (zp-exp-telnetd.c)
 - it didn't work on my telnetd, however caused a SIGSEGV (I should have
   changed offsets)
 - fired up Zorp with telnet proxy listening on port 2323 and forwarding
   requests to localhost:23, changed the exploit to connect to the proxy port
 - launched the attack, the SIGSEGV didn't occur, Zorp logs show that some
   negotiations were rejected by the proxy (it allows only the required
   negotiations for telnet to work by default, but this can be changed by
   the administrator)
 
 Zorp 1.0 is not yet released, a development version (0.9.1) can however be
 downloaded, but it doesn't contain this proxy module. It's not yet decided 
 whether the telnet proxy will be GPLd, or will only be available in the
 commercial version.


-- 
                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

Current thread:

Re: recent telnet vulnerability Chris Keladis (Aug 02)
- Re: recent telnet vulnerability m p (Aug 02)
  - Re: recent telnet vulnerability Jonas Eriksson (Aug 04)
- <Possible follow-ups>
- Re: recent telnet vulnerability ark (Aug 04)
  - Re: recent telnet vulnerability Balazs Scheidler (Aug 11)
    - Re: recent telnet vulnerability ark (Aug 11)
    - Re: recent telnet vulnerability Balazs Scheidler (Aug 11)