Firewall Wizards mailing list archives
Re: Variations of firewall ruleset bypass via FTP
From: Darren Reed <darrenr () reed wattle id au>
Date: Sun, 13 Oct 2002 01:52:06 +1000 (EST)
I know you want this to die, but I've posed some more questions for you to think about :)
In some email I received from Paul D. Robertson, sie wrote: [...]
In my mind, saying "Not vulnerable" and just relating that to the POC code is bad because it makes people think they're safe when they may not be, so if this is indeed the case, I think we'd all appreciate a more verbose clarification.
So what do you do? The last N versions since 1 Jan 2000? Just test your current/latest version? Poll your userbase and check every version that's in use everywhere? As it happens, IPFilter was fixed before I got any information about this at all from CERT. But that is of no help to anyone not running the latest version. Then again, you need to be running a certain make & model of ftpd before it's a problem as well.
Unfortunately the people behind security-officer for NetBSD have been next to useless in this case and if you asked me, their largesse in this case would be a good excuse to give them all the ass (it's not a fun job, either.) FreeBSD has not been much better.
Frankly, that's *why* we're looking to you. You're the #1 IPF authority- no matter what version *they* ship. If you need someone to generate pages of rants pointed at them, I'm obviously qualified ;)
Like I keep trying to say, if I don't get the right information then there's not much I can do or say to provide the right help to people. For whatever it's worth, I depend on them to provide me with information that gets passed to them from CERT. What I guess I'm saying here is that because I had no direct contact with anyone useful in this, looking to me, now, is pointless. I kind of get the impression that IPfilter may have been the only popular product that did have an issue and yet you'd be forgiven for thinking it was a complete afterthought the way some people acted. If there had been some sort of direct communication between me and CERT/ICSA/Mikael before this week then maybe things would have worked out better. CERT at least appears to have learnt a thing or two from this. [...]
"I understand the class of attack, and I know IPF isn't vulnerable, because I've looked at what I'm doing and compared it to the partial ACK issue."
"I understand the class of attack, and I know that I've fixed this in the current version of IPF, older versions are probably vulnerable, but I'm not saying that explicitly."
"I ran the proof-of-concept code and it didn't work, so I'm going to say IPF isn't vulnerable until someone proves otherwise."
All of these. It was hard enough to even compile the damn PoC code. Plus: "It looked like the proof-of-concept code required a special agent on the inside and if that's the case then I cannot protect against that." All in all, I think I'd rather try and make some sort of celestial alignment try and happen than have to go through all that again.
From start to end, it's been one big f*cked experience.
Darren