Full Disclosure mailing list archives
Re: A new TCP/IP blind data injection technique?
From: Michael Gale <michael () bluesuperman com>
Date: Mon, 15 Dec 2003 11:47:08 -0700
Hello,

I misunderstood ... from my knowledge the BorderWare Firewall drops all fragmented packets and there is NO option to change this. You can change the MTU size on the interfaces which should allow you to correct any problems. I am not sure about Cisco Pix :(

I have never found a problem with any services running behind the firewall or connecting to any services outside the firewall with the settings to drop all fragmented packets.

Now according to your injection vulnerability even if a firewall recreated all the packets before sending it to the end client the vulnerability could still occur unless the firewall did some strong form of application level filtering and then somehow found out that one piece of data did not belong.

So with all this said how is it unwise not to drop fragmented packets and not necessary?

Michael.

On Mon, 15 Dec 2003 19:17:54 +0100 (CET) Michal Zalewski <lcamtuf () ghettot org> wrote:
> On Mon, 15 Dec 2003, Michael Gale wrote:
>
> > Well first of all, one of the industry leading firewalls ( BorderWare Firewall Server ) does NOT pass fragmented packets.
>
> What I was asking for, is whether you have any further information about this? Or is it just the way you have it configured? I would be surprised if this is a default for commercial production-grade firewalls, as it may - quite simply - prevent some people from communicating with you in some situations. Most commercial firewall vendors go as far as disabling PMTUD just to avoid this.
>
> > I have a rule at the beginning: iptables -A INPUT -f -j DROP
>
> Ok - this is a very specific configuration, then. On most sane firewalls, it is not necessary to drop fragments (and, quite frankly, not particularly wise, either) - the firewall will simply reassemble all traffic before forwarding it any further (this is something you suggested is going to be implemented for BorderWare, and a functionality present for long years on systems like Linux).
>
> Cheers,
> --
> ------------------------- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx]
> Did you know that clones never use mirrors? --------------------------- 2003-12-15 19:05 -- http://lcamtuf.coredump.cx/photo/current/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
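The two firewall policies argued over above (the `iptables -A INPUT -f -j DROP` rule versus reassembling fragments before forwarding), as an added toy model that is not code from either poster or from BorderWare/Netfilter. The fragment layout and the conflicting-overlap rejection policy are constructed assumptions for this example.

```python
# Toy model of two firewall policies for IPv4 fragments, constructed for
# illustration (not BorderWare's or Netfilter's code). Offsets are in
# 8-byte units as in the IP header; mf is the More-Fragments flag.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ip_id: int      # datagram identifier shared by all fragments
    offset: int     # fragment offset in 8-byte units
    mf: bool        # More Fragments flag
    data: bytes


def drop_fragments_policy(frags):
    """Model of `iptables -A INPUT -f -j DROP`: `-f` matches second and
    further fragments (offset > 0), so only head fragments get through."""
    return [f for f in frags if f.offset == 0]


def reassemble(frags):
    """Model of reassembly before forwarding. Returns the payload of every
    datagram that is complete; raises if two fragments overlap with
    conflicting bytes (a conservative policy assumed for this example)."""
    by_id = {}
    for f in frags:
        by_id.setdefault(f.ip_id, []).append(f)
    out = {}
    for ip_id, parts in by_id.items():
        buf = {}      # byte position -> byte value
        end = None    # total length, known once the last fragment (mf=0) is seen
        for frag in sorted(parts, key=lambda p: p.offset):
            start = frag.offset * 8
            for i, b in enumerate(frag.data):
                pos = start + i
                if pos in buf and buf[pos] != b:
                    raise ValueError(f"conflicting overlap in datagram {ip_id:#x} at byte {pos}")
                buf[pos] = b
            if not frag.mf:
                end = start + len(frag.data)
        if end is not None and all(p in buf for p in range(end)):
            out[ip_id] = bytes(buf[p] for p in range(end))
    return out


# Constructed sample: one 24-byte datagram split into three 8-byte fragments.
SAMPLE = [
    Fragment(0x1234, 0, True,  b"GET /ind"),
    Fragment(0x1234, 1, True,  b"ex.html "),
    Fragment(0x1234, 2, False, b"HTTP/1.0"),
]
```

With the drop rule only the head fragment survives, so the datagram never completes; with reassembly the firewall sees the whole payload and can reject fragments whose bytes contradict data it already holds.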