Bugtraq mailing list archives

Re: Firewall-1 Session Agent, DOS and password thief


From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Tue, 8 Aug 2000 14:51:36 GMT

It's OK.
The weakness is still current when using Session Agent 4.1 with the "allow clear
passwords" option checked (typically for backward-compatibility mode with the
4.0 inspection module and below).

An IP wrapper is coded into the agent, and when another source IP is
caught, the user is prompted to accept or reject the request. Most users will
certainly accept, and if they don't, it should be trivial to spoof the firewall
IP on the corporate LAN, even in a switched environment, with ARP games or ICMP
redirect.
If "Any IP address" is checked, things are worse.

A malicious user inside an internal network could use an nmap-like
scanner that looks for every open port 261 over the LAN and use Andrew
Danforth's Perl script to exploit the flaw.
Spoofing an authorized user's IP and using their login/password, our intruder
should be almost invisible in FW logs while accessing restricted services.
Every version of the agent is vulnerable (3.0 -> 4.1) on Win 9.x and NT.

======================
Gregory Duchemin

Security Consultant
c3rb3r () hotmail com

> 220 FW-1 fake session authentication
> 331 User:
> 331 *FireWall-1 p4ssw0rd pleazzz:
> 200 User has now a clone, c3rb3r
> 230 OK

This was originally reported to BUGTRAQ two years ago, with an exploit.

        http://msgs.securepoint.com/cgi-bin/get/bugtraq/687/1.html

-d.

---
http://www.monkey.org/~dugsong/
