Bugtraq mailing list archives
Re: Firewall-1 Session Agent, DOS and password thief
From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Tue, 8 Aug 2000 14:51:36 GMT
It's OK, the weakness is still real when using session agent 4.1 with the "allow clear passwords" option checked (typically for backward compatibility mode with 4.0 inspection module and below).

An IP wrapper is coded into the agent, and then when another IP source is caught, the user is prompted to accept or reject the request. Most users will certainly accept, and if they don't, it should be trivial to spoof the firewall IP on the corporate LAN, even in a switched environment, with ARP games or ICMP redirect.

If the "Any IP address" option is checked, things are worse: a malicious user inside an internal network could be able to use an nmap-like scanner that will look for every open port 261 over the LAN and use Andrew Danforth's perl script to exploit the flaw.

Spoofing an authorized user's IP and using its login/password, our intruder should be almost invisible in FW logs while accessing restricted services.

Every version of the agent is vulnerable (3.0 -> 4.1) on Win 9.x and NT.

======================
Gregory Duchemin
Security Consultant
c3rb3r () hotmail com
> 220 FW-1 fake session authentication
> 331 User:
> 331 *FireWall-1 p4ssw0rd pleazzz:
> 200 User has now a clone, c3rb3r
> 230 OK

this was originally reported to BUGTRAQ two years ago, with an exploit.

http://msgs.securepoint.com/cgi-bin/get/bugtraq/687/1.html

-d.

---
http://www.monkey.org/~dugsong/
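The thread describes the session agent listening on TCP port 261 and accepting authentication prompts only from the firewall's IP (or from any IP when "Any IP address" is checked), and notes that an inside attacker would sweep the LAN for open port 261 before impersonating the firewall. A defender can watch for exactly those two signs in connection logs. The following is an added detection example, not code from either post or from Check Point: it assumes a constructed connection-log format (`time src dst dport`), a made-up firewall address `10.0.0.1`, and made-up internal hosts, and flags (a) any connection to port 261 whose source is not a known firewall and (b) any single source touching several hosts on that port (a scan pattern).

```python
import re
from collections import defaultdict

# Port the FireWall-1 session agent listens on, as stated in the post.
SESSION_AGENT_PORT = 261

# Constructed sample of per-connection records: "time src_ip dst_ip dst_port".
# The firewall address 10.0.0.1 and all hosts below are invented for this example.
SAMPLE_LOG = """\
12:00:01 10.0.0.1 10.0.5.20 261
12:00:02 10.0.0.1 10.0.5.21 261
12:00:05 10.0.5.99 10.0.5.20 261
12:00:05 10.0.5.99 10.0.5.21 261
12:00:06 10.0.5.99 10.0.5.22 261
12:00:06 10.0.5.99 10.0.5.23 261
12:00:07 10.0.5.22 10.0.5.20 80
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse(log_text):
    """Yield (time, src, dst, dport) tuples, silently skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def find_rogue_agent_contacts(log_text, firewall_ips, scan_threshold=3):
    """
    Return (rogue, scans):
      rogue - list of (time, src, dst) for connections to the session-agent port
              whose source is not one of the known firewall addresses
      scans - sorted list of non-firewall sources that contacted at least
              scan_threshold distinct hosts on the session-agent port
    """
    rogue = []
    targets_by_src = defaultdict(set)
    for t, src, dst, dport in parse(log_text):
        if dport != SESSION_AGENT_PORT:
            continue  # only the agent port matters here
        targets_by_src[src].add(dst)
        if src not in firewall_ips:
            rogue.append((t, src, dst))
    scans = sorted(
        src for src, hosts in targets_by_src.items()
        if len(hosts) >= scan_threshold and src not in firewall_ips
    )
    return rogue, scans


if __name__ == "__main__":
    rogue, scans = find_rogue_agent_contacts(SAMPLE_LOG, {"10.0.0.1"})
    for t, src, dst in rogue:
        print(f"{t} non-firewall source {src} contacted session agent on {dst}")
    for src in scans:
        print(f"{src} swept the session-agent port on {len(targets_by_src_placeholder) if False else 'multiple'} hosts")
```

The source-IP check alone is weak for the reason the post gives: the firewall address can be spoofed on the LAN with ARP or ICMP redirect tricks, so the sweep heuristic and, above all, leaving "allow clear passwords" and "Any IP address" unchecked are the parts that actually reduce the exposure; the log check is there to notice when someone tries anyway.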
Current thread:
- Firewall-1 Session Agent, DOS and password thief gregory duchemin (Aug 07)
- Re: Firewall-1 Session Agent, DOS and password thief Dug Song (Aug 07)
- <Possible follow-ups>
- Re: Firewall-1 Session Agent, DOS and password thief gregory duchemin (Aug 08)