Bugtraq mailing list archives

Firewall-1 session agent 3.0 -> 4.1, dictionary and brute force attack


From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Tue, 15 Aug 2000 19:54:57 GMT

hi,

every session agent from 3.0 to 4.1 (4.1 included, all platforms) is
vulnerable to a brute force and dictionary style password attack.
while authenticating a user through its port 261, firewall modules send a
"331 User:" string to the agent, wait for an answer, and then reply with a
"220 User .... not found" directly followed by "530 NOTOK" if the username
doesn't match the user database.
If the username exists, the firewall will simply reply "331 *FireWall-1 password:"
before waiting for a pass value.
So, the same weakness as in the old version of unix's login: we can know if
a username exists or not.

try #nc -l -p 261 on your workstation
then connect to an outside service that needs session authentication

Because firewall-1 doesn't close the connection just after a mistaken
username or password submission and seems to wait indefinitely for a correct
entry, it should be really efficient to mount such an attack.
usernames and passwords are up to 8 chars in length and are usually built on
some logical rules (typically based on first and last names for usernames and
more generally on dictionary words)

A C or perl program with a dictionary, trying permutations on each word,
should be able to quickly recover many corporate accounts.
This program would be a little daemon, and would have to send a spoofed
request to outside before each connection; finally it should be able to
accept a significant number of simultaneous connections to increase its
chances of success.
I don't have right now the time to make the code.

Just verify your passwords are hard enough, in the same way you already did it
with your unix passwords.
And for those who have a 4.1 firewall module, just use encryption.

Have a nice day

Gregory Duchemin

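To make the weakness concrete from the defender's side, here is an added simulation of the prompt sequence the post describes, followed by the check an auditor would run against it. It is not code from the post, from Bugtraq or from Check Point: the response strings ("331 User:", "220 User ... not found", "530 NOTOK", "331 *FireWall-1 password:") are the ones quoted above, while the sample user database, the use of "530 NOTOK" for a wrong password, the lockout threshold and the whole "hardened" responder are assumptions chosen to show what a non-leaking login dialogue looks like.

```python
"""Model of the FireWall-1 session-agent login dialogue from the post.

Added example, not code from the original post or from Check Point. Only the
quoted prompt strings come from the post; everything else is an assumption.
"""
import hmac

# Constructed sample user database (assumption, not real data).
USER_DB = {"alice": "wint3r00"}


class VulnerableResponder:
    """Answers the way the post describes: a different prompt sequence for an
    unknown username than for a known one, and the connection never closes."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.closed = False

    def attempt(self, username, password):
        """Return (transcript sent to the agent, authenticated?)."""
        transcript = ["331 User:"]
        if username not in self.user_db:
            transcript += [f"220 User {username} not found", "530 NOTOK"]
            return transcript, False
        transcript.append("331 *FireWall-1 password:")
        if hmac.compare_digest(self.user_db[username].encode(), password.encode()):
            return transcript, True
        transcript.append("530 NOTOK")  # assumption: same code on a bad password
        return transcript, False


class HardenedResponder:
    """Always asks for both fields, answers every failure identically, and
    closes the connection after max_failures wrong attempts (assumed policy)."""

    def __init__(self, user_db, max_failures=3):
        self.user_db = user_db
        self.max_failures = max_failures
        self.failures = 0
        self.closed = False

    def attempt(self, username, password):
        if self.closed:
            raise ConnectionError("connection closed after too many failures")
        transcript = ["331 User:", "331 *FireWall-1 password:"]
        expected = self.user_db.get(username)
        # Compare against a dummy value for an unknown user so that the work
        # done, and therefore the transcript, is the same either way.
        probe = expected if expected is not None else "\x00" * 8
        ok = hmac.compare_digest(probe.encode(), password.encode())
        if ok and expected is not None:
            self.failures = 0
            return transcript, True
        self.failures += 1
        transcript.append("530 NOTOK")
        if self.failures >= self.max_failures:
            self.closed = True
        return transcript, False


def leaks_username_existence(responder_factory, known_user, unknown_user):
    """Auditor's check: does the prompt sequence differ between a user that
    exists (with a wrong password) and a user that does not? If so, the
    responder is the username-enumeration oracle the post describes."""
    t_known, _ = responder_factory().attempt(known_user, "wrong-password")
    t_unknown, _ = responder_factory().attempt(unknown_user, "wrong-password")
    return t_known != t_unknown


if __name__ == "__main__":
    for name, factory in (("vulnerable", lambda: VulnerableResponder(USER_DB)),
                          ("hardened", lambda: HardenedResponder(USER_DB))):
        print(name, "leaks username existence:",
              leaks_username_existence(factory, "alice", "mallory"))
```

The two transcripts are the whole story: whenever the dialogue for a real user with a bad password differs from the dialogue for a made-up user, the firewall is confirming which usernames exist, and the unlimited retries the post mentions turn that into a cheap guessing loop. The hardened responder removes both conditions, which is exactly what you want to confirm on your own agent with the nc listener the post suggests.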

