Bugtraq mailing list archives

Re: FireWall-1 FTP Server Vulnerability


From: razor () LDC RO (Alexandru Popa)
Date: Mon, 14 Feb 2000 22:09:35 +0200


On Sat, 12 Feb 2000 Lars.Troen () MERKANTILDATA NO wrote:

-----Original Message-----
From: Check Point Support [mailto:cpsuppor () ts checkpoint com]
Sent: 12. februar 2000 06:01
To: fw-1-mailinglist () lists us checkpoint com
Subject: [FW1] Check Point News Announcement

[snip]
- For those using stateful inspection of passive FTP, the following patch
has been supplied.

Patch:
The patch consists of a new $FWDIR/lib/base.def file that includes a fix to
the problem (the file is compatible with Firewall-1 4.0 SP-5, other
platforms will be released as soon as possible). The fix involves an
enforcement on the existence of the newline character at the end of each
packet on the FTP control connection, this will close off the described
vulnerability.
[snip]

This would work fine, except that, provided someone could create a
directory named (C-syntax) "mtu-padding\r\n227 evil message\r\n" AND
change to that dir, a "PWD" would probably happily spit out the message,
in a very correct form.

Disclaimer: I am no FTP protocol expert, so the dir-making and
CWD-ing above might not work.  This might also not work if the server
quotes its output properly.

------------+------------------------------------------
Alex Popa,  |There never was a good war or a bad peace
razor () ldc ro|                   -- B. Franklin
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
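
Added example, not part of the original post and not Check Point's base.def code: it runs the newline-at-end-of-packet check from the announcement over a constructed 257 reply that echoes the directory name from the post, then shows two stricter checks. The segment contents, the /pub path, the address in the PASV reply and the names accept_pasv_reply and safe_257 are assumptions made for illustration.

```python
# Constructed sample segments (not captured traffic). PWD_SEGMENT is a 257 reply
# in which a server echoes the directory name from the post without quoting it.
PWD_SEGMENT = (b'257 "/pub/mtu-padding\r\n227 evil message\r\n"'
               b' is current directory.\r\n')
PASV_SEGMENT = b'227 Entering Passive Mode (10,0,0,5,4,1)\r\n'


def newline_check(segment):
    """Check from the announcement: the segment must end with a newline."""
    return segment.endswith(b'\n')


def lines_claiming_227(segment):
    """Lines that a per-line matcher would read as a 227 reply."""
    return [ln for ln in segment.split(b'\r\n') if ln.startswith(b'227 ')]


def accept_pasv_reply(pending_command, segment):
    """Hypothetical stricter rule: honour 227 only when PASV is the pending
    command and the segment is exactly one complete reply line."""
    if pending_command != 'PASV' or not newline_check(segment):
        return False
    lines = segment.split(b'\r\n')   # a complete line leaves a trailing b''
    return len(lines) == 2 and lines[1] == b'' and lines[0].startswith(b'227 ')


def safe_257(path):
    """Server side: refuse CR/LF in a pathname and double embedded quotes
    (the RFC 959 quote-doubling convention) before echoing it."""
    if '\r' in path or '\n' in path:
        raise ValueError('control characters in pathname')
    return '257 "%s" is current directory.\r\n' % path.replace('"', '""')


if __name__ == '__main__':
    print(newline_check(PWD_SEGMENT), lines_claiming_227(PWD_SEGMENT))
    print(accept_pasv_reply('PWD', PWD_SEGMENT),
          accept_pasv_reply('PASV', PASV_SEGMENT))
```

The constructed 257 segment ends with a newline and still contains a line beginning with 227, so the newline check alone accepts it; tying the 227 to a pending PASV command, or refusing CR/LF in pathnames on the server, rejects it.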

