Firewall Wizards mailing list archives

Re: Variations of firewall ruleset bypass via FTP


From: Darren Reed <darrenr () reed wattle id au>
Date: Sun, 13 Oct 2002 01:52:06 +1000 (EST)

I know you want this to die, but I've posed some more questions for you
to think about :)

In some email I received from Paul D. Robertson, sie wrote:
[...]
> In my mind, saying "Not vulnerable" and just relating that to the POC code
> is bad because it makes people think they're safe when they may not be, so
> if this is indeed the case, I think we'd all appreciate a more verbose
> clarification.

So what do you do?
The last N versions since 1 Jan 2000?
Just test your current/latest version?
Poll your userbase and check every version that's in use everywhere?

As it happens, IPFilter was fixed before I got any information about
this at all from CERT.  But that is of no help to anyone not running
the latest version.  Then again, you need to be running a certain
make & model of ftpd before it's a problem as well.

Unfortunately the people behind security-officer for NetBSD have been 
next to useless in this case and if you asked me, their largesse in
this case would be a good excuse to give them all the ass (it's not
a fun job, either.)  FreeBSD has not been much better.

> Frankly, that's *why* we're looking to you.  You're the #1 IPF authority-
> no matter what version *they* ship.   If you need someone to generate
> pages of rants pointed at them, I'm obviously qualified ;)

Like I keep trying to say, if I don't get the right information then
there's not much I can do or say to provide the right help to people.
For whatever it's worth, I depend on them to provide me with information
that gets passed to them from CERT.  What I guess I'm saying here is
that because I had no direct contact with anyone useful in this, looking
to me, now, is pointless.  I kind of get the impression that IPfilter
may have been the only popular product that did have an issue and yet
you'd be forgiven for thinking it was a complete afterthought the way
some people acted.  If there had been some sort of direct communication
between me and CERT/ICSA/Mikael before this week then maybe things would
have worked out better.  CERT at least appears to have learnt a thing or
two from this.

[...]
> "I understand the class of attack, and I know IPF isn't vulnerable,
> because I've looked at what I'm doing and compared it to the partial ACK
> issue."
>
> "I understand the class of attack, and I know that I've fixed this in the
> current version of IPF, older versions are probably vulnerable, but I'm
> not saying that explicitly."
>
> "I ran the proof-of-concept code and it didn't work, so I'm going to say
> IPF isn't vulnerable until someone proves otherwise."

All of these.
It was hard enough to even compile the damn PoC code.  Plus:

"It looked like the proof-of-concept code required a special agent on the
 inside and if that's the case then I cannot protect against that."

All in all, I think I'd rather try and make some sort of celestial
alignment try and happen than have to go through all that again.
From start to end, it's been one big f*cked experience.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards