Full Disclosure mailing list archives

Re: A new TCP/IP blind data injection technique?


From: Michael Gale <michael () bluesuperman com>
Date: Mon, 15 Dec 2003 11:47:08 -0700

Hello,

        I misunderstood ... from my knowledge the BorderWare Firewall drops all
fragmented packets and there is NO option to change this.

You can change the MTU size on the interfaces which should allow you to
correct any problems.

I am not sure about Cisco PIX :(

I have never found a problem with any services running behind the
firewall or connecting to any services outside the firewall with the
settings to drop all fragmented packets.

Now, according to your injection vulnerability, even if a firewall
recreated all the packets before sending them to the end client, the
vulnerability could still occur unless the firewall did some strong form
of application-level filtering and then somehow found out that one
piece of data did not belong.

So, with all this said, how is it unwise, and not necessary, to drop
fragmented packets?

Michael.


On Mon, 15 Dec 2003 19:17:54 +0100 (CET)
Michal Zalewski <lcamtuf () ghettot org> wrote:

> On Mon, 15 Dec 2003, Michael Gale wrote:
> 
> > Well first of all, one of the industry leading firewalls (
> > BorderWare Firewall Server ) does NOT pass fragmented packets.
> 
> What I was asking for is whether you have any further information
> about this? Or is it just the way you have it configured? I would be
> surprised if this is a default for commercial production-grade
> firewalls, as it may - quite simply - prevent some people from
> communicating with you in some situations. Most commercial firewall
> vendors go as far as disabling PMTUD just to avoid this.
> 
> > I have a rule at the beginning: iptables -A INPUT -f -j DROP
> 
> Ok - this is a very specific configuration, then. On most sane
> firewalls, it is not necessary to drop fragments (and, quite frankly,
> not particularly wise, either) - the firewall will simply reassemble
> all traffic before forwarding it any further (this is something you
> suggested is going to be implemented for BorderWare, and a
> functionality present for long years on systems like Linux).
> 
> Cheers,
> -- 
> ------------------------- bash$ :(){ :|:&};: --
>  Michal Zalewski * [http://lcamtuf.coredump.cx]
>     Did you know that clones never use mirrors?
> --------------------------- 2003-12-15 19:05 --
> 
>    http://lcamtuf.coredump.cx/photo/current/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
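The two policies argued over in this thread, "drop every fragment" versus "reassemble before forwarding", side by side as an added example. This is editor-written Python for illustration, not BorderWare, PIX or Linux netfilter code; the packets, addresses, IP ID and payloads are constructed inline. The reassembler refuses overlapping fragments whose bytes disagree instead of picking first-wins or last-wins, which is the ambiguity a fragment-based injector relies on, since end hosts differ on that choice. Note also that `iptables -f` matches only second and later fragments; the demo's drop policy is stricter and drops the first fragment (MF set) too, which is the "drops all fragmented packets" behaviour Michael describes.

```python
"""IPv4 fragment handling: 'drop every fragment' vs 'reassemble, then forward'.

Added example for this thread; it is not BorderWare, PIX or Linux code.
Packets, addresses and payloads below are constructed inline for the demo.
"""
import struct
from collections import defaultdict

IP_MF = 0x2000       # "More Fragments" flag in the flags/offset field
IP_OFFMASK = 0x1FFF  # fragment offset, counted in 8-byte units


def build_ipv4(ident, offset, mf, payload,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", proto=6):
    """Build a minimal option-less IPv4 packet (header checksum left zero)."""
    assert offset % 8 == 0, "fragment offsets are multiples of 8"
    flags_off = (offset // 8) | (IP_MF if mf else 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr + payload


def parse_ipv4(pkt):
    """Return (header fields, payload) for an IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    hdr = {"id": ident, "proto": proto, "src": src, "dst": dst,
           "mf": bool(flags_off & IP_MF),
           "offset": (flags_off & IP_OFFMASK) * 8}
    return hdr, pkt[ihl:total_len]


def drop_fragments_policy(pkt):
    """The 'drop all fragmented packets' stance from the thread.
    (iptables -f alone only matches second and later fragments; dropping
    the first fragment as well, as here, is what 'drops all' means.)"""
    hdr, payload = parse_ipv4(pkt)
    if hdr["mf"] or hdr["offset"]:
        return None              # fragment: dropped, nothing forwarded
    return payload               # not fragmented: forwarded as-is


class Reassembler:
    """Reassemble-before-forwarding. Fragments are grouped by the
    (src, dst, id, proto) tuple; the datagram is forwarded only once it
    is complete. Overlapping fragments whose bytes disagree are rejected
    outright rather than resolved first-wins or last-wins."""

    def __init__(self):
        self.pending = defaultdict(list)   # key -> [(offset, payload, mf)]

    def feed(self, pkt):
        hdr, payload = parse_ipv4(pkt)
        if not hdr["mf"] and hdr["offset"] == 0:
            return payload                 # not fragmented: forward as-is
        key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
        self.pending[key].append((hdr["offset"], payload, hdr["mf"]))
        return self._assemble(key)

    def _assemble(self, key):
        out = bytearray()
        last_mf = True
        for off, payload, mf in sorted(self.pending[key], key=lambda f: f[0]):
            if off > len(out):
                return None                # hole: wait for more fragments
            n = min(len(out) - off, len(payload))   # bytes that overlap
            if bytes(out[off:off + n]) != payload[:n]:
                del self.pending[key]      # conflicting data: discard the lot
                raise ValueError("conflicting overlapping fragments for %r" % (key,))
            out += payload[n:]
            last_mf = mf
        if last_mf:
            return None                    # final fragment not seen yet
        del self.pending[key]
        return bytes(out)


# Constructed sample: one 24-byte datagram split at the 8-byte boundary.
IDENT = 0x1234
FULL_PAYLOAD = b"GET /index.html HTTP/1.0"
FRAG1 = build_ipv4(IDENT, 0, True, FULL_PAYLOAD[:8])
FRAG2 = build_ipv4(IDENT, 8, False, FULL_PAYLOAD[8:])
# Constructed attacker fragment: same addresses/ID/offset, different bytes.
INJECTED = build_ipv4(IDENT, 0, True, b"GET /EVI")


def demo():
    """Run both policies over the sample fragments; returns the outcomes."""
    results = {}
    results["drop_policy"] = [drop_fragments_policy(p) for p in (FRAG1, FRAG2)]
    r = Reassembler()
    results["out_of_order"] = (r.feed(FRAG2), r.feed(FRAG1))  # hole, then whole
    r = Reassembler()
    r.feed(FRAG1)
    try:
        r.feed(INJECTED)
        results["injection"] = "accepted"
    except ValueError:
        results["injection"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The drop policy never forwards either half of the split request, which is the "some people cannot talk to you" cost Zalewski points at; the reassembler forwards nothing until the datagram is whole, and a conflicting overlap makes it discard the whole group rather than guess which bytes the end host would have kept.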