SecurityTracker
Archives
Category:  Application (Firewall) > IP Filter
Vendors:  Reed, Darren
IP Filter Linux Firewall Software FTP Proxy Bug Lets Remote Users Bypass the Rule Set
SecurityTracker Alert ID:  1005442
SecurityTracker URL:  http://securitytracker.com/id/1005442
CVE Reference:  CVE-2002-1978
Updated:  Jun 3 2008
Original Entry Date:  Oct 17 2002
Impact:   Host/resource access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 3.4.29
Description:   A vulnerability was reported in the IP Filter kernel modifications for Linux in the FTP proxy function. A remote user may be able to bypass the firewall rule set.

It is reported that firewalls that support the FTP protocol without fully reassembling packets in the FTP command channel may allow remote users to bypass the firewall rule sets.

A remote user can invoke partial segment acknowledgements to cause the target FTP server to resend user-supplied control strings, causing the firewall to erroneously parse the control strings as a legitimate command and open up a hole in the firewall from the remote user to the target server. The opened connection can apparently be used for any protocol.

The success of such an exploit depends on the targeted FTP server (behind the IP Filter firewall) and the manner in which the FTP server responds. The following FTP servers are known to be safe, according to the report:

+ ftpd in Sun Solaris/SunOS
+ ftpd in FreeBSD (up to and including 4.5)
+ ftpd in OpenBSD (up to and including 3.1)
+ wsftpd

The following FTP server software is reportedly known to support this attack:

+ proftpd
+ warftpd
+ serv-u
+ pureftpd
+ publicfile
+ ftpd in NetBSD (up to and including 1.6)
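The description above (and the "Details" section of the vendor message further down) comes down to one state-handling question: does the proxy parse the FTP control channel as a reassembled TCP byte stream, or does it treat every segment it sees as fresh text? The following Python model is an added illustration, not code from the advisory or from IPFilter itself. It places a naive per-segment reply watcher beside a sequence-aware reassembler that consumes each byte exactly once, and feeds both the same constructed segments: a server error reply that echoes client-supplied text, a retransmission of the tail of that reply after a partial acknowledgement, and a legitimate 227 reply split across two segments. Class and function names (NaiveReplyWatcher, StreamReassembler, parse_pasv, demo) and the sample addresses are this example's own.

```python
"""
Added example, not part of the advisory or of IPFilter: a per-segment FTP
reply watcher beside a sequence-aware stream reassembler, fed identical
constructed TCP segments.  All names and sample values here are the
example's own assumptions.
"""
import re
from typing import List, Optional, Tuple

# A 227 reply carries the passive data endpoint as (h1,h2,h3,h4,p1,p2),
# RFC 959 section 4.1.2; the port is p1 * 256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

Endpoint = Tuple[str, int]


def parse_pasv(line: str) -> Optional[Endpoint]:
    """Return (host, port) if a reply line is a complete 227 response."""
    m = PASV_RE.match(line)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


class NaiveReplyWatcher:
    """The buggy pattern: every segment is parsed as if it started a new line.

    It ignores the TCP sequence number entirely, so a retransmitted tail of an
    earlier reply looks like a brand-new line, and a legitimate reply that
    happens to be split across two segments is never matched at all.
    """

    def __init__(self) -> None:
        self.opened: List[Endpoint] = []

    def feed(self, seq: int, payload: bytes) -> None:
        for line in payload.decode("latin-1").split("\r\n"):
            ep = parse_pasv(line)
            if ep:
                self.opened.append(ep)


class StreamReassembler:
    """The sound pattern: bytes are accepted in stream order and parsed once."""

    def __init__(self, isn: int) -> None:
        self.next_seq = isn          # next byte we have not yet consumed
        self.buf = b""               # partial line carried across segments
        self.opened: List[Endpoint] = []

    def feed(self, seq: int, payload: bytes) -> None:
        end = seq + len(payload)
        if seq > self.next_seq:
            return                   # hole; a real stack would queue it
        if end <= self.next_seq:
            return                   # pure retransmission, already parsed
        payload = payload[self.next_seq - seq:]   # drop the overlapping prefix
        self.buf += payload
        self.next_seq = end
        while b"\r\n" in self.buf:   # only complete lines are ever parsed
            line, self.buf = self.buf.split(b"\r\n", 1)
            ep = parse_pasv(line.decode("latin-1"))
            if ep:
                self.opened.append(ep)


def demo() -> Tuple[List[Endpoint], List[Endpoint]]:
    """Feed both parsers the same constructed segments; return what each opened."""
    isn = 1000
    # Constructed: an error reply in which the server echoes client text verbatim.
    echo_reply = b"500 'XYZ 227 Entering Passive Mode (10,0,0,5,4,1)': command not understood\r\n"
    cut = echo_reply.index(b"227")            # the retransmission starts mid-line
    # Constructed: a genuine 227 reply that the server sent in two segments.
    legit = b"227 Entering Passive Mode (10,0,0,5,4,2)\r\n"
    split = 17
    base = isn + len(echo_reply)
    segments = [
        (isn, echo_reply),                    # whole reply, first transmission
        (isn + cut, echo_reply[cut:]),        # tail resent after a partial ACK
        (base, legit[:split]),                # first half of the real 227
        (base + split, legit[split:]),        # second half of the real 227
    ]
    naive, sound = NaiveReplyWatcher(), StreamReassembler(isn)
    for seq, payload in segments:
        naive.feed(seq, payload)
        sound.feed(seq, payload)
    return naive.opened, sound.opened


if __name__ == "__main__":
    naive_opened, sound_opened = demo()
    print("per-segment watcher opened:", naive_opened)   # the echoed text
    print("stream reassembler opened:", sound_opened)     # only the real 227
```

The per-segment watcher gets it wrong in both directions: it opens a data-channel hole for the echoed text that the retransmission makes look like a line start, and it misses the genuine 227 reply because neither half alone matches. The reassembler tracks the next expected sequence number, discards already-consumed bytes, and splits on CRLF only over the continuous stream, which is the property the advisory describes as "fully reassembling packets in the FTP command channel".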

Impact:   A remote user may be able to cause the firewall to open connections that are otherwise not permitted by the firewall rule set.
Solution:   The vendor has issued a fixed version (3.4.29) and recommends that you upgrade if you are using the proxy function to provide FTP server access:

ftp://coombs.anu.edu.au/pub/net/ip-filter/ip-fil3.4.29.tar.gz
http://coombs.anu.edu.au/~avalon/ip-fil3.4.29.tar.gz
http://coombs.anu.edu.au/ipfilter/ip-filter.html#Mirrors

Vendor URL:  coombs.anu.edu.au/ipfilter/ip-filter.html
Cause:   Access control error, Input validation error, State error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(NetBSD Issues Fix) IP Filter Linux Firewall Software FTP Proxy Bug Lets Remote Users Bypass the Rule Set
NetBSD has released a fix.

Source Message Contents

Subject:  IPFilter FTP Bug


-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

IPFilter FTP update.
====================

Synopsis: In kernel FTP proxy allows access to other ports on FTP server.

Versions affected: All prior to 3.4.29

Affected use: proxying to ftp servers.

Recommended Action: Upgrade to 3.4.29 if running a version prior and
                   using proxy function to provide FTP server access.
Details.
- --------
It is possible to fool the ftp proxy in earlier versions of IPFilter
into thinking that retransmitted text from the ftp server (or client)
is a new response and should be processed as such.

For people using the inbuilt proxy in the kernel to provide access to
ftp servers, this can be used to open up access to any port on the ftp
server.  For this to be a problem, your ftp server must respond in a
manner that essentially echoes, verbatim, text sent to it on the end
of a line.  See below for a list of known good/bad FTP daemons.  If
yours isn't known to be good or bad then you are best assuming that
it is bad.

Monitoring.
- -----------
If you cannot upgrade immediately, or would otherwise like to make sure
you can "keep tabs" on this problem, despite the state/nat table entries
not being created by a rule, they can still be logged.  If you are using
ipmon to record all log transactions (-a), its output will include NAT &
state table entries created to enable the rogue connection through.  If
you are not collecting log information on NAT or state transactions, you
can enable this by adding "-a" to ipmon's command line options at startup
or optionally, record this information to a separate file (with a
recommended separate .pid file) like this:

ipmon -P /var/run/ipmon-extra.pid -o NS /var/log/ipfnatstate

Workarounds.
- ------------
If you cannot upgrade IPFilter, you are advised to examine how your FTP
server software behaves.  Known safe FTP server software, in this regard
are:

+ ftpd in Sun Solaris/SunOS
+ ftpd in FreeBSD (up to and including 4.5)
+ ftpd in OpenBSD (up to and including 3.1)
+ wsftpd

FTP server software that is known to support this attack:

+ proftpd
+ warftpd
+ serv-u
+ pureftpd
+ publicfile
+ ftpd in NetBSD (up to and including 1.6)

Another safe work around is to use a user space ftp proxy, such as that
provided with the Firewall Toolkit.  Discussion on how to do this is
beyond the scope of this document.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)

iD8DBQE9qaNYP7JIXtvLbFURAuB2AKCKJ0gWwEX3SnYMq/ZlEt8JcRABhACeJkvp
XRz08wWGODquWd6u3dJv7Zk=
=UuHZ
-----END PGP SIGNATURE-----
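The "Monitoring" section of the message above points out that the rogue state and NAT entries are still written by ipmon when it logs all transactions (-a, or -o NS to a separate file), even though no rule created them. What an operator then needs is a check that reads those entries and flags connections to the proxied FTP server that fall outside the ports an FTP session should ever use. The script below is an added example, not part of the advisory or of IPFilter. It does not parse ipmon's real output format: the one-line "proto src,sport -> dst,dport" layout it reads is this example's own simplified form, and an operator would map ipmon's fields into StateEntry before calling flag_rogue_entries(). The FTP server address, the passive data-port range and the sample entries are constructed values.

```python
"""
Added example, not from the advisory or IPFilter: flag state-table entries
that reach a proxied FTP server on ports no FTP session should use.
The line layout parsed here is this example's own simplified form, not
ipmon's real output; addresses and the port range are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StateEntry:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class FtpServerPolicy:
    """Ports on which a proxied FTP server is expected to accept connections."""
    host: str
    control_port: int = 21
    # Passive data-port range the server is configured to advertise in its
    # 227 replies; this particular range is a constructed example value.
    passive_range: Tuple[int, int] = (50000, 50100)

    def permits(self, dport: int) -> bool:
        lo, hi = self.passive_range
        return dport == self.control_port or lo <= dport <= hi


def parse_entry(line: str) -> Optional[StateEntry]:
    """Parse one line of the simplified 'proto src,sport -> dst,dport' form."""
    try:
        proto, src_ep, arrow, dst_ep = line.split()
        if arrow != "->":
            return None
        src, sport = src_ep.split(",")
        dst, dport = dst_ep.split(",")
        return StateEntry(proto.lower(), src, int(sport), dst, int(dport))
    except ValueError:          # wrong field count or non-numeric port
        return None


def flag_rogue_entries(lines: List[str], policy: FtpServerPolicy) -> List[StateEntry]:
    """Return TCP entries whose destination is the FTP server on a non-FTP port."""
    flagged: List[StateEntry] = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None or entry.proto != "tcp" or entry.dst != policy.host:
            continue
        if not policy.permits(entry.dport):
            flagged.append(entry)
    return flagged


# Constructed sample: a control session, a legitimate passive data connection,
# unrelated UDP traffic, a malformed line, and two entries to the FTP server
# that the proxy had no legitimate reason to create.
SAMPLE_LINES = [
    "tcp 192.0.2.10,40012 -> 198.51.100.5,21",
    "tcp 192.0.2.10,40013 -> 198.51.100.5,50042",
    "tcp 192.0.2.10,40014 -> 198.51.100.5,22",
    "udp 192.0.2.77,5353 -> 198.51.100.5,5353",
    "tcp 192.0.2.10,40015 -> 198.51.100.5,3306",
    "this line is malformed",
]

FTP_SERVER = FtpServerPolicy(host="198.51.100.5")

if __name__ == "__main__":
    for e in flag_rogue_entries(SAMPLE_LINES, FTP_SERVER):
        print(f"rogue state entry: {e.src}:{e.sport} -> {e.dst}:{e.dport}")
```

The check is deliberately allow-list shaped: anything reaching the FTP server that is neither the control port nor inside the configured passive range is reported, which is exactly the class of entry the advisory says the proxy bug creates. If the server is also used in active mode, the data connections originate from the server side and do not appear as inbound entries to it, so they do not need to be added to the allow-list.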
