From: michael at bluesuperman.com (Michael Gale)
Subject: A new TCP/IP blind data injection technique?

Hello,

	I misunderstood ... from my knowledge the BorderWare Firewall drops all
fragmented packets and there is NO option to change this.

You can change the MTU size on the interfaces which should allow you to
correct any problems.

I am not sure about Cisco Pix :(

I have never found a problem with any services running behind the
firewall or connecting to any services outside the firewall with the
settings to drop all fragmented packets.

Now according to your injection vulnerability even if a firewall
recreated all the packets before sending it to the end client the
vulnerability could still occur unless the firewall did some strong form
of application level filtering and then somehow found out that one
piece of data did not belong.

So with all this said how is it unwise not to drop fragmented packets
and not necessary?

Michael.


On Mon, 15 Dec 2003 19:17:54 +0100 (CET)
Michal Zalewski <lcamtuf@...ttot.org> wrote:

> On Mon, 15 Dec 2003, Michael Gale wrote:
> 
> > Well first of all, one of the industry leading firewalls (
> > BorderWare Firewall Server ) does NOT pass fragmented packets.
> 
> What I was asking for, is whether you have any further information
> about this? Or is it just the way you have it configured? I would be
> surprised if this is a default for commercial production-grade
> firewalls, as it may - quite simply - prevent some people from
> communicating with you in some situations. Most commercial firewall
> vendors go as far as disabling PMTUD just to avoid this.
> 
> > I have a rule at the beginning: iptables -A INPUT -f -j DROP
> 
> Ok - this is a very specific configuration, then. On most sane
> firewalls, it is not necessary to drop fragments (and, quite frankly,
> not particularly wise, either) - the firewall will simply reassemble
> all traffic before forwarding it any further (this is something you
> suggested is going to be implemented for BorderWare, and a
> functionality present for long years on systems like Linux).
> 
> Cheers,
> -- 
> ------------------------- bash$ :(){ :|:&};: --
>  Michal Zalewski * [http://lcamtuf.coredump.cx]
>     Did you know that clones never use mirrors?
> --------------------------- 2003-12-15 19:05 --
> 
>    http://lcamtuf.coredump.cx/photo/current/
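
An added illustration, not part of either message: the `-f` match in the quoted `iptables -A INPUT -f -j DROP` rule applies only to second and later IPv4 fragments, so a first fragment still passes the rule. The sketch below parses constructed IPv4 headers to show which ones such a rule would drop; the function names, addresses and header values are assumptions made up for the example.

```python
import struct

MF_FLAG = 0x2000      # "more fragments" bit in the flags/fragment-offset word
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units


def build_ipv4_header(offset_bytes=0, more_fragments=False, dont_fragment=False):
    """Constructed sample: a minimal 20-byte IPv4 header (checksum left at 0)."""
    flags = (0x2 if dont_fragment else 0) | (0x1 if more_fragments else 0)
    flags_frag = (flags << 13) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, flags_frag,
                       64, 6, 0,
                       bytes([192, 0, 2, 1]),     # documentation address
                       bytes([198, 51, 100, 7]))  # documentation address


def classify(header):
    """Return 'unfragmented', 'first-fragment' or 'later-fragment'."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (flags_frag,) = struct.unpack_from("!H", header, 6)
    if flags_frag & OFFSET_MASK:
        return "later-fragment"   # non-zero offset: no transport header here
    if flags_frag & MF_FLAG:
        return "first-fragment"   # offset 0 with MF set: carries the TCP header
    return "unfragmented"


def dropped_by_dash_f(header):
    """Model of the iptables -f match: second and further fragments only."""
    return classify(header) == "later-fragment"


if __name__ == "__main__":
    samples = {
        "whole packet, DF set": build_ipv4_header(dont_fragment=True),
        "first fragment": build_ipv4_header(0, more_fragments=True),
        "middle fragment": build_ipv4_header(1480, more_fragments=True),
        "last fragment": build_ipv4_header(2960),
    }
    for name, hdr in samples.items():
        verdict = "DROP" if dropped_by_dash_f(hdr) else "pass"
        print(f"{name:22s} {classify(hdr):15s} {verdict}")
```

With such a rule in place the first fragment still reaches the host, but the datagram can never be completed there because the remaining fragments are discarded.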


