From: michael at bluesuperman.com (Michael Gale)
Subject: A new TCP/IP blind data injection technique?

Hello,

I misunderstood ... from my knowledge the BorderWare Firewall drops all fragmented packets and there is NO option to change this. You can change the MTU size on the interfaces which should allow you to correct any problems.

I am not sure about Cisco Pix :(

I have never found a problem with any services running behind the firewall or connecting to any services outside the firewall with the settings to drop all fragmented packets.

Now according to your injection vulnerability even if a firewall recreated all the packets before sending it to the end client the vulnerability could still occur unless the firewall did some strong form of application level filtering and then somehow found out that one piece of data did not belong.

So with all this said how is it unwise not to drop fragmented packets and not necessary?

Michael.

On Mon, 15 Dec 2003 19:17:54 +0100 (CET)
Michal Zalewski <lcamtuf@...ttot.org> wrote:

> On Mon, 15 Dec 2003, Michael Gale wrote:
>
> > Well first of all, one of the industry leading firewalls (
> > BorderWare Firewall Server ) does NOT pass fragmented packets.
>
> What I was asking for, is whether you have any further information
> about this? Or is it just the way you have it configured? I would be
> surprised if this is a default for commercial production-grade
> firewalls, as it may - quite simply - prevent some people from
> communicating with you in some situations. Most commercial firewall
> vendors go as far as disabling PMTUD just to avoid this.
>
> > I have a rule at the beginning: iptables -A INPUT -f -j DROP
>
> Ok - this is a very specific configuration, then. On most sane
> firewalls, it is not necessary to drop fragments (and, quite frankly,
> not particularly wise, either) - the firewall will simply reassemble
> all traffic before forwarding it any further (this is something you
> suggested is going to be implemented for BorderWare, and a
> functionality present for long years on systems like Linux)..
>
> Cheers,
> --
> ------------------------- bash$ :(){ :|:&};: --
> Michal Zalewski * [http://lcamtuf.coredump.cx]
> Did you know that clones never use mirrors?
> --------------------------- 2003-12-15 19:05 --
>
> http://lcamtuf.coredump.cx/photo/current/
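The thread argues over two firewall policies for fragments: drop them all (the iptables `-f` rule) or reassemble the datagram before forwarding it. The example below is added here and is not from either poster; it is a minimal IPv4 fragment reassembler, keyed on (src, dst, protocol, IP ID) as the protocol requires, that refuses overlapping fragments instead of merging them, so a stray fragment carrying the same ID as a legitimate datagram discards the whole datagram rather than being spliced into it. The packets it parses are constructed in `make_fragment` (checksum left zero), not captured traffic.

```python
import struct
from collections import defaultdict

def parse_ipv4(pkt: bytes):
    """Parse a minimal IPv4 header; return the reassembly key, offset, MF flag and payload."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, frag_field = struct.unpack("!HHH", pkt[2:8])
    proto = pkt[9]
    src, dst = pkt[12:16], pkt[16:20]
    more = bool(frag_field & 0x2000)          # MF bit
    offset = (frag_field & 0x1FFF) * 8        # offset is in 8-byte units
    return (src, dst, proto, ident), offset, more, pkt[ihl:total_len]

class Reassembler:
    """Strict reassembly: any overlap between fragments of one datagram drops
    that datagram entirely rather than letting one fragment overwrite another."""
    def __init__(self):
        self.pending = defaultdict(list)      # key -> [(offset, more, payload)]

    def feed(self, pkt: bytes):
        key, offset, more, payload = parse_ipv4(pkt)
        if not more and offset == 0:
            return payload                    # not fragmented at all
        frags = self.pending[key]
        for off, _, data in frags:
            if offset < off + len(data) and off < offset + len(payload):
                del self.pending[key]         # overlap: discard, never merge
                raise ValueError("overlapping fragment for IP ID %d" % key[3])
        frags.append((offset, more, payload))
        frags.sort()
        if frags[-1][1]:                      # final fragment (MF=0) not seen yet
            return None
        expected = 0
        for off, _, data in frags:
            if off != expected:
                return None                   # a hole remains; keep waiting
            expected = off + len(data)
        del self.pending[key]
        return b"".join(d for _, _, d in frags)

def make_fragment(ident, offset, more, payload,
                  src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build a constructed IPv4/UDP fragment for testing (checksum left at zero)."""
    frag_field = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      frag_field, 64, 17, 0, src, dst)
    return hdr + payload
```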