Date: Wed, 5 Mar 2003 16:43:37 -0500
From: "David G. Andersen" <dga@....mit.edu>
To: bit_logic@...ail.com
Subject: Re: 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet


On Tue, Mar 04, 2003 at 11:39:17PM -0000, bit_logic@...ail.com quacked:
> 
> The weakness exploited by this vulnerability is that the 3COM filter 
> apparently does not reassemble fragmented packets before checking a 
> [...]

> Taking this trivial exploit a step further, an experienced hacker could 
> easily write a script or application to automate this entire process, 
> parsing the source for images and other embedded content where necessary.  
> This would result in a local copy of the requested site right on the 
> user's hard disk.  In theory, one would only need to break apart key areas 
> of the HTTP request packet in order to fool the filter, rather than 
> sending every character individually.
> 
> Unfortunately, I do not have the necessary equipment at my disposal to 
> further test the exploit, although I know for a fact that it works, at 

a)  Test with a program called 'fragrouter'.  What you're describing
are TCP fragments, but it's likely the box doesn't reassemble IP
fragments either.

   http://www.securityfocus.com/tools/176

b)  "experienced hacker"?  more like "slightly clueful kiddie":

   route add default <foo> -mtu 50

   Or if you want to be a bit more fancy, just write a proxy
   in perl that does a character-by-character write() of the
   outbound request.  Trivial.

> least on firewalls with basic filter configurations.  I also have yet to 
> come up with a successful work-around for this bypass, as it occurs at a 
> very low level.  If anyone has any ideas, I'm all ears.  Thanks.

  a)  use real filtering software (a transparent proxy)
  b)  don't bother, you can't win against the smart insiders
      who want out.

  -dave

-- 
work: dga@....mit.edu                          me:  dga@...ox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.
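
Dave's point (b) above, and his suggested fix (a), in runnable form. This is an added example and not part of the original message or of 3Com's product: the "filter" below is a model I wrote of an inspection engine that checks each TCP segment on its own, placed beside one that reassembles the stream first, and the blocklist, the HTTP request and the segment sizes are constructed sample data. The socket helper shows the character-by-character write() he describes; it assumes an idle connection with Nagle disabled, and whether the kernel actually emits one segment per write is not guaranteed.

```python
import socket

# Constructed sample data: a blocked hostname and an outbound HTTP/1.0 request.
BLOCKED_HOSTS = [b"example.com"]
REQUEST = (
    b"GET /index.html HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)


def split_segments(data: bytes, size: int) -> list[bytes]:
    """Model one write() per `size` bytes; size=1 is the character-by-character case."""
    if size < 1:
        raise ValueError("segment size must be at least 1")
    return [data[i:i + size] for i in range(0, len(data), size)]


def per_segment_filter(segments: list[bytes], blocklist: list[bytes]) -> bool:
    """The weakness under discussion: each segment is inspected in isolation,
    so a blocked term split across a segment boundary is never seen whole."""
    return any(term in seg for seg in segments for term in blocklist)


def reassembling_filter(segments: list[bytes], blocklist: list[bytes]) -> bool:
    """What a transparent proxy does: rebuild the byte stream, then inspect it.
    Segment boundaries (and IP fragment boundaries below them) no longer matter."""
    stream = b"".join(segments)
    return any(term in stream for term in blocklist)


def compare_filters(data: bytes, blocklist: list[bytes], sizes: tuple[int, ...]) -> dict:
    """For each segment size, return (per-segment verdict, reassembled verdict)."""
    results = {}
    for size in sizes:
        segs = split_segments(data, size)
        results[size] = (per_segment_filter(segs, blocklist),
                         reassembling_filter(segs, blocklist))
    return results


def send_segmented(host: str, port: int, segments: list[bytes]) -> int:
    """Issue one send() per segment with Nagle disabled, i.e. the 'proxy that does
    a character-by-character write()' from the reply. Assumption: the OS honours
    the write boundaries; it usually does on an idle TCP_NODELAY socket, but the
    kernel is free to coalesce, so inspect the wire with tcpdump to confirm."""
    with socket.create_connection((host, port)) as s:
        s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        for seg in segments:
            s.sendall(seg)
    return len(segments)


if __name__ == "__main__":
    # Size 1 and size 8 can never hold the 11-byte term "example.com" in one
    # segment; a single segment the length of the request always can.
    for size, (naive, proper) in compare_filters(REQUEST, BLOCKED_HOSTS,
                                                  (1, 8, len(REQUEST))).items():
        print(f"segment size {size:2d}: per-segment filter blocks={naive}, "
              f"reassembling filter blocks={proper}")
```

The two verdicts diverge exactly when no single segment contains the whole blocked term, which is why the fix has to be reassembly before inspection rather than a longer blocklist; the same reasoning applies one layer down to IP fragments, which fragrouter will produce for a real test.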