View Full Version : Filtering devices spotting



Ed3f
01/01/03, 21:49
************************ SECURITY ALERT ************************


Systems Affected

100% of packet filtering systems including commercial
embedded devices
(no unaffected system known at the moment)


Risk

low


Overview

Multiple vendors' implementations of a packet filtering
engine don't check the level 4 checksum.
This could be used by an attacker to perform an active
analysis of a firewall ruleset and use OS fingerprinting
tools with firewall response packets.


Description

It's possible to spot a firewall by sending a single packet
with a broken level 4 checksum if it is configured to
reply. This problem is present even if a transparent bridge
is used.

Example:
sending a TCP SYN you'll receive a RST-ACK.

The complete study is available at:
http://www.phrack.org/phrack/60/p60-0x0c.txt


Solution

Disable reply.
Apply the patch when available.



************************* Ed3f ********************0x000002*

Darren Reed
02/01/03, 20:12
In some mail from Ed3f, sie said:
>
>
> ************************ SECURITY ALERT ************************
>
>
> Systems Affected
>
> 100% of packet filtering systems including commercial
> embedded devices
> (no unaffected system known at the moment)

Well, not quite 100%...

You have been able to filter on bad TCP checksums in IPFilter for
some time - see this email message from me to the ipfilter list some
4 months ago:

http://false.net/ipfilter/2002_08/0250.html

I'm trying to get other things done and fixed before saying "4.0 is
no longer alpha".

Darren
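
The check discussed in this thread, as an added example that is not part of either post and is not IPFilter code: a filter verifies the TCP checksum over the IPv4 pseudo-header before applying a rule that would send a reply, and silently drops the segment if verification fails. The function names, the "reject"/"drop" action labels and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))

def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True if the segment (TCP header + payload) carries a valid checksum."""
    if len(segment) < 20:          # shorter than a minimal TCP header
        return False
    data = pseudo_header(src_ip, dst_ip, len(segment)) + segment
    return ones_complement_sum(data) == 0xFFFF

def filter_decision(src_ip, dst_ip, segment, rule_action="reject"):
    """Validate first: a segment with a bad checksum never triggers a reply."""
    if not tcp_checksum_ok(src_ip, dst_ip, segment):
        return "drop"              # silent discard, no RST-ACK sent
    return rule_action             # the ruleset's action ("reject" sends a reply)

def build_syn(src_ip, dst_ip, sport, dport):
    """Constructed sample input: a 20-byte SYN with a correct checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      5 << 4, 0x02, 8192, 0, 0)
    csum = 0xFFFF - ones_complement_sum(pseudo_header(src_ip, dst_ip, 20) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

# Constructed sample data (RFC 5737 documentation addresses).
SRC, DST = "192.0.2.1", "198.51.100.7"
GOOD_SYN = build_syn(SRC, DST, 40000, 80)
# Same segment with one checksum bit flipped.
BAD_SYN = GOOD_SYN[:17] + bytes([GOOD_SYN[17] ^ 0x01]) + GOOD_SYN[18:]

if __name__ == "__main__":
    print("valid SYN  ->", filter_decision(SRC, DST, GOOD_SYN))
    print("broken SYN ->", filter_decision(SRC, DST, BAD_SYN))
```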