Checkpoint FW-1 and "ftp missing newline char" attack


Checkpoint FW-1 and "ftp missing newline char" attack

Postby lgdolan » Fri, 01 Oct 2004 02:06:59 GMT

Howdy.

I'm trying to log in to a customer's ftp server from an AIX 5.3 box
behind FW-1. This is eventually going to be a cron job, but right now
I'm trying it manually for testing purposes.

I *have* to use passive mode.

Logging in defaults to active. No problem cding, lsing, getting, etc.
Then I issue the passive command, after which any attempt to use the
data port completely hangs the session.

Checking SmartView Tracker says that the firewall rejected the data
request due to an 'ftp missing newline char' attack, and subsequent
packets get dropped because they're out of state.

The admin at the customer site swears up and down that he's got
passive mode enabled and the high ports open to me on his end. I've
tried logging in to both his AS/400 and his MS box with the same
results.

Anybody have any ideas?

Thanks.

I should probably add that ncftp, which apparently defaults to passive
mode for data transfer, hangs in the same way as the normal client.

Re: Checkpoint FW-1 and "ftp missing newline char" attack

Postby Rob Hughes » Fri, 01 Oct 2004 08:18:43 GMT

Liam Dolan is alleged to have said in comp.security.firewalls:
Run cpstop.

Look for this section:

//    Use this if you do not want the FW-1 module to insist on a newline at the
// end of the PORT command:
// #define FTPPORT(match)       (call KFUNC_FTPPORT <(match)>)

#define FTP_ENFORCE_NL


Change it to this:

//    Use this if you do not want the FW-1 module to insist on a newline at the
// end of the PORT command:
#define FTPPORT(match)       (call KFUNC_FTPPORT <(match)>)

//#define FTP_ENFORCE_NL

Run cpstart.

Install the policy.

Enjoy.

-- 
If at first you don't succeed, skydiving is not for you.
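Before switching the enforcement off, it helps to confirm what the client and server are actually putting on the control channel. The following is an added Python example, not code from the thread or from Check Point: it walks a constructed capture of FTP control-channel segments, picks out the commands a stateful firewall uses to open data-channel pinholes (client PORT commands and, as an assumption extending the thread's PORT-only wording, server 227 passive replies), derives the data endpoint each one announces, and flags any that is not terminated by CRLF, which is the condition the 'ftp missing newline char' check reacts to.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an FTP control channel, one entry per TCP segment.
# "C" = client -> server, "S" = server -> client.  Two segments deliberately
# lack the CRLF terminator so the audit has something to report.
SAMPLE_SEGMENTS: List[Tuple[str, bytes]] = [
    ("C", b"USER anonymous\r\n"),
    ("S", b"331 Please specify the password.\r\n"),
    ("C", b"PASS guest@example.invalid\r\n"),
    ("S", b"230 Login successful.\r\n"),
    ("C", b"PORT 10,0,0,5,4,1\r\n"),                           # well-formed active request
    ("C", b"PASV\r\n"),
    ("S", b"227 Entering Passive Mode (192,0,2,10,195,80)."),  # reply with no CRLF
    ("C", b"PORT 10,0,0,5,4,2"),                               # command with no CRLF
]

# Client-side PORT command and server-side 227 reply, both carrying h1,h2,h3,h4,p1,p2.
PORT_RE = re.compile(rb"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def data_endpoint(match: "re.Match[bytes]") -> Tuple[str, int]:
    """Turn the six comma-separated octets of PORT/227 into (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def audit_segments(segments: List[Tuple[str, bytes]]) -> List[Dict[str, object]]:
    """Report every data-channel announcement and whether it ended with CRLF.

    A stateful firewall parses these to decide which data connection to
    allow; an announcement without its terminator is what FW-1 logs as
    'ftp missing newline char' (the data connection is then rejected and
    later packets are dropped as out of state, as the thread describes).
    """
    findings = []
    for direction, payload in segments:
        match = PORT_RE.match(payload) if direction == "C" else PASV_RE.match(payload)
        if not match:
            continue
        host, port = data_endpoint(match)
        findings.append({
            "kind": "PORT" if direction == "C" else "227",
            "host": host,
            "port": port,
            "newline_terminated": payload.endswith(b"\r\n"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_segments(SAMPLE_SEGMENTS):
        status = "ok" if f["newline_terminated"] else "MISSING NEWLINE"
        print(f'{f["kind"]:4} -> {f["host"]}:{f["port"]}  {status}')
```

If the audit shows the announcements are properly terminated, the rejection is worth investigating on the firewall side before the enforcement is disabled; if they are not, the client or server is the thing to fix.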

Re: Checkpoint FW-1 and "ftp missing newline char" attack

Postby PAUL SUKHU » Thu, 07 Oct 2004 06:29:01 GMT

Keep in mind this fix gets wiped out when you upgrade the firewall.


Re: Checkpoint FW-1 and "ftp missing newline char" attack

Postby lgdolan » Thu, 07 Oct 2004 21:37:08 GMT

> Keep in mind this fix gets wiped out when you upgrade the firewall.

When I install a new policy, or when I actually upgrade the server?

In any case, the fix seems to work on my external fw. Now I've gotta
schedule the downtime for the internal one to see if it takes care of
it there, too.

Thanks, folks.

Re: Checkpoint FW-1 and "ftp missing newline char" attack

Postby kundy00 » Thu, 07 Dec 2006 03:09:18 GMT

so what is the script that we are supposed to use?  I'm not seeing it


Re: Checkpoint FW-1 and "ftp missing newline char" attack

Postby larstr » Sat, 09 Dec 2006 08:34:12 GMT

: so what is the script that we are supposed to use?  I'm not seeing it.

What version is this? I believe this check was somewhat buggy, at least
it seemed that you wouldn't get a very reliable ftp service with this
option enabled.

The background for this option can be found in this bugtraq posting:
 http://www.**--****.com/ 

Lars

