Search This Blog

Tuesday, January 12, 2010

firewall-wizards Digest, Vol 45, Issue 4

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Volunteers wanted for IPsec configuration experiment
(Paolo Supino)
2. Re: Volunteers wanted for IPsec configuration experiment
(Steven Bellovin)
3. Re: Hacker pierces hardware firewalls with web page.
(david@lang.hm)
4. Re: Use of single port aggregations to enhance security
(david@lang.hm)
5. Re: Hacker pierces hardware firewalls with web page.
(Farrukh Haroon)


----------------------------------------------------------------------

Message: 1
Date: Mon, 11 Jan 2010 22:31:35 +0200
From: Paolo Supino <paolo@supino.org>
Subject: Re: [fw-wiz] Volunteers wanted for IPsec configuration
experiment
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4B4B8AA7.1000803@supino.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi

Is the offer open for international volunteers?

--
ttyl
Paolo

On 1/10/10 10:19 PM, Steven Bellovin wrote:
> We've devised a new IPsec configuration mechanism, and we're performing a controlled experiment comparing it to today's mechanisms. Accordingly, we're looking for volunteers to participate in our study. (It's been submitted to and approved by the university's Institutional Review Board (IRB).)
>
> So -- we're looking for volunteers who are generally familiar with how IPsec works, but haven't actually configured it anywhere. (The former does, I think, describe most subscribers to this list...) The study will take place during the second half of January; we expect it to take 2-3 hours. There will be modest compensation to participants.
>
> I'm being deliberately vague on details of our scheme, for fear of biasing the results. We will make details available as soon as possible, and we plan to release our code under an open source license.
>
> If you're interested, please contact me.
>
> --Steve Bellovin, http://www.cs.columbia.edu/~smb
>
>
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 2
Date: Mon, 11 Jan 2010 18:35:25 -0500
From: Steven Bellovin <smb@cs.columbia.edu>
Subject: Re: [fw-wiz] Volunteers wanted for IPsec configuration
experiment
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <4C66BC51-3DDC-4D3B-B569-539126DC3A43@cs.columbia.edu>
Content-Type: text/plain; charset=us-ascii


On Jan 11, 2010, at 3:31 PM, Paolo Supino wrote:

> Hi
>
> Is the offer open for international volunteers?
>

Yes, definitely.


--Steve Bellovin, http://www.cs.columbia.edu/~smb

------------------------------

Message: 3
Date: Mon, 11 Jan 2010 18:51:04 -0800 (PST)
From: david@lang.hm
Subject: Re: [fw-wiz] Hacker pierces hardware firewalls with web page.
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.00.1001111828550.24130@asgard.lang.hm>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

I've seen several other posts where people make use of browser exploits to
trick the browser into submitting a form to the router/firewall, and if
the router has the default password, the attacker can then configure the
firewall any way they want.

This sounds a little different. This sounds like it is exploiting standard
protocols.

With FTP the client connect to the server, then at the start of a file
transfer the client tells the server what port to connect to on the
client. A 'helpful' firewall will watch for this message and reconfigure
itself to allow traffic to that port. IIRC for FTP this data connection is
one-way (with acks flowing the other way), but with SIP the port is used
for data in both directions.

This sounds like the attacker is managing to use javascript to make a
connection out that the firewall thinks is a protocol like this, and then
by specifying the port they want to attack, tricking the firewall into
opening that port up so that it can be attacked from the server the
javascript connected to.

David Lang

On Fri, 8 Jan 2010, R. DuFresne wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> In reading this, I get the impression this is not a fault in the firewalls
> themselves, but more an issue with the configuration of firewalls having been
> 'tested' by this hacker. Am I wrong in reading this news in that fashion?::
>
>
> January 6, The Register - (International) Hacker pierces hardware firewalls
> with web page. On January 5, a hacker demonstrated a way to identify a
> browser's geographical location by exploiting weaknesses in many WiFi
> routers. Now, the same hacker is back with a simple method to penetrate
> hardware firewalls using little more than some javascript embedded in a
> webpage. By luring victims to a malicious link, the attacker can access
> virtually any service on their machine, even when it's behind certain routers
> that automatically block it to the outside world. The method has been tested
> on a Belkin N1 Vision Wireless router, and the hacker says he
> suspects other devices are also vulnerable. "What this means is I can
> penetrate their firewall/router and connect to the port that I specified,
> even though the firewall should never forward that port," the hacker told the
> Register. "This defeats that security by visiting a simple web page. No
> authentication, XSS, user input, etc. is required." The hacker's
> proof-ofconcept page forces the visitor to submit a hidden form on port 6667,
> the standard port for internet relay chat. Using a hidden value, the form
> surreptitiously coerces the victim to establish a DCC, or direct
> client-to-client, connection. Vulnerable routers will then automatically
> forward DCC traffic to the victim's internal system, and using what's known
> as NAT traversal an attacker can access any port that's open on the local
> system. For the hack to work, the visitor must have an application such as
> file transfer protocol or session initiation protocol running on his machine.
> The hack does not guarantee an attacker will be able to compromise that
> service, but it does give the attacker the ability to probe it in the hope
> of finding a weak password or a vulnerability that will expose data or system
> resources. Source:
> http://www.theregister.co.uk/2010/01/06/web_based_firewall_attack/
>
>
>
>
> Thanks,
>
>
> Ron DuFresne
> - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: sysinfo.com
> http://sysinfo.com
> Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
>
> These things happened. They were glorious and they changed the world...,
> and then we fucked up the endgame. --Charlie Wilson
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
>
> iD8DBQFLR3qist+vzJSwZikRAotcAJ9fHEWAOm2N5xFKww7/wA9O+YYdeACfZUEZ
> uZciRDQsRu1kZZQUZctPwmY=
> =KCsu
> -----END PGP SIGNATURE-----
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


------------------------------

Message: 4
Date: Mon, 11 Jan 2010 21:14:47 -0800 (PST)
From: david@lang.hm
Subject: Re: [fw-wiz] Use of single port aggregations to enhance
security
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.00.1001112113320.3341@asgard.lang.hm>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Sat, 9 Jan 2010, ArkanoiD wrote:

> I thought *every* operating system follows the rule "apply
> packet filtering first, bring interfaces up later" nowdays?

They all can, but not all do by default. Worst case doing this takes
inserting your rules in a custom init script that fires prior to the
network startup.

David Lang

> On Wed, Jan 06, 2010 at 06:12:46AM +1100, Darren Reed wrote:
>> So what difference can this make?
>>
>> If you're using an operating system based firewall (Linux,
>> BSD, Solaris), then depending on the order of the operating
>> system enabling firewalls capabilities vs networking, there
>> may be windows where packets are able to reach code paths
>> that they weren't intended for because nic drivers start
>> servicing packets quite early.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


------------------------------

Message: 5
Date: Tue, 12 Jan 2010 10:56:16 +0300
From: Farrukh Haroon <farrukhharoon@gmail.com>
Subject: Re: [fw-wiz] Hacker pierces hardware firewalls with web page.
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<eff3217d1001112356w7b0a1759we7c27eaf287e5b04@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Perhaps they are exploiting UPnP in some obscure way to achieve this?

Regards

Farrukh

On Tue, Jan 12, 2010 at 5:51 AM, <david@lang.hm> wrote:

> I've seen several other posts where people make use of browser exploits to
> trick the browser into submitting a form to the router/firewall, and if the
> router has the default password, the attacker can then configure the
> firewall any way they want.
>
> This sounds a little different. This sounds like it is exploiting standard
> protocols.
>
> With FTP the client connect to the server, then at the start of a file
> transfer the client tells the server what port to connect to on the client.
> A 'helpful' firewall will watch for this message and reconfigure itself to
> allow traffic to that port. IIRC for FTP this data connection is one-way
> (with acks flowing the other way), but with SIP the port is used for data in
> both directions.
>
> This sounds like the attacker is managing to use javascript to make a
> connection out that the firewall thinks is a protocol like this, and then by
> specifying the port they want to attack, tricking the firewall into opening
> that port up so that it can be attacked from the server the javascript
> connected to.
>
> David Lang
>
>
>
>
> On Fri, 8 Jan 2010, R. DuFresne wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>>
>> In reading this, I get the impression this is not a fault in the firewalls
>> themselves, but more an issue with the configuration of firewalls having
>> been 'tested' by this hacker. Am I wrong in reading this news in that
>> fashion?::
>>
>>
>> January 6, The Register - (International) Hacker pierces hardware
>> firewalls with web page. On January 5, a hacker demonstrated a way to
>> identify a browser's geographical location by exploiting weaknesses in many
>> WiFi
>> routers. Now, the same hacker is back with a simple method to penetrate
>> hardware firewalls using little more than some javascript embedded in a
>> webpage. By luring victims to a malicious link, the attacker can access
>> virtually any service on their machine, even when it's behind certain
>> routers that automatically block it to the outside world. The method has
>> been tested on a Belkin N1 Vision Wireless router, and the hacker says he
>> suspects other devices are also vulnerable. "What this means is I can
>> penetrate their firewall/router and connect to the port that I specified,
>> even though the firewall should never forward that port," the hacker told
>> the Register. "This defeats that security by visiting a simple web page. No
>> authentication, XSS, user input, etc. is required." The hacker's
>> proof-ofconcept page forces the visitor to submit a hidden form on port
>> 6667, the standard port for internet relay chat. Using a hidden value, the
>> form surreptitiously coerces the victim to establish a DCC, or direct
>> client-to-client, connection. Vulnerable routers will then automatically
>> forward DCC traffic to the victim's internal system, and using what's known
>> as NAT traversal an attacker can access any port that's open on the local
>> system. For the hack to work, the visitor must have an application such as
>> file transfer protocol or session initiation protocol running on his
>> machine. The hack does not guarantee an attacker will be able to compromise
>> that service, but it does give the attacker the ability to probe it in the
>> hope of finding a weak password or a vulnerability that will expose data or
>> system resources. Source:
>> http://www.theregister.co.uk/2010/01/06/web_based_firewall_attack/
>>
>>
>>
>>
>> Thanks,
>>
>>
>> Ron DuFresne
>> - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> admin & senior security consultant: sysinfo.com
>> http://sysinfo.com
>> Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
>>
>> These things happened. They were glorious and they changed the world...,
>> and then we fucked up the endgame. --Charlie Wilson
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.5 (GNU/Linux)
>>
>> iD8DBQFLR3qist+vzJSwZikRAotcAJ9fHEWAOm2N5xFKww7/wA9O+YYdeACfZUEZ
>> uZciRDQsRu1kZZQUZctPwmY=
>> =KCsu
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>
>> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20100112/7f924185/attachment-0001.html>

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 45, Issue 4
***********************************************

No comments: