A vulnerability exists in the handling of certain rules on many firewalls that may allow users outside the firewall to gain limited access to hosts behind it. Whereas previous descriptions of attacks of this style were server based, it is also possible to use client based programs to exploit these problems, for instance by sending an email which contains a tag such as the following:

<img src="ftp://ftp.rooted.com/aaaa[lots of A]aaaPORT 1,2,3,4,0,139">

By balancing the number of A's so that the PORT command begins on a new boundary, the firewall incorrectly parses the resulting RETR /aaaaaaaa[....]aaaaaPORT 1,2,3,4,0,139 as first a RETR and then a PORT command, and opens port 139 to the origin address. This allows the server site to connect to port 139 on the client. Any port could be used in place of 139, unless the firewall blocks "known server ports."

Versions of Firewall-1 4.1 and prior are believed vulnerable. Versions of Cisco PIX up to and including the current 5.0(1) are believed vulnerable.
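The parsing mistake described above, as an added illustration that is not code from the advisory or from any firewall vendor: a model of a firewall that treats the start of each TCP segment as the start of an FTP command line is placed beside a model that reassembles the control channel and honours PORT only at the start of a complete line. All function names and the constructed traffic are assumptions made for this example; the segment split is simulated in memory, nothing is sent.

```python
import re

# PORT h1,h2,h3,h4,p1,p2 as defined by RFC 959; anchored so it only matches a
# command at the start of whatever the parser believes is a line.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def port_from_args(args):
    """Decode PORT's h1,h2,h3,h4,p1,p2 argument into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in args)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def naive_segment_parser(segments):
    """Flawed model of the firewall in the advisory: the first bytes of every
    TCP segment are assumed to begin a new FTP command line. Returns the
    (ip, port) pinholes such a firewall would open."""
    pinholes = []
    for seg in segments:
        first_line = seg.split("\r\n", 1)[0]
        m = PORT_RE.match(first_line)
        if m:
            pinholes.append(port_from_args(m.groups()))
    return pinholes


def line_based_parser(segments, block_well_known=True):
    """Hardened model: reassemble the control stream and only honour a PORT
    command that begins a complete CRLF-terminated line. Optionally refuse
    well-known server ports, as the advisory notes some firewalls do."""
    stream = "".join(segments)
    pinholes = []
    for line in stream.split("\r\n")[:-1]:  # drop the trailing partial line
        m = PORT_RE.match(line)
        if not m:
            continue
        ip, port = port_from_args(m.groups())
        if block_well_known and port < 1024:
            continue
        pinholes.append((ip, port))
    return pinholes


def build_split_segments(padding=1460):
    """Constructed control-channel traffic modelled on the advisory's example:
    a single RETR line whose filename is padded so that 'PORT ...' lands at
    the start of the second segment (hypothetical split, chosen here)."""
    line = "RETR /" + "a" * padding + "PORT 1,2,3,4,0,139\r\n"
    cut = line.index("PORT")
    return [line[:cut], line[cut:]]
```

Running both parsers over `build_split_segments()` shows the segment-based model opening 1.2.3.4:139 while the line-based model sees only one RETR command and opens nothing.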