
PIX Firewall FTP Vulnerability Allows Unauthorized Traffic Through the Firewall

2008-12-18 12:19:09 Source: WEB开发网

Program Files D 0 Tue Mar 7 11:35:11 2000
RECYCLER DHS 0 Mon Mar 13 09:35:51 2000
TEMP DA 0 Tue Mar 7 14:36:31 2000
WINNT D 0 Tue Mar 7 14:30:05 2000

64706 blocks of size 65536. 43841 blocks available

smb: \> quit

-snip--

As we can see, after running the attack program ftp-zone we can now connect to port 139/tcp on the target host and access its shared directories.

If the PIX has the 'logging console debug' option set, all we see is a single connection to port 21:

302001: Built inbound TCP connection 202 for faddr 10.1.2.4/1139 gaddr 10.1.2.3/21 laddr 192.168.205.2/21

Attacker IP: 10.1.2.4

PIX IP: 10.1.2.3

Internal IP: 192.168.205.2

The PIX uses NAT to map port 21 of the internal host 192.168.205.2 to port 21 on 10.1.2.3.

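Below are the packets captured with tcpdump.

In packet 11 we can see that the string that triggers the PIX's unsafe behaviour is:

"227 (10,1,2,3,0,139)': command not understood."

The PIX mistakenly concludes that the FTP server is now opening a passive FTP connection with destination port 139 and an arbitrary source port.

This shows that, before creating a dynamic passive FTP connection, the PIX only checks whether the packet begins with the string "227 (xxx,xxx,xxx,xxx,prt,prt)".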
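The following is an added example, not code from the original article or from Cisco. It contrasts the per-packet check described above with an inspector that reassembles complete reply lines before looking for a 227 reply. The function and class names, the line-length limit, and the sample segments (including the padding in the 500 reply) are constructed for illustration.

```python
import re

# "227 <text> (h1,h2,h3,h4,p1,p2)", anchored at the start of the bytes examined.
PASV = re.compile(rb"227 [^\r\n(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
MAX_LINE = 512  # assumed limit; a longer unterminated reply is treated as hostile


def _decode(m):
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def per_packet_check(payload):
    """The behaviour the article attributes to the PIX: inspect only the
    start of each packet, with no notion of where a reply line begins."""
    m = PASV.match(payload)
    return _decode(m) if m else None


class ReplyLineInspector:
    """Line-aware inspection of the server-to-client control stream."""

    def __init__(self):
        self.buf = b""

    def feed(self, payload):
        """Return the (ip, port) pairs announced by complete 227 reply lines."""
        self.buf += payload
        *lines, self.buf = self.buf.split(b"\r\n")
        if len(self.buf) > MAX_LINE:
            # Do not resynchronise mid-line: that would recreate the flaw.
            raise ValueError("reply line too long, drop the control connection")
        opened = []
        for line in lines:
            m = PASV.match(line)  # a reply code counts only at the start of a line
            if m:
                opened.append(_decode(m))
        return opened


# Constructed sample: one error reply arriving in two TCP segments, the second
# of which begins with the string quoted from packet 11.
SEGMENTS = [
    b"500 '" + b"X" * 20,
    b"227 (10,1,2,3,0,139)': command not understood.\r\n",
]
# Constructed genuine passive reply from the internal server (port 195*256+80).
GENUINE = b"227 Entering Passive Mode (192,168,205,2,195,80)\r\n"
```

The per-packet check treats the second segment as a passive-mode reply for port 139, while the line-aware inspector sees a single 500 reply and opens nothing.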

Packet 1

Timestamp: 15:02:37.130283

Source Ethernet Address: 00:50:04:28:FE:EB

Destination Ethernet Address: 00:D0:B7:0E:18:AB

Encapsulated Protocol: IP

IP Header

Version: 4

Header Length: 20 bytes

Service Type: 0x00

Datagram Length: 60 bytes

Identification: 0x04CF

Flags: MF=off, DF=on

Fragment Offset: 0

TTL: 64

Encapsulated Protocol: TCP

Header Checksum: 0x1D4C

Source IP Address: 10.1.2.4

Destination IP Address: 10.1.2.3

TCP Header

Source Port: 1139 ()

Destination Port: 21 (ftp)

Sequence Number: 1818403974

Acknowledgement Number: 0000000000

Header Length: 40 bytes (data=0)

Flags: URG=off, ACK=off, PSH=off

RST=off, SYN=on, FIN=off

Window Advertisement: 128 bytes

Checksum: 0x78CB

Urgent Pointer: 0

TCP Data

-----------------------------------------------------------------

Packet 2

Timestamp: 15:02:37.130720

Source Ethernet Address: 00:D0:B7:0E:18:AB

Destination Ethernet Address: 00:50:04:28:FE:EB

Encapsulated Protocol: IP

IP Header

Version: 4

Header Length: 20 bytes

Service Type: 0x00

Datagram Length: 44 bytes

Identification: 0x4311


Entered by: 爽爽