Checkpoint FW-1 and "ftp missing newline char" attack

am 29.09.2004 19:06:59 von lgdolan

Howdy.

I'm trying to log in to a customer's ftp server from an AIX 5.3 box
behind FW-1. This is eventually going to be a cron job, but right now
I'm trying it manually for testing purposes.

I *have* to use passive mode.

Logging in defaults to active. No problem cding, lsing, getting, etc.
Then I issue the passive command, after which any attempt to use the
data port completely hangs the session.

Checking SmartView Tracker says that the firewall rejected the data
request due to an 'ftp missing newline char' attack, and subsequent
packets get dropped because they're out of state.

The admin at the customer site swears up and down that he's got
passive mode enabled and the high ports open to me on his end. I've
tried logging in to both his AS/400 and his MS box with the same
results.

Anybody have any ideas?

Thanks.

I should probably add that ncftp, which apparently defaults to passive
mode for data transfer, hangs in the same way as the normal client.

Re: Checkpoint FW-1 and "ftp missing newline char" attack

am 30.09.2004 01:18:43 von Rob Hughes

Liam Dolan is alleged to have said in comp.security.firewalls:

> Checking SmartView Tracker says that the firewall rejected the data
> request due to an 'ftp missing newline char' attack, and subsequent
> packets get dropped because they're out of state.
>

Run cpstop.

Look for this section:

// Use this if you do not want the FW-1 module to insist on a newline at the
// end of the PORT command:
// #define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)

#define FTP_ENFORCE_NL


Change it to this:

// Use this if you do not want the FW-1 module to insist on a newline at the
// end of the PORT command:
#define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)

//#define FTP_ENFORCE_NL

Run cpstart.

Install the policy.

Enjoy.

--
If at first you don't succeed, skydiving is not for you.
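The check the two posts above are talking about can be illustrated with a small model of a stateful FTP helper. This is an added example written for this page, not Check Point code and not a description of how FW-1 implements the check internally; it assumes only the behaviour Rob's comment describes (the module insists on a newline at the end of the PORT command before it will parse it and open the data connection), and applies the same rule to the server's 227 passive-mode reply that lgdolan's passive sessions depend on. The control-channel lines are constructed, the function names are hypothetical, and the enforce_newline flag plays the role of FTP_ENFORCE_NL.

```python
import re

# Constructed sample of FTP control-channel segments (not captured from the
# systems in the thread). One PORT and one 227 reply lack a line terminator.
SAMPLE_SEGMENTS = [
    b"USER bob\r\n",                                    # ordinary command
    b"PORT 192,168,1,10,4,1\r\n",                       # well-formed, CRLF terminated
    b"PORT 192,168,1,10,4,1",                           # missing the newline
    b"227 Entering Passive Mode (10,0,0,5,19,137).\r\n",# well-formed server reply
    b"227 Entering Passive Mode (10,0,0,5,19,137).",    # missing the newline
    b"PORT 192,168,1,10,400,1\r\n",                     # octet out of range
]

OCTETS = rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(rb"^PORT " + OCTETS + rb"$", re.IGNORECASE)
PASV_RE = re.compile(rb"^227 .*\(" + OCTETS + rb"\)")
MISSING_NL = "ftp missing newline char"   # the reason string the tracker shows


def decode_endpoint(match):
    """Turn the six h1,h2,h3,h4,p1,p2 values into (ip, port); None if out of range."""
    octets = [int(x) for x in match.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]


def inspect_segment(segment: bytes, enforce_newline: bool = True) -> dict:
    """Decide whether one control-channel segment may open a data pinhole.

    Returns {'verdict': 'pass' | 'accept' | 'reject', 'reason': ..., 'endpoint': ...}.
    'pass' means the segment carries no data-port announcement at all.
    """
    terminated = segment.endswith(b"\n")          # the property FTP_ENFORCE_NL checks
    line = segment.rstrip(b"\r\n")

    if line.upper().startswith(b"PORT "):
        kind, pattern = "PORT", PORT_RE
    elif line.startswith(b"227"):
        kind, pattern = "PASV", PASV_RE
    else:
        return {"verdict": "pass", "reason": "no data-port announcement", "endpoint": None}

    if enforce_newline and not terminated:
        # With enforcement on, an unterminated announcement is refused outright
        # rather than parsed; this is the event lgdolan saw in SmartView Tracker.
        return {"verdict": "reject", "reason": MISSING_NL, "endpoint": None}

    match = pattern.match(line)
    if not match:
        return {"verdict": "reject", "reason": f"malformed {kind} announcement", "endpoint": None}
    endpoint = decode_endpoint(match)
    if endpoint is None:
        return {"verdict": "reject", "reason": f"{kind} octet out of range", "endpoint": None}
    return {"verdict": "accept", "reason": f"{kind} pinhole", "endpoint": endpoint}


def run_inspection(segments, enforce_newline: bool = True):
    """Inspect a list of segments and return the verdict dicts in order."""
    return [inspect_segment(s, enforce_newline) for s in segments]


if __name__ == "__main__":
    for flag in (True, False):
        print(f"--- enforce_newline={flag} (FTP_ENFORCE_NL {'defined' if flag else 'commented out'})")
        for seg, result in zip(SAMPLE_SEGMENTS, run_inspection(SAMPLE_SEGMENTS, flag)):
            print(f"{seg!r:55} -> {result['verdict']:6} {result['reason']} {result['endpoint'] or ''}")
```

Running the script prints the verdicts once with the flag on and once with it off. The two unterminated lines are the ones that are logged as "ftp missing newline char" with enforcement on and get a data pinhole with it off, which is exactly the trade-off Rob's edit makes: the relaxed setting restores passive transfers from a client whose announcements arrive without a trailing newline, at the cost of the firewall no longer requiring a complete, terminated command before it opens a port.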

Re: Checkpoint FW-1 and "ftp missing newline char" attack

am 05.10.2004 23:29:01 von PAUL SUKHU

Keep in mind this fix gets wiped out when you upgrade the firewall.


"Rob Hughes" wrote in message
news:9t6dnU7fmdhJ38bcRVn-qg@comcast.com...
> Liam Dolan is alleged to have said in comp.security.firewalls:
>
> > Checking SmartView Tracker says that the firewall rejected the data
> > request due to an 'ftp missing newline char' attack, and subsequent
> > packets get dropped because they're out of state.
> >
>
> Run cpstop.
>
> Look for this section:
>
> // Use this if you do not want the FW-1 module to insist on a newline at the
> // end of the PORT command:
> // #define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)
>
> #define FTP_ENFORCE_NL
>
>
> Change it to this:
>
> // Use this if you do not want the FW-1 module to insist on a newline at the
> // end of the PORT command:
> #define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)
>
> //#define FTP_ENFORCE_NL
>
> Run cpstart.
>
> Install the policy.
>
> Enjoy.
>
> --
> If at first you don't succeed, skydiving is not for you.
>

Re: Checkpoint FW-1 and "ftp missing newline char" attack

am 06.10.2004 14:37:08 von lgdolan

> Keep in mind this fix gets wiped out when you upgrade the firewall.

When I install a new policy, or when I actually upgrade the server?

In any case, the fix seems to work on my external fw. Now I've gotta
schedule the downtime for the internal one to see if it takes care of
it there, too.

Thanks, folks.

Re: Checkpoint FW-1 and "ftp missing newline char" attack

am 05.12.2006 19:09:18 von kundy00

So what is the script that we are supposed to use? I'm not seeing it.


--
kundy00
------------------------------------------------------------------------
kundy00's Profile: http://unixadmintalk.com/554
View this thread: http://unixadmintalk.com/showthread.php?t=84325

Re: Checkpoint FW-1 and "ftp missing newline char" attack

am 08.12.2006 00:34:12 von larstr

kundy00 wrote:

: So what is the script that we are supposed to use? I'm not seeing it.


What version is this? I believe this check was somewhat buggy; at least
it seemed that you wouldn't get a very reliable ftp service with this
option enabled.

The background for this option can be found in this bugtraq posting:
http://archive.cert.uni-stuttgart.de/archive/bugtraq/2000/02/msg00199.html

Lars