RE: [cobalt-security] fpipe - interesting security experiment
- Subject: RE: [cobalt-security] fpipe - interesting security experiment
- From: "Drage, Nicholas" <nickd@xxxxxxxxx>
- Date: Wed, 13 Jun 2001 16:41:26 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> This pertains to anyone filtering connections to port 81 on
> their raqs via external firewalls...
>
> I picked up an interesting utility today called fpipe.
http://www.foundstone.com/rdlabs/proddesc/fpipe.html
btw
> This utility allows the user to connect to a server through an open
> port on a firewall... say port 80. Once the connection is established,
> the program enables the user to connect to any port on the server,
> regardless of external firewall rules.
Not quite, as far as I can tell from having read the text at the URL above.
> I decided to try a little experiment. I have a raq3 located behind a
> sonicwall soho firewall. The raq is used only as an email
> server, so only ports 25 and 110 are open on the firewall. This is set up
> using port forwarding, as the raq does not have a public IP address.
OK.
> I fired up fpipe and set the starting connection to port 25,
> and the final source connection to port 81. That means I could connect to
> the server through the firewall on port 25, and then fpipe would allow
> me to forward requests to port 81 on the server.
Not according to the text on the webpage. fpipe allows you to specify the
*source* port of connections, and the destination port, if you point packets
at whichever host it's running on and at the port it's listening on ( -s, -r
and -l respectively ).
It doesn't allow you to connect to that port on the *remote* server you're
trying to connect to, and then somehow jump to a different port. ( if it
did, your comment of "scary" is lacking the necessary 100 exclamation marks )
> The actual client connection from a client program to a server is made
> locally. Fpipe is configured to listen on a local port on the
> client, and then it forwards the client connection to the remote server.
> I set up fpipe to listen on port 100. The command line for this is:
> fpipe -l 100 -s 25 -r 81 <ip address>
>
> I then typed this into my web browser:
> http://localhost:100/.cobalt/sysManage/index.html
>
> And guess what I got? The cobalt user login.... scary.
Yes, but not for the reasons you imagine, as far as I can tell.
One of two things is happening here, I think,
EITHER the IP address you're connecting from is allowed to connect through
the firewall to the admin server anyway, so all fpipe is doing is sending
those packets from a low source port.
OR for some reason, packets with a source port of 25 are traversing the
firewall rules without the destination port being checked. That is a bad
thing.
"EITHER" is an oversight on your part, no big deal, "OR" is scary, well
found :)
> I would suggest that anyone interested in filtering port 81
> on their raqs do so with local ipchains rules, and not just an external
> firewall.
This is worth doing anyway, strength in depth and all that.
( Isn't Sonicwall SOHO ipchains with fluffy add-ons? I should know
this...... )
I haven't played with the software myself, but Kevin's description piqued
(sp?) my interest so I've spent a few minutes reading up. So if I'm
obviously wrong proof would be appreciated, otherwise there is *something*
interesting going on here, so more information is welcome, especially
tcpdumps off the Cobalt, or even netstat output.
BTW - I'm presuming fpipe works on Windows only as it's a Foundstone tool,
doesn't "fragrouter" do something similar for unix?
--
Nick Drage - Security Architecture - Demon Internet - Thus PLC
As of Wed 13/06/2001 at 16:00
This computer has been up for 2 days, 4 hours, 38 minutes, 54 seconds.
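The two explanations Nick offers ("EITHER" the client address was permitted anyway, "OR" the firewall let source-port-25 packets through without checking the destination port) come down to how a stateless packet filter's rules are written. The following is an added example, not code from the thread, from fpipe, or from SonicWall; it models a first-match filter chain in a few lines of Python and runs a connection with source port 25 and destination port 81 through three rule sets: a constructed misconfigured perimeter that matches on source port alone, a corrected perimeter that matches on destination port, and the host-local "ipchains" style rules the thread recommends as defence in depth. The IP addresses, the admin workstation address and the rule syntax are all constructed for the example.

```python
"""Toy first-match packet filter (added example; not fpipe, not a real firewall).

Shows why a perimeter rule written against the *source* port of a packet
lets a connection with source port 25 reach destination port 81, and how
a host-local rule on the server still blocks it.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard for a rule field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src_ip: Optional[str] = ANY      # None means "any"
    src_port: Optional[int] = ANY
    dst_port: Optional[int] = ANY

    def matches(self, pkt: Packet) -> bool:
        return ((self.src_ip is ANY or self.src_ip == pkt.src_ip)
                and (self.src_port is ANY or self.src_port == pkt.src_port)
                and (self.dst_port is ANY or self.dst_port == pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; unmatched packets get the chain's default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed misconfiguration: a stateless filter that tries to let mail
# replies back in by permitting any packet *from* port 25 or 110, with no
# check on the destination port. This is Nick's "OR" case.
PERMISSIVE_PERIMETER = [
    Rule("allow", src_port=25),
    Rule("allow", src_port=110),
    Rule("allow", dst_port=25),
    Rule("allow", dst_port=110),
]

# Corrected perimeter: only the forwarded services are reachable, matched
# on destination port; everything else falls to the default deny.
STRICT_PERIMETER = [
    Rule("allow", dst_port=25),
    Rule("allow", dst_port=110),
]

# Host-local rules on the server itself, modelling the thread's advice to
# filter port 81 with ipchains as well. 10.0.0.5 is a constructed admin host.
HOST_LOCAL = [
    Rule("allow", src_ip="10.0.0.5", dst_port=81),
    Rule("deny", dst_port=81),
    Rule("allow"),  # anything else is left to the perimeter
]
HOST_OPEN = [Rule("allow")]  # server with no local filtering

# Constructed traffic. PROBE is the connection from the thread: source port
# 25 (forced by fpipe -s 25), destination port 81 (the admin server).
PROBE = Packet("203.0.113.7", 25, "192.0.2.10", 81)
MAIL = Packet("203.0.113.7", 40000, "192.0.2.10", 25)
ADMIN_PROBE = Packet("10.0.0.5", 25, "192.0.2.10", 81)


def reaches_admin(perimeter: List[Rule], host_rules: List[Rule], pkt: Packet) -> bool:
    """A packet reaches the admin server only if both chains allow it."""
    return evaluate(perimeter, pkt) == "allow" and evaluate(host_rules, pkt) == "allow"


if __name__ == "__main__":
    for name, perim in (("permissive", PERMISSIVE_PERIMETER), ("strict", STRICT_PERIMETER)):
        for host_name, host in (("no local rules", HOST_OPEN), ("local ipchains", HOST_LOCAL)):
            print(f"{name:10s} perimeter, {host_name:15s}: "
                  f"probe reaches port 81 = {reaches_admin(perim, host, PROBE)}")
```

With the permissive perimeter and no local rules the probe reaches port 81, which is the "scary" result from the thread; adding the destination-port check at the perimeter stops it, and so does the host-local chain on its own, which is why doing both is the sensible answer. The model is deliberately stateless, matching the era's filters; a stateful firewall would not need the source-port allow rules that cause the hole in the first place.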