RE: pushing exploits through the Firewall

From: Evans, Arian (Arian.Evans@fishnetsecurity.com)
Date: Tue Feb 14 2006 - 13:12:23 EST


Mike,

So what I think you may be getting at is one of two things:

1. Most BIND exploits are TCP-based, and most sharp firewall
admins allow only UDP. In this case, no dice.

Three or four years ago there was a UDP based exploit for
BIND, some vuln in recursion I think...anyway go Google. :)

2. Some of the BIND exploits were attacked via overflow in
the protocol headers, so if you are facing a firewall that
does some protocol validation, and DNS is a common/easy one
to do, then your exploit may be blocked over TCP by a protocol
validator that sees a non-RFC compliant/sized header.

3. There are lots of third options that may or may not be
viable. Look for a proxy with CONNECT method enabled to
the outside world, and shove a TCP connection to the BIND
server through their proxy, or Citrix box, or anything
else you can find open.

-ae

> -----Original Message-----
> From: Julian Totzek [mailto:julian.totzek@bristol.de]
> Sent: Monday, February 13, 2006 2:32 PM
> To: Mike Gilligan; pen-test@securityfocus.com
> Subject: AW: pushing exploits through the Firewall
>
>
> > Hi group
> > Say a pentester manages to discover a vulnerable version of BIND running on
> > an external DNS server and has successfully sourced an exploit for the vuln.
> > I'm curious how it would be possible to launch the exploit against the
> > server when a packet filtering device and stateful inspection Firewall sit
> > between the pentester and the vuln host. It would seem at first glance that
> > this is not a viable option. How else might one go about exploiting the
> > vuln?
> >
> Hi Mike,
>
> remember, a firewall is mostly controlling the entrance but not the
> application itself. So if there is an exploit running on port UDP 53 the
> firewall will let it pass, cause it only knows port 53 UDP is legitimate
> traffic.
>
> Sometimes there is some kind of filter enabled in firewalls which will
> block these exploits, but normally there is nothing ;-)
>
> So just go for it and try it :-)
>
> --------------------------------------------------------------
> ----------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking
> applications on your
> website. Up to 75% of cyber attacks are launched on shopping
> carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and
> locked-down servers are
> futile against web application hacking. Check your website
> for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks
> before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------
> -----------------
>
>

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:31 EDT