Title: Multiple Firewall Vendor FTP "ALG" Client Vulnerability
Severity: MODERATE
Description:
A vulnerability exists in the handling of certain rules on many firewalls that may allow users outside the firewall to gain limited access to areas behind it. Whereas previous descriptions of attacks of this style were server based, it is also possible to use client-based programs to exploit these problems.
For instance, an attacker could send an email containing a tag such as the following: <img src="ftp://ftp.rooted.com/aaaa[lots of A]aaaPORT 1,2,3,4,0,139">
By balancing the number of A's so that the PORT command begins on a new packet boundary, the firewall incorrectly parses the resulting RETR /aaaaaaaa[....]aaaaaPORT 1,2,3,4,0,139 first as a RETR and then as a PORT command, and opens port 139 to the origin address. This allows the server site to connect to port 139 on the client. Any port could be used in place of 139, unless the firewall blocks "known server ports."
Versions of Firewall-1 4.1 and prior are believed vulnerable. Versions of Cisco PIX up to and including the current 5.0(1) are believed vulnerable.
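An added illustration, not code from the advisory or from any vendor's product, of the parsing difference described above: a naive ALG that treats each TCP segment as a complete FTP command line beside one that reassembles CRLF-terminated lines before interpreting them. The segment contents, the client address, the 512-byte line limit and the check that a PORT address matches the client's own are constructed assumptions (the address check is a standard hardening, not something the advisory states).

```python
from typing import List, Optional, Tuple

# Constructed sample: the client's request split across two TCP segments so that
# the text "PORT ..." begins exactly on a segment boundary, as the advisory describes.
# The padding length here is arbitrary; it is not the length any real firewall needs.
CLIENT_IP = "10.0.0.5"
SEGMENTS = [
    b"RETR /" + b"a" * 40,         # first segment: RETR with an over-long argument, no CRLF
    b"PORT 1,2,3,4,0,139\r\n",     # second segment: what the naive ALG sees as a new command
]

def parse_port_arg(arg: str) -> Optional[Tuple[str, int]]:
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port); None if malformed."""
    parts = arg.split(",")
    if len(parts) != 6 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return None
    return ".".join(parts[:4]), int(parts[4]) * 256 + int(parts[5])

def naive_alg(segments: List[bytes]) -> List[Tuple[str, int]]:
    """Vulnerable behaviour: each segment is taken as a full command line, so a
    PORT at the start of any segment opens an inbound pinhole to that address."""
    holes = []
    for seg in segments:
        text = seg.decode("ascii", "replace").strip()
        if text.upper().startswith("PORT "):
            parsed = parse_port_arg(text[5:])
            if parsed:
                holes.append(parsed)
    return holes

def hardened_alg(segments: List[bytes], client_ip: str, max_line: int = 512) -> List[Tuple[str, int]]:
    """Buffer bytes across segments and only interpret complete CRLF-terminated lines,
    drop the session if a line grows past max_line, and honour a PORT only when the
    address it names is the client's own (hypothetical policy, see lead-in)."""
    holes, buf = [], b""
    for seg in segments:
        buf += seg
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            text = line.decode("ascii", "replace")
            if text.upper().startswith("PORT "):
                parsed = parse_port_arg(text[5:])
                if parsed and parsed[0] == client_ip:
                    holes.append(parsed)
        if len(buf) > max_line:
            raise ValueError("FTP command line too long; dropping session")
    return holes
```

Run against SEGMENTS, naive_alg opens a pinhole to 1.2.3.4:139 while hardened_alg sees a single RETR line and opens nothing.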
Affected Products:
- Check Point Software Firewall-1 3.0.0
- Check Point Software Firewall-1 4.0.0
- Cisco PIX Firewall 4.1.6
- Cisco PIX Firewall 4.1.6b
- Cisco PIX Firewall 4.2.1
- Cisco PIX Firewall 4.2.2
- Cisco PIX Firewall 4.3.0
- Cisco PIX Firewall 4.4.0(4)
- Cisco PIX Firewall 5.0.0
- Cisco PIX Firewall 5.1.0
- Cisco PIX Firewall 515
- Cisco PIX Firewall 520
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.