Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
Date: Sat Dec 13 2003 - 09:40:37 CST
Well then .. I am happy that non of the firewalls I use accept or pass
fragments packets.
Michael.
On Sat, 13 Dec 2003 15:04:10 -0500
Valdis.Kletnieks@vt.edu wrote:
> On Sat, 13 Dec 2003 03:35:25 MST, Michael Gale
> <michael@bluesuperman.com> said:
>
> > For example the BorderWare Firewall will not accept fragmented
> > packets, they are working on a firewall function that when
> > fragmented packets arrive. It will save the first piece plus all
> > frags until the final one is received. But the packet back together
> > and do a sanity check of some sort. Then pass or drop the packet.
>
> So the problem is that the host may re-assemble a fragmented packet
> with injected data in it.
>
> And we protect against it by.... you got it.. having the firewall
> re-assemble the fragmented packet with injected data and then handing
> the re-assembled full packet (with injected data) to the host.
>
> Whoops.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Sat Dec 13 17:15:55 2003
This archive was generated by hypermail 2.1.8 : Sat Dec 13 2003 - 18:01:02 CST
