III. Exploitation on Firewall
by JUCC ISTF
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */
Like universities' other information systems, desktops or networks, firewalls are computing devices/applications and also have vulnerabilities exposed to certain type of exploitations. Some major firewall exploitations are described here:
1. Information Gathering
Port Scanning is one of the most popular techniques attackers use to discover services they can break into. All terminals connected to a Local Area Network (LAN) or the Internet run many services that listen at well-known and not so well-known ports. A port scan helps the attacker find which ports are accessible through the firewall. Common port scanning techniques include:
2. Denial of Service ("DoS") Attack
DoS attacks are based on packet flooding, which uses up bandwidth, CPU, and memory resources on not just the victim device, but also intervening devices, such as routers, switches, and firewalls. One of the most common DoS attacks is the Smurf attack. In a Smurf attack, the attacker sends a flood of ICMP messages to a reflector or sets of reflectors, with the source IP address in the ICMP echo messages spoofed. The hacker changes these addresses to the address of the target firewall devices and causes flood attack on them, which overwhelm the firewalls so that they cannot function properly.
3. Buffer Overflow Attack
Buffer overflow is an abnormal behaviour where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. Successful exploitations using buffer overflow are resulted from vulnerabilities inside application programs. Certain types of firewalls are known to have such vulnerabilities that may be exploited by hackers. For example, the java services running on port 3858 on a SunOS machine used by SunScreen Firewall as remote administration protocol were found to contain numerous buffer overflows. If hackers managed to exploit these vulnerabilities, it is possible to execute arbitrary code on that machine.
References:
http://www.auditmypc.com/port-scanning.asp
http://nmap.org/book/man-bypass-firewalls-ids.html
http://www.informit.com/articles/article.aspx?p=345618#
http://www.exploit-db.com/exploits/16041/