-------------------------------------------------------
AlphaShield
doesn`t track connections.
To decide if an
incoming packet belongs to a valid connection started from the client,
the AlphaShield does this:
-for TCP/UDP connections:
it keeps track on source/destination ports and IP´s. On TCP doesn´t
matter about sequence numbers.
-for ICMP: once an echo_request passes through the AlphaShield from
the protected machine to an outside target, all subsequent echo_reply
from the outside target to the protected machine are allowed, it doesn´t
matter if the protected machine only sends 1 echo_request.
-for ARP: all "ARP replys" and "ARP Requests" are
allowed to pass trough the AlphaShield
This filtering way
is not effective, moreover if we consider that the AlphaShield stores
the source/destination IP´s and ports of any new socket, and it
will allow any future incoming/outgoing packet matching those IP´s
and ports. This "packet injection" could be done because of
the stateless tracking method implemented (AlphaShield doesn´t
look the SYN/ACK/FYN/RST...), so it never knows if a connection is still
active or has been closed by any of the two end points.
The tests were done
on a ethernet environment as showed below:
Attacker----Swicth-----AlphaShield-----Protected_PC
(target)
172.26.0.x---------------------------------172.26.0.y
The target machine was running a sniffer in order to see all the packets
received. On the attacker machine we used the well known software "hping2"
as packet generator.
-TCP test:
a) target machine connects with telnet to a telnet server on the Internet,
then it closes the connection. b) attacker
machine sends this packets: source_IP=telnet_server, destination_IP=target,
source_port=23,destination_port=port_from_wich_target_originated_the_connection.
Result: AlphaShield allows all the incoming packets although they aren`t
responses to any request and we can see them with the sniffer on the
target machine. No matter if the sent packet by the attacker
had the SYN/ACK... flag activated, it was allowed.
-UDP test:
a) target machine does a DNS query (UDP) to a nameserver on the Internet.
b) attacker machine sends this packets: source_IP=DNS_server, destination_IP=target,
source_port=53,
destination_port=port_from_wich_target_originated_the_connection. Result:
AlphaShield allows all the incoming packets although they aren`t responses
to any request and we can see them with the sniffer on the target machine.
-ICMP test:
a) target machine does a simple (echo_request/echo_reply) to a server
on the Internet. b) attacker machine sends ICMP´s (echo_reply)
with source_address=server, destination_address=target. Result: AlphaShield
allows all the subsequent incoming echo_reply although
they aren`t responses to any request and we can see them with the sniffer
on the target machine.
-ARP test
(with "arpoison"): a) attacker machine sends "ARP
replys" to the target machine. It doesn´t matter the source
IP, MAC... Result: AlphaShield allows the incoming packets
although they aren`t responses to any request and we can see them with
the sniffer on the target machine. All incoming broadcast
"ARP request" are also allowed. An ARP spoofing
attack could be done easily. All the target traffic could be redirected
to the attacker machine. (This is not an AlphaShield flaw, but it shows
the danger of allowing incoming ARP packets without any kind of checking.
We have to notice
that most of the attacks described above are only possible in those
scenarios were the target has a routable IP address from the attacker
machine. But in the worst case (target machine with private address
and attacker from the Internet with public address), the responsable
of stopping such attacks would be the forwarding/natting device in front
of the AlphaShield and not the AlphaShield itself, so it does not apply
to the goal of this paper: the analisys of the AlphaShield.
With this paper we would like to show real vulnerabilities on the Saafnet
AlphaShield device that can be exploited remotely.
Soon we will have
real examples on how to exploit this remotely here
Hugo Vázquez
Caramés & Toni Cortés Martínez
www.infohacking.com
Barcelona
Spain
-------------------------------------------------------
INFOHACKING_RESEARCH_DIRECTORY
GO_TO_INDEX!
