
RE: HTTP API question



Hello,

We have been using version 1.15 of httpapi successfully for some time to
query credit card info via https. Since updating our firewall's
SmartDefense definitions, however, SSL packets originating from the AS/400
are blocked because of malformed packets. Checkpoint's SmartDefense
claims that the AS/400 is sending a malformed packet whose field lengths
do not match. Does anyone know if this can be corrected on the httpapi
side?

Here is the detailed info from the log and the advisories from
Checkpoint:
 
Product:                       	SmartDefense
Attack Name:               	Invalid SSL Packet
Attack Information:      	SSLv3: Malformed packet (field lengths do not match)
Interface:                     	eth1
Origin:                         	cpx
SmartDefense Profile:	Default_Protection
Type:                           	Log
Service:                       	https (443)
Source:                        	wwc400 (192.168.101.6)
Destination:                	213.83.23.202
Protocol:                      	tcp
Source Port:                	36199

Check Point Reference:  CPAI-2004-38  
Industry Reference:  CAN-2003-0719
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0719) 
Severity:  Critical  
Description:  
A remote attacker could construct a specially crafted SSL negotiation
packet and perform a SSL handshake against a server that uses the SSL
library in such a way that could cause the library to crash. One
vulnerability lies within a malformed Change Cipher Spec message,
another in an excessively large Challenge. 
 
SmartDefense Protection:  
When this protection is enabled, SmartDefense will identify and drop
malformed SSL Client Hello packets. 
 
Attack Detection:  
Using SmartView Tracker, users of VPN-1 NG with Application Intelligence
R55 will be able to identify drop logs with rule number 99443. 

The Checkpoint reference above lists this:

Attack ID: CPAI-2004-38 

Severity: Critical 
 
  A vulnerability exists in Netscape's Network Security Services SSL
library when using SSL version 2 messages. A specially crafted "Client
Hello" packet may cause the server to crash and possibly lead to remote
code execution. 
 
 
Details: A vulnerability exists in the SSL version 2 parsing engine of
Netscape's Network Security Server. A "Client Hello" message request
with an excessive challenge length (greater than 32 Bytes) leads to a
buffer overflow. A malicious user may use this vulnerability and
overwrite the heap with arbitrary data, which may lead to arbitrary
remote code execution on the target machine and gain complete control
over it, as the NSS service runs under Root privileges.

Attack Detection: Using SmartView Tracker, users of VPN-1 NG with
Application Intelligence R55 will be able to identify dropped logs with
rule number 99443 displayed in the log viewer window. 
Users of VPN-1 NG with Application Intelligence R55W and InterSpect will
receive the following logs: 

Attack name: VPN Protection (for all logs)

Attack Information may vary: 
Malformed SSL packet detected
SSLv2: Illegal Server Hello handshake type 
SSLv2: Illegal Client Hello message type 
SSLv2: Malformed packet (field lengths do not match)
SSLv2: Illegal protocol version number
SSLv2: Illegal Client Hello CipherSuites length
SSLv2: Illegal Client Hello Session ID length
SSLv2: Illegal Client Hello Challenge length
SSLv3: Illegal protocol version number
SSLv3: Illegal Server Hello handshake type
SSLv3: Illegal Session ID length
SSLv3: Malformed packet (field lengths do not match)
SSLv3: Illegal Client Hello compression methods length
SSLv3: Illegal Client Hello CipherSuites length 
 

-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
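
An added example, not part of the original post and not Check Point's detection logic: a structural check of one captured ClientHello (the TCP payload of the first packet the client sends) against the SSLv2 and SSLv3 length fields, to see which field a capture from the AS/400 would trip on. It assumes the whole hello sits in a single unfragmented record; the function names and sample bytes are constructed for this illustration.

```python
import struct

def check_client_hello(pkt: bytes) -> list:
    """Return the length problems found in one captured ClientHello (TCP payload)."""
    if len(pkt) >= 2 and pkt[0] & 0x80:            # SSLv2: 2-byte header, high bit set
        return _check_v2(pkt)
    return _check_v3(pkt)

def _check_v2(pkt):
    if len(pkt) < 11:
        return ["SSLv2: truncated header"]
    rec_len = ((pkt[0] & 0x7F) << 8) | pkt[1]       # bytes following the 2-byte header
    msg_type, _ver, cs, sid, ch = struct.unpack("!BHHHH", pkt[2:11])
    checks = ((msg_type != 1, "not a Client Hello"),
              (cs == 0 or cs % 3, f"illegal CipherSuites length {cs}"),
              (sid not in (0, 16), f"illegal Session ID length {sid}"),
              (not 16 <= ch <= 32, f"illegal Challenge length {ch}"),
              (rec_len != len(pkt) - 2 or rec_len != 9 + cs + sid + ch, "field lengths do not match"))
    return ["SSLv2: " + msg for bad, msg in checks if bad]

def _check_v3(pkt):
    if len(pkt) < 9 or pkt[0] != 22 or pkt[5] != 1:
        return ["SSLv3: not a Client Hello handshake record"]
    rec_len, hs_len = struct.unpack("!H", pkt[3:5])[0], int.from_bytes(pkt[6:9], "big")
    body, issues = pkt[9:], []
    if rec_len != len(pkt) - 5 or hs_len != rec_len - 4:
        issues.append("SSLv3: record/handshake lengths do not match")
    pos = 34                                        # client_version(2) + random(32)
    for name, width, ok in (("Session ID", 1, lambda n: n <= 32),
                            ("CipherSuites", 2, lambda n: n >= 2 and n % 2 == 0),
                            ("compression methods", 1, lambda n: n >= 1)):
        if pos + width > len(body):
            return issues + [f"SSLv3: truncated before {name} length"]
        n = int.from_bytes(body[pos:pos + width], "big")
        if not ok(n):
            issues.append(f"SSLv3: illegal {name} length {n}")
        pos += width + n
    if pos + 2 <= len(body):                        # TLS extensions block, if present
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")
    if pos != hs_len:                               # declared length vs. sum of the fields
        issues.append("SSLv3: field lengths do not match")
    return issues

# Constructed samples (not taken from the AS/400 traffic described in the post)
_BODY = b"\x03\x00" + bytes(32) + b"\x00" + b"\x00\x02\x00\x0a" + b"\x01\x00"
GOOD_V3 = b"\x16\x03\x00" + struct.pack("!H", len(_BODY) + 4) + b"\x01" + len(_BODY).to_bytes(3, "big") + _BODY
BAD_V3 = GOOD_V3[:6] + (len(_BODY) + 3).to_bytes(3, "big") + GOOD_V3[9:]   # handshake length off by 3
BIG_CHALLENGE_V2 = b"\x80\x2d" + struct.pack("!BHHHH", 1, 2, 3, 0, 33) + b"\x00\x00\x0a" + bytes(33)
```

Feeding it the first client-to-server payload from a packet capture taken on the AS/400 side of the firewall shows whether the hello is really inconsistent or whether the firewall signature is misfiring.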