
Re: HTTP API question



HTTPAPI does not generate the SSL encryption or the format of the 
packets.  The operating system does that.  HTTPAPI just tells the 
operating system what needs to be done.

I find the error text to be confusing.  It's discussing things like 
"gaining Root privileges" (which can only happen on a Unix-like machine) 
and SSLv2 flaws, even though it tells you that you're using SSLv3.

It's hard to sort out which parts of the error actually apply to what's 
happening here...   but I suspect that there's nothing that HTTPAPI can 
do about it.  You'll probably need to fix i5/OS, which may mean 
installing the latest PTFs or upgrading to the latest version.  What 
version of i5/OS are you running?


Sawatzki, Peter wrote:
> Hello,
> 
> We have been using version 1.15 of httpapi successfully for some time to
> query credit card info via https. Since updating our firewall's
> SmartDefense definitions, however, SSL packets originating from the AS/400
> are blocked because of malformed packets. Checkpoint's SmartDefense
> claims that the AS/400 is sending a malformed packet whose field lengths
> do not match. Does anyone know if this can be corrected on the httpapi
> side?
> 
> Here is the detailed info from the log and the advisories from
> Checkpoint:
>  
> Product:                       	SmartDefense
> Attack Name:               	Invalid SSL Packet
> Attack Information:      	SSLv3: Malformed packet (field lengths do not match)
> Interface:                     	eth1
> Origin:                         	cpx
> SmartDefense Profile:	Default_Protection
> Type:                           	Log
> Service:                       	https (443)
> Source:                        	wwc400 (192.168.101.6)
> Destination:                	213.83.23.202
> Protocol:                      	tcp
> Source Port:                	36199
> 
> Check Point Reference:  CPAI-2004-38  
> Industry Reference:  CAN-2003-0719
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0719) 
> Severity:  Critical  
> Description:  
> A remote attacker could construct a specially crafted SSL negotiation
> packet and perform a SSL handshake against a server that uses the SSL
> library in such a way that could cause the library to crash. One
> vulnerability lies within a malformed Change Cipher Spec message,
> another in an excessively large Challenge. 
>  
> SmartDefense Protection:  
> When this protection is enabled, SmartDefense will identify and drop
> malformed SSL Client Hello packets. 
>  
> Attack Detection:  
> Using SmartView Tracker, users of VPN-1 NG with Application Intelligence
> R55 will be able to identify drop logs with rule number 99443. 
> 
> The Checkpoint reference above lists this:
> 
> Attack ID: CPAI-2004-38 
> 
> Severity: Critical 
>  
>   A vulnerability exists in Netscape's Network Security Services SSL
> library when using SSL version 2 messages. A specially crafted "Client
> Hello" packet may cause the server to crash and possibly lead to remote
> code execution. 
>  
>  
> Details: A vulnerability exists in the SSL version 2 parsing engine of
> Netscape's Network Security Server. A "Client Hello" message request
> with an excessive challenge length (greater than 32 Bytes) leads to a
> buffer overflow. A malicious user may use this vulnerability and
> overwrite the heap with arbitrary data, which may lead to arbitrary
> remote code execution on the target machine and gain complete control
> over it, as the NSS service runs under Root privileges.
> 
> Attack Detection: Using SmartView Tracker, users of VPN-1 NG with
> Application Intelligence R55 will be able to identify dropped logs with
> rule number 99443 displayed in the log viewer window. 
> Users of VPN-1 NG with Application Intelligence R55W and InterSpect will
> receive the following logs: 
> 
> Attack name: VPN Protection (for all logs)
> 
> Attack Information may vary: 
> Malformed SSL packet detected
> SSLv2: Illegal Server Hello handshake type 
> SSLv2: Illegal Client Hello message type 
> SSLv2: Malformed packet (field lengths do not match)
> SSLv2: Illegal protocol version number
> SSLv2: Illegal Client Hello CipherSuites length
> SSLv2: Illegal Client Hello Session ID length
> SSLv2: Illegal Client Hello Challenge length
> SSLv3: Illegal protocol version number
> SSLv3: Illegal Server Hello handshake type
> SSLv3: Illegal Session ID length
> SSLv3: Malformed packet (field lengths do not match)
> SSLv3: Illegal Client Hello compression methods length
> SSLv3: Illegal Client Hello CipherSuites length 
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
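
Added example (not part of the original thread, and not HTTPAPI, i5/OS or Check Point code): a length-consistency check for a captured SSLv3 Client Hello, the kind of comparison behind a "field lengths do not match" log entry, useful for seeing which length field disagrees in a packet capture. It assumes one unfragmented Client Hello in SSLv3/TLS record format (an SSLv2-format hello is not handled); the function names are hypothetical and the sample bytes are constructed.

```python
def build_client_hello(session_id=b"", suites=(0x000A, 0x0005), hs_len_delta=0):
    """Constructed sample record; hs_len_delta skews the handshake length field."""
    body = b"\x03\x00" + bytes(32)                      # client_version 3.0, random
    body += bytes([len(session_id)]) + session_id
    body += (2 * len(suites)).to_bytes(2, "big")
    body += b"".join(s.to_bytes(2, "big") for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    hs = b"\x01" + (len(body) + hs_len_delta).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + len(hs).to_bytes(2, "big") + hs

def check_client_hello(rec):
    """Return the length inconsistencies found in one Client Hello record."""
    problems = []
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        return ["not a handshake record carrying a Client Hello"]
    rec_len = int.from_bytes(rec[3:5], "big")           # record layer length
    hs_len = int.from_bytes(rec[6:9], "big")            # handshake message length
    if rec_len != len(rec) - 5:
        problems.append("record length does not match captured bytes")
    if hs_len != rec_len - 4:
        problems.append("handshake length does not match record length")
    body, pos = rec[9:], 34                             # skip version (2) + random (32)
    # (field name, width of its length prefix, rule the declared length must meet)
    fields = [("session ID", 1, lambda n: n <= 32),
              ("cipher suites", 2, lambda n: n >= 2 and n % 2 == 0),
              ("compression methods", 1, lambda n: n >= 1)]
    for name, width, ok in fields:
        if pos + width > len(body):
            return problems + [f"{name} length field is past the end of the body"]
        n = int.from_bytes(body[pos:pos + width], "big")
        pos += width + n
        if not ok(n):
            problems.append(f"illegal {name} length {n}")
        if pos > len(body):
            return problems + [f"{name} overruns the body"]
    rest = len(body) - pos                              # TLS extensions, if present
    if rest and (rest < 2 or int.from_bytes(body[pos:pos + 2], "big") != rest - 2):
        problems.append("trailing bytes do not form a valid extensions block")
    return problems

if __name__ == "__main__":
    for label, rec in [("well-formed", build_client_hello()),
                       ("skewed handshake length", build_client_hello(hs_len_delta=3)),
                       ("33-byte session ID", build_client_hello(session_id=bytes(33)))]:
        print(label, "->", check_client_hello(rec) or "consistent")
```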