SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Firewall)  >   FireWall-1/VPN-1
Vendors:   Check Point
Check Point FireWall-1 and VPN-1 Both Pass Unauthorized RDP Packets
SecurityTracker Alert ID:  1001947
SecurityTracker URL:  http://securitytracker.com/id/1001947
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Jul 13 2001
Original Entry Date:  Jul 9 2001
Impact:   Host/resource access via network
Vendor Confirmed:  Yes  
Version(s): Check Point VPN-1(TM) & FireWall-1(R) Version 4.1; Build 41439 [VPN + DES], Build 41439 [VPN + DES + STRONG], Build 41716 [VPN + DES + STRONG] (SP2) were tested.
Description:   Inside Security reported a vulnerability in Check Point's FireWall-1 and VPN-1 products. The security hole allows any remote user to send RDP packets through the firewall in either direction.

If the product is configured to use the default 'implied rules' (used for firewall management communications), a remote user can create a fake Reliable Data Protocol (RDP) packet and send it through the firewall, in either direction, to any host.

FireWall-1 uses RDP on top of the User Datagram Protocol (UDP) to establish encrypted management sessions. It is reported that only the destination port (259) and the RDP command are verified by FireWall-1. As a result, a remote user can add a fake RDP header to normal UDP traffic to pass any data to port 259 on any remote host on either side of the firewall.

This vulnerability could allow unauthorized tunnels to be set up through the firewall.

The vulnerability is reportedly due to INSPECT code in the macro 'accept_fw1_rdp' that specifies that any UDP packet destined for port 259 and containing the RDPCRYPT command type (i.e., RDPCRYPTCMD, RDPUSERCMD or RDPSTATUSCMD) or the RDPCRYPT_RESTART command type (RDPCRYPT_RESTARTCMD) is permitted to pass through the firewall.

Impact:   A remote user can send data through the firewall without authorization. A tunnel could be set up to pass information through the firewall in either direction.
Solution:   The vendor is scheduling a fix to be released today (July 9, 2001). Some temporary workarounds are provided in the Source Message.
Vendor URL:  www.checkpoint.com/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Check Point Issues Fix) Re: Check Point FireWall-1 and VPN-1 Both Pass Unauthorized RDP Packets
The vendor has issued a hotfix.
(CIAC Issues Advisory L-109) Re: Check Point FireWall-1 and VPN-1 Both Pass Unauthorized RDP Packets
CIAC issued a security bulletin.
(Proof of Concept Code Released) Re: Check Point FireWall-1 and VPN-1 Both Pass Unauthorized RDP Packets
Proof of concept exploit demonstration code is included.



 Source Message Contents

Subject:  Check Point FireWall-1 RDP Bypass Vulnerability



FOR PUBLIC RELEASE

------------------------------------------------------------------------
Inside Security GmbH Vulnerability Notification
Revision 1.2  2001-07-09
------------------------------------------------------------------------

The latest version of this document is available at
http://www.inside-security.de/advisories/fw1_rdp.html


-----------------------------------------------
Check Point FireWall-1 RDP Bypass Vulnerability
-----------------------------------------------

Summary:
  It is possible to bypass FireWall-1 with faked RDP packets
  if the default implied rules are being used.

  RDP (Reliable Data Protocol, specified in RFC 908) is used by
  FireWall-1 on top of the User Datagram Protocol (UDP) to establish
  encrypted sessions.

  FireWall-1 management rules allow arbitrary eitherbound RDP connections
  to traverse the firewall. Only the destination port (259) and the RDP
  command are verified by FireWall-1. By adding a faked RDP header to normal
  UDP traffic any content can be passed to port 259 on any remote host on
  either side of the firewall.

  Implied rules can't be easily modified or removed (except all together)
  with the FireWall-1 policy editor.


Impact:
  Given access to hosts on both sides of a firewall, a tunnel to bypass
  the firewall could be built using this vulnerability. Such access
  could be gained with a trojan horse that uses this vulnerability to
  connect from the inside back to the machine of the attacker. Arbitrary
  connections from the outside to machines behind the firewall can also
  be established (even if they are supposedly totally blocked from the
  inside and outside by the firewall), for example to communicate with
  infiltrated programs like viruses.


Affected systems:
  Check Point VPN-1(TM) & FireWall-1(R) Version 4.1


Releases tested:
  Build 41439 [VPN + DES]
  Build 41439 [VPN + DES + STRONG]
  Build 41716 [VPN + DES + STRONG] (SP2)


Vendor status:
  The vulnerability has been reported to Check Point and a fix is
  scheduled for today. We want to thank Check Point Software Technologies
  for their quick reaction.


Detailed description:
  As FireWall-1 rulesets are created they are translated into the INSPECT
  language (similar to C) and by default include the file $FWDIR/lib/base.def
  which itself includes $FWDIR/lib/crypt.def in line 259. Together they define
  protocol names and the so called implied rules (for FireWall-1 management).
  In line 62 the macro accept_fw1_rdp is defined to accept any eitherbound
  connection that matches the following characteristics:
    - Protocol UDP
    - Destination port 259 (RDP)
    - RDP Command RDPCRYPTCMD (100), RDPCRYPT_RESTARTCMD (101),
      RDPUSERCMD (150) or RDPSTATUSCMD (128).
  The RDP command types RDPCRYPT = {RDPCRYPTCMD,RDPUSERCMD,RDPSTATUSCMD}
  and RDPCRYPT_RESTART = {RDPCRYPT_RESTARTCMD} will permit traversal of
  faked RDP packets (regardless of the value of NO_ENCRYPTION_FEATURES,
  undefined by default).


Proof of concept code:
  Proof of concept code has been submitted to Check Point. We are planning
  to make this code publicly available within a few days.


Suggested workarounds:
  - Comment out line 2646 of crypt.def (accept_fw1_rdp;)
  - Deactivate implied rules in the Check Point policy editor (and build
    your own rules for management connections).
  - Block UDP traffic to port 259 on your perimeter router.
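As an added illustration (not part of the advisory and not Check Point's INSPECT code), the following Python models the implied-rule check described under "Detailed description" beside an explicit management rule of the kind the second workaround calls for, and audits a set of flow records for traffic that only the implied rule would pass. The host addresses, the management-host set and the RDP command field carried per flow are constructed assumptions.

```python
from dataclasses import dataclass

# RDP command values quoted in the advisory for the implied rule accept_fw1_rdp
RDPCRYPTCMD, RDPCRYPT_RESTARTCMD, RDPSTATUSCMD, RDPUSERCMD = 100, 101, 128, 150
RDPCRYPT = {RDPCRYPTCMD, RDPUSERCMD, RDPSTATUSCMD}
RDPCRYPT_RESTART = {RDPCRYPT_RESTARTCMD}
RDP_PORT = 259


@dataclass(frozen=True)
class Flow:
    proto: str    # "udp" or "tcp"
    src: str      # source address (constructed sample values below)
    dst: str      # destination address
    dport: int    # destination port
    rdp_cmd: int  # RDP command field found in the datagram, -1 if none


def implied_rule_accepts(f: Flow) -> bool:
    """Model of the default implied rule: only protocol, destination port
    and RDP command are checked; the endpoints are never consulted."""
    return (f.proto == "udp" and f.dport == RDP_PORT
            and f.rdp_cmd in RDPCRYPT | RDPCRYPT_RESTART)


def explicit_mgmt_rule_accepts(f: Flow, mgmt_hosts: frozenset) -> bool:
    """Replacement rule per the workaround: same match, but both endpoints
    must belong to the (assumed) set of management/enforcement hosts."""
    return implied_rule_accepts(f) and f.src in mgmt_hosts and f.dst in mgmt_hosts


def audit(flows, mgmt_hosts: frozenset):
    """Flows the implied rule passes but an explicit management rule would not."""
    return [f for f in flows
            if implied_rule_accepts(f) and not explicit_mgmt_rule_accepts(f, mgmt_hosts)]


# Constructed sample: management station 10.0.0.5, firewall module 10.0.0.1
MGMT = frozenset({"10.0.0.5", "10.0.0.1"})
SAMPLE = [
    Flow("udp", "10.0.0.5", "10.0.0.1", 259, RDPCRYPTCMD),            # legitimate
    Flow("udp", "198.51.100.7", "10.0.1.20", 259, RDPUSERCMD),        # faked header, inbound
    Flow("udp", "10.0.1.20", "198.51.100.7", 259, RDPCRYPT_RESTARTCMD),  # faked, outbound
    Flow("udp", "198.51.100.7", "10.0.1.20", 259, 7),                 # unknown command
    Flow("tcp", "198.51.100.7", "10.0.1.20", 259, RDPCRYPTCMD),       # wrong protocol
]

if __name__ == "__main__":
    for f in audit(SAMPLE, MGMT):
        print("UDP/259 flow passed only by the implied rule:", f)
```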


Credits:
  This vulnerability was found and documented by Jochen Thomas Bauer
  <jtb@inside-security.de> and Boris Wesslowski <bw@inside-security.de>
  of Inside Security GmbH, Stuttgart, Germany.


------------------------------------------------------------------------
(C) 2001 Inside Security GmbH
This notice may be redistributed freely provided that redistributed copies
are complete and unmodified, and include all date and version information.

ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES,
INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR IMPLIED WARRANTY OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED
AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL INSIDE SECURITY GMBH BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF
LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION
CONTAINED IN THIS SECURITY BULLETIN, EVEN IF INSIDE SECURITY GMBH HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable
law, void, or unenforceable in any jurisdiction, then such provisions are
waived to the extent necessary for this disclaimer to be otherwise
enforceable in such jurisdiction.
------------------------------------------------------------------------

Copyright 2021, SecurityGlobal.net LLC