SecurityTracker.com
SecurityTracker Archives

Category: Application (Firewall) > FireWall-1/VPN-1
Vendors: Check Point
Check Point FireWall-1 Remote Management GUI Lets Remote Administrators Create or Overwrite Files on the Firewall with Root Level Privileges
SecurityTracker Alert ID: 1002377
SecurityTracker URL: http://securitytracker.com/id/1002377
CVE Reference: GENERIC-MAP-NOMATCH (no CVE assigned)
Date: Sep 8 2001
Impact: Denial of service via local system, Denial of service via network
Exploit Included: Yes
Version(s): 3.0b through 4.1 SP3
Description:   A vulnerability was reported in the Log Viewer of Check Point FireWall-1's remote administrative GUI. A valid firewall administrator can use the Log Viewer's File->Save As function to create or overwrite files on the firewall management station, and the write is performed by the management process running as root.

It is reported that a remote administrative user with no login access to the firewall can enter an arbitrary absolute path in File->Save As. The Log Viewer appends the *.log extension and, when the destination is outside the default log directory (/etc/fw/log), writes the file without checking whether it already exists. Any existing file with a *.log name can therefore be overwritten, and saving a large log to a small filesystem can fill that filesystem.

It is also reported that an administrative user with non-root login access to the firewall can create or overwrite a file with any name: the user first creates a symbolic link named <name>.log (for example in /tmp) that points at the target file, then saves the log as <name>. The write follows the link, so files such as /.rhosts or /etc/shadow can be created or overwritten.

The content written is log records in the Log Viewer's export ('data') format rather than attacker-chosen bytes, so arbitrary contents cannot be written. As a result, the vulnerability can reportedly be used to cause a denial of service (overwriting /etc/shadow, for example, forces the administrators to boot from CD-ROM to repair the password files) but apparently not to execute arbitrary code or gain root level access.

Demonstration exploit methods are described in the Source Message.

The vendor was reportedly notified on January 30, 2001 and acknowledged the report on February 1, 2001; the reporter states that no further response was received.

Impact:   A firewall administrator without direct login access to the firewall can create or overwrite files with a *.log name on the system. A firewall administrator with login access to the firewall can create or overwrite any file on the system by way of a symbolic link. Denial of service conditions can be caused by overwriting critical files.
Solution:   No solution was available at the time of this entry. The reporter suggests that the vendor restrict File->Save As to the default log directory and refuse to overwrite existing files (or at least prompt first), and that sites grant GUI access only to administrators who already have superuser access to the firewall operating system. Upgrading to 4.1 SP3 does not fix the bug.
Vendor URL:  www.checkpoint.com/techsupport/alerts/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
Underlying OS Comments:  tested on Solaris 2.6-2.7

Message History:   None.


 Source Message Contents

Subject:  Bug in remote GUI access in CheckPoint Firewall


There is a bug in how the desktop GUI for managing 
 a CheckPoint firewall handles log viewer saves. 
Regardless of the type of user defined for GUI 
access, the user can save the file to any 
directory they wish as well as a few other things. 
This has been verified from ver. 3.0b through ver. 
4.1 SP2. The vendor was contacted on 
January 30, 2001 and responded on February 1, 2001 
that they were looking into it. They have not 
responded to any emails since then in an attempt 
to get status information with regards to this 
bug. I have since then verified that ver. 4.1 SP3 
also contains the bug.

Below in dashes is contents of the email sent to 
the vendor:

--------------------------------------------------

Check Point Firewall-1 ver. 3.0b through 4.1 SP2 
on the Solaris 2.6-2.7 (latest patches) platform

BUG found on 01/26/01 by Alan Darien, 
SecureTrendz, Inc. 

Product: Check Point Firewall-1 ver. 3.0b through 4.1 SP2
Platform: Sun Microsystems Ultra-2
Operating System: Solaris 2.6 and Solaris 2.7 with latest patches

I have found a bug that exists in all versions of 
Check Point Firewall. I have verified it in ver. 
3.0b, ver. 4.0 and ver. 4.1 with SP2.  The bug is 
local to the firewalled workstation.

Description:
As a remote administrative user with write 
privileges of the Firewall using the remote 
GUI-client Log Viewer application, I can cause 
potential DoS actions.

I can create and overwrite any file anywhere on 
the system except the active log file (fw.log). 
Under Firewall ver. 3.0b and ver. 4.0, I can also 
do this with Monitor, Read-Only and User-Edit 
privileges. I must log onto the GUI with a given 
user id but the process is actually run as the 
root user on the firewalled system.

Examples:

1. As a firewall administrator with no login 
access to the firewall management station (which 
can be the same as the firewall server), I can use 
the GUI-client to create or overwrite a file by 
launching the Log Viewer and saving my selection 
under File->Save As. I am not prevented from 
inputting a saved location such as: /etc/shadow. 
Nor am I prompted that the file may already exist 
and do I want to overwrite it IF I save to a 
directory other than /etc/fw/log. In the above 
case, a file will be created on the firewall 
management station as /etc/shadow.log. NOTE: The 
".log" extension is automatically appended to the 
saved file. Because of this, I can corrupt certain 
other log files that may have been defined by the 
system administrative team that ends in ".log". 
This assumes that I know of those files. 

a) Launch the firewall GUI-client and open the Log viewer.
b) Save the selection (can narrow the selection if you wish) as /var/adm/vold
c) Now see that I have created (or overwritten) a /var/adm/vold.log file, with a file of type "data"
d) By doing the above with a large log file, a smaller filesystem can be filled up as well
e) Or I can overwrite exported log files as well


As I will show in the next example, it can get 
worse.

2. As a firewall administrator with non-root login 
access to the firewall management station (which 
can be the same as the firewall server), I can use 
the GUI-client to create or overwrite a file by 
launching the Log Viewer and saving my selection 
under File->Save As. Again, I am not prompted that 
the file exists if I save to another directory 
than /etc/fw/log. Now it gets worse. As a user 
with non-root login access I can go to /tmp and 
create a link file such as:
a) ln -s /.rhosts /tmp/trythis.log
b) Launch the firewall GUI-client and open the Log viewer.
c) Save the selection (can narrow the selection if you wish) as /tmp/trythis
d) Now see that I have created a /.rhosts file, albeit a file of type "data"
e) Now create another link: ln -s /etc/shadow /tmp/trythis.log
f) Repeat steps b-c
g) Now see that I have overwritten the /etc/shadow file with data; can we say DoS to system administrators?

The system administrators are forced to boot to 
CD-Rom and fix the password files. 

Fixes:
1. Prevent the use of "/" absolute directory input in the File->Save As option. This forces all saves to the default location only. This is actually what you do for saves from the Policy Editor, so you already have the code for checking for this in-house.
2. Prevent the ability to overwrite any existing files. At the least there should always be a prompt if the file already exists and this will prevent files from being overwritten as well as any link files that may already exist.
3. Upgrade to ver. 4.1 SP2 and only give Firewall GUI access to administrators who also have superuser access to the firewalled operating system.

--------------------------------------------------

As I mentioned above, ver. 4.1 SP3 also contains 
the bug. So upgrading won't fix it BUT is still 
good to do to stay current.

  -  Alan Darien
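The Save As behaviour described in the message, next to one implementation of the reporter's fixes 1 and 2, as an added C example. This is editor-written illustration, not Check Point's code and not code from the reporter: vulnerable_save is a stand-in that models the reported behaviour (user-chosen path, ".log" appended, no checks), hardened_save accepts only a bare file name built from an allowlisted character set and opens the destination with O_CREAT|O_EXCL|O_NOFOLLOW so an existing file or a planted symlink is refused rather than prompted for, and run_demo replays example 2 (ln -s <target> <dir>/trythis.log, then save as <dir>/trythis) in a throwaway directory under /tmp against a constructed stand-in for /etc/shadow. SAMPLE_LOG, the file names and the shadow content are constructed for the demonstration; the code assumes a Linux/glibc build (O_NOFOLLOW, mkdtemp), not the Solaris 2.6/2.7 hosts in the report.

```c
/* Model of the Log Viewer "Save As" bug and of the reporter's fixes 1 and 2.
 * Added illustration, not Check Point code. Build: cc -o saveas saveas.c */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample record standing in for the Log Viewer's exported data. */
static const char SAMPLE_LOG[] = "14:02:11 le0 accept 10.1.1.5 -> 10.2.2.9 tcp/443\n";

static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        buf += n; len -= (size_t)n;
    }
    return 0;
}

/* The reported behaviour: any user-chosen path, ".log" appended, opened for writing
 * (as root on the real firewall) with no checks. A symlink at <path>.log is followed. */
int vulnerable_save(const char *user_path, const char *data, size_t len)
{
    char path[4096];
    if (snprintf(path, sizeof path, "%s.log", user_path) >= (int)sizeof path) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);   /* truncates the link target */
    if (fd < 0) return -1;
    int rc = write_all(fd, data, len);
    close(fd);
    return rc;
}

/* Hardened version. Fix 1: only a bare file name is accepted, so the save stays in
 * log_dir. Fix 2: O_CREAT|O_EXCL|O_NOFOLLOW makes open() fail (EEXIST) when a file or
 * a symlink already sits at the destination. Returns 0 on success, -1 if refused. */
int hardened_save(const char *log_dir, const char *user_name, const char *data, size_t len)
{
    if (user_name == NULL || *user_name == '\0' || *user_name == '.')
        return -1;                               /* "", ".", "..", dotfiles */
    for (const char *p = user_name; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '_' && *p != '-')
            return -1;                           /* '/', spaces, control characters */
    char path[4096];
    if (snprintf(path, sizeof path, "%s/%s.log", log_dir, user_name) >= (int)sizeof path)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    int rc = write_all(fd, data, len);
    close(fd);
    return rc;
}

struct demo_result {
    int vuln_rc;           /* vulnerable_save through the planted symlink    */
    int target_clobbered;  /* 1 if the stand-in /etc/shadow lost its content */
    int hard_abs_rc;       /* hardened_save given an absolute path           */
    int hard_symlink_rc;   /* hardened_save where <name>.log is a symlink    */
    int hard_ok_rc;        /* hardened_save with a fresh, plain name         */
};

/* Replays example 2 from the report in a throwaway directory under /tmp:
 * a stand-in for /etc/shadow, then "ln -s <shadow> <dir>/trythis.log". */
struct demo_result run_demo(void)
{
    struct demo_result r = {0};
    char dir[] = "/tmp/fw1-saveas-XXXXXX", shadow[4096], link[4096], logdir[4096], planted[4096], name[4096], buf[8] = {0};
    if (mkdtemp(dir) == NULL) { perror("mkdtemp"); exit(1); }
    snprintf(shadow, sizeof shadow, "%s/shadow", dir);
    snprintf(link, sizeof link, "%s/trythis.log", dir);
    snprintf(name, sizeof name, "%s/trythis", dir);       /* what the user types in Save As */
    snprintf(logdir, sizeof logdir, "%s/log", dir);
    snprintf(planted, sizeof planted, "%s/evil.log", logdir);
    FILE *f = fopen(shadow, "w"); fputs("root:x:0:0:::\n", f); fclose(f);   /* constructed */
    symlink(shadow, link);                                 /* ln -s /etc/shadow /tmp/trythis.log */
    r.vuln_rc = vulnerable_save(name, SAMPLE_LOG, sizeof SAMPLE_LOG - 1);
    if ((f = fopen(shadow, "r")) != NULL) { fread(buf, 1, 5, f); fclose(f); }
    r.target_clobbered = strncmp(buf, "root:", 5) != 0;    /* log data replaced the content */
    mkdir(logdir, 0700);
    symlink(shadow, planted);                              /* link planted inside the log dir */
    r.hard_abs_rc = hardened_save(logdir, name, SAMPLE_LOG, sizeof SAMPLE_LOG - 1);
    r.hard_symlink_rc = hardened_save(logdir, "evil", SAMPLE_LOG, sizeof SAMPLE_LOG - 1);
    r.hard_ok_rc = hardened_save(logdir, "export-20010908", SAMPLE_LOG, sizeof SAMPLE_LOG - 1);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("vulnerable_save via symlink: rc=%d, stand-in shadow clobbered=%d\n", r.vuln_rc, r.target_clobbered);
    printf("hardened_save: absolute path rc=%d, symlink rc=%d, plain name rc=%d\n", r.hard_abs_rc, r.hard_symlink_rc, r.hard_ok_rc);
    return 0;
}
```

The vulnerable call returns 0 and the stand-in shadow file ends up holding the log record; the hardened call returns -1 for the absolute path and for the planted symlink and 0 only for the plain name in the log directory. Refusing with O_EXCL instead of prompting (the reporter's minimum) also closes the window between a "does it exist?" check and the open, during which a user with shell access could plant the link; the allowlist is deliberately stricter than "no leading slash" because "../" would otherwise walk out of the log directory. The demo leaves its files under /tmp/fw1-saveas-* for inspection.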

Copyright 2021, SecurityGlobal.net LLC