SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Firewall) > FireWall-1/VPN-1
Vendors:  Check Point
Check Point FireWall-1 Older Versions Use Unsafe Temporary Files When Compiling Security Policies, Allowing Local Users to Elevate Their Privileges
SecurityTracker Alert ID:  1002384
SecurityTracker URL:  http://securitytracker.com/id/1002384
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Sep 11 2001
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 4.0 SP1 and prior
Description:   A vulnerability was reported in earlier versions of Check Point FireWall-1. When firewall policies are compiled, unsafe and predictable temporary files are used, allowing a local user to obtain elevated privileges on the firewall operating system.

It is reported that when a Firewall Policy is compiled, a temporary file is created in the /tmp directory with the file name [policy name].cpp and with mode 666 permissions (rw-rw-rw-). Because the name is predictable and the directory is shared, a local user can place a symbolic link at that path pointing to another critical file and then trigger a policy change; the compiler follows the link and sets the linked file's permissions to world-writable. The local user can then modify the linked file.
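The unsafe temporary-file pattern described above, beside the hardened form a developer would use instead, as an added C example written for this page (not Check Point's code): the function names are hypothetical, and the scratch directory, predictable file name and "victim" file are constructed inline so the demo runs stand-alone.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern from the advisory: a predictable name in a shared
 * directory, mode 0666, no O_EXCL/O_NOFOLLOW. If a symlink was planted
 * at that name, open() follows it and the link target is truncated. */
int open_policy_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened pattern: never follow a symlink, never reuse an existing
 * entry, and create with 0600 so other users cannot read or write it.
 * A planted entry makes this fail with EEXIST (or ELOOP). */
int open_policy_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Demo in a private scratch directory: plant a symlink named like the
 * predictable temp file that points at a constructed "victim" file, then
 * try both openers. Returns 1 if the unsafe opener followed the link and
 * the safe opener refused, 0 otherwise. */
int demo_symlink_race(void) {
    char dir[] = "/tmp/fw1demo.XXXXXX";
    char victim[128], link[128];
    struct stat st;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim.rhosts", dir);
    snprintf(link, sizeof link, "%s/Standard.cpp", dir); /* hypothetical policy name */
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0 || write(vfd, "original\n", 9) != 9) return 0;
    close(vfd);
    if (symlink(victim, link) != 0) return 0;

    int ufd = open_policy_tmp_unsafe(link);
    int followed = (ufd >= 0 && stat(victim, &st) == 0 && st.st_size == 0);
    if (ufd >= 0) close(ufd);
    int sfd = open_policy_tmp_safe(link);
    int refused = (sfd < 0 && (errno == EEXIST || errno == ELOOP));
    if (sfd >= 0) close(sfd);

    unlink(link); unlink(victim); rmdir(dir);
    return followed && refused;
}
```

On a real system the hardened form would also use a per-user or root-only work directory, as the vendor's fix does, rather than any name under /tmp.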

A demonstration exploit scenario is provided in the Source Message.

Impact:   A local user could obtain elevated privileges on the firewall operating system.
Solution:   The vendor fixed the flaw as of version 4.0 SP2. Contact the Vendor regarding upgrades.
Vendor URL:  www.checkpoint.com/techsupport/alerts/
Cause:   Access control error
Underlying OS:  UNIX (Solaris - SunOS)
Underlying OS Comments:  Solaris 2.6-2.7

Message History:   None.


Source Message Contents

Subject:  Bug in compile portion for older versions of CheckPoint Firewalls


There is a bug in how CheckPoint firewalls prior to version 4.0 SP2 handled compiling the firewall policy on Solaris workstations. I was actually migrating a client from version 4.0 SP1 when I stumbled on this. The vendor was contacted on January 30, 2001 and responded on February 2, 2001 that they fixed it in version 4.0 SP2.

I am posting it here in hopes that customers who have not upgraded (surprisingly, I have come across a few who are "afraid" to make those transitions) will see this and do so.

Below in the dashes are portions of the contents of the email I sent to CheckPoint describing the bug.

--------------------------------------------------

Check Point Firewall-1 ver. 3.0b through 4.0 on the Solaris 2.6-2.7 (latest patches) platform

BUG found on 01/26/01 by Alan Darien, SecureTrendz, Inc.


Product:  Check Point Firewall-1 ver. 3.0b through 4.0
Platform:  Sun Microsystem Ultra-2
Operating System:  Solaris 2.6 and Solaris 2.7 with latest patches

I have found a bug that exists in versions of Check Point's Firewall. I have verified it in ver. 3.0b and ver. 4.0. The bug is local to the firewalled workstation.

Description:
When a Firewall Policy is compiled, Firewall compilation creates a temporary file in /tmp with the policy name and ".cpp" appended to it. The access mode of the file is rw-rw-rw- (666). A user can elevate their access levels by exploiting this knowledge.


Example:

If I have firewall remote administrative access with write privileges but again junior system administrator privileges on the firewalled workstation, I can:
1. Add the login service (rlogin) to the rule containing FW management for my workstation
2. Create a link file in /tmp with the policyname.cpp to /.rhosts
3. Install the modified policy and then edit /.rhosts to include a "+" or my specific desktop
4. Come across from root on my workstation anytime without having to modify the password or shadow files
5. If the system only allows root login at the console, I just add a step or two to the above to overwrite /etc/default/login, add the necessary entries and move on

Scenarios:
There are a couple of scenarios that come to mind in which the above can take place.
1. Rookie firewall administrators are given GUI access to the firewall to do firewall administration. They have been trained to add rules, create objects and install policies BUT are not trusted to have superuser access to the system. They don't know directory structure layout, system configuration, etc. but have been given administrative group access to do backups and the such.
2. Two (or more) groups administer the system at different levels. One group handles all system matters: configurations, backups, trouble-shoots, and the other handles solely firewall issues: rule additions/deletions, object creations, policy generation.

Fixes:

1. Upgrade to latest Check Point Firewall ver. 4.1 and latest service pack. Check Point Firewall ver. 4.0 SP2 and higher places the work for the policy compiles under the firewall directory structure which is accessible only by the superuser (if installed properly).

--------------------------------------------------
 

 -  Alan


Copyright 2021, SecurityGlobal.net LLC