SecurityTracker.com

SecurityTracker
Archives
Category:   Application (Firewall)  >   FireWall-1/VPN-1 Vendors:   Check Point
Check Point FireWall-1 Discloses Identifying System Information to Remote Users
SecurityTracker Alert ID:  1003950
SecurityTracker URL:  http://securitytracker.com/id/1003950
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 2 2002
Impact:   Disclosure of system information
Exploit Included:  Yes  

Description:   An information disclosure vulnerability was reported in Check Point's FireWall-1 firewall product. A remote user who can reach the system can determine whether or not it is running FireWall-1.

It is reported that a remote user can connect to TCP port 257 on the firewall (the port FireWall-1 uses for its log service) and send a short, specific input sequence that causes the service to disclose its identity.

A remote user can reportedly use the following sequence:

1. hit enter
2. hit a few keys (2-3 is enough)
3. hit enter

This will reportedly cause the server to return the 'fwa1' string. The string is only returned for this particular pattern (a newline, some arbitrary bytes, then another newline); other input is not reported to trigger it. The probe only works if TCP port 257 is reachable from the remote user's network, so hosts that restrict access to the FireWall-1 service ports (TCP 256-258) from untrusted networks do not expose this fingerprint.

Impact:   A remote user can determine if the target is a FireWall-1.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.checkpoint.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  Firewall-1 Identification : port 257 (ie archive : 18701)


It's been known for a while that if you find a host with open TCP ports
256, 257 and 258, you can be pretty sure it's a Firewall-1 box (please refer
to: http://online.securityfocus.com/archive/1/18701).

I did some additional poking at the system and found out that if you connect
to port 257 and you hit a few keys, the server will return fwa1 string.
Here is the sequence that works for me:
1. hit enter
2. hit a few keys (2-3 is enough)
3. hit enter

the server will return the fwa1 string.

Example (my input was enter+test+enter):
[sacha@hole sacha]$ nc 1.1.1.1 257
        30000005
test
fwa1

[sacha@hole sacha]$

If you hit other sequences, you get your data but no fwa1 string. I haven't seen this
feature mentioned. If this is already known, please ignore this post. This
was discovered on a client system so I don't have all the details of the
firewall config for now. All I know is it's a FW1 box. On what I have no
idea.

---------
Sacha Faust
sacha@severus.org


Copyright 2021, SecurityGlobal.net LLC