Re: [Full-Disclosure] Check Point FW-1 NG FP3 & FP3 HF1: DoS attack against syslog daemon possible

From: Dr. Peter Bieringer (pbieringer@aerasec.de)
Date: 03/26/03

    From: "Dr. Peter Bieringer" <pbieringer@aerasec.de>
    To: Maillist Bugtraq <bugtraq@securityfocus.com>, Maillist full-disclosure <full-disclosure@lists.netsys.com>
    Date: Wed, 26 Mar 2003 19:55:21 +0100
    

    Hi again,

    Regarding some statements and personal e-mails to me about
     a) which versions are affected
    and
     b) we have no FP3, but a running "syslog" process
    I've double-checked this here in our lab and can confirm Check Point's
    advisory "Prior to the release of NG FP3 HF2" for some more cases:

    Check Point FW-1 since NG FP3:
    ------------------------------
    The syslog daemon is a dedicated binary "$FWDIR/bin/syslog"
    Vulnerable to remote crash (FP3, FP3 HF1)
    Vulnerable to unfiltered escape sequences (FP3, FP3 HF1, FP3 HF2)

    Check Point FW-1 NG up to FP2:
    ------------------------------
    The syslog daemon is included in the "$FWDIR/bin/fw" binary by using
    "$FWDIR/lib/libfw1.so"
    Vulnerable to remote crash (FP2)
    Vulnerable to unfiltered escape sequences (FP2)

    Other NG versions below FP2 are currently not tested by us, but according
    to Check Point's advisory they are also vulnerable.

    Note: in the process table you will also see "syslog 514 all", a "ghost"
    program which didn't exist before FP3, but that's only the command line
    arguments. A dig into /proc/$pid-of/syslog shows that "fw" is the real
    executed binary.

    Check Point FW-1 4.1:
    ---------------------
    The syslog daemon is included in the "$FWDIR/bin/fw" binary without using
    any other Check Point specific library.

    We are currently also investigating the 2 issues here.

    Hope this helps.

    We've also already updated our advisory:

    http://www.aerasec.de/security/advisories/txt/checkpoint-fw1-ng-fp3-syslog-crash.txt
    http://www.aerasec.de/security/advisories/checkpoint-fw1-ng-fp3-syslog-crash.html

    Sorry for causing some confusion.

            Peter

    -- 
    Dr. Peter Bieringer                             Phone: +49-8102-895190
    AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
    Wagenberger Straße 1                           Mobile: +49-174-9015046
    D-85662 Hohenbrunn                       E-Mail: pbieringer@aerasec.de
    Germany                                Internet: http://www.aerasec.de
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
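
Added example, not part of the original message or of AERAsec's advisory: a shell check for the situation described in the note above, where the process table shows "syslog 514 all" while the executed binary is really "fw". It compares argv[0] from /proc/PID/cmdline with the /proc/PID/exe link on Linux; the `PROC_ROOT` variable and the function names are assumptions introduced here.

```shell
#!/bin/sh
# Added example: compare the name shown in the process table (argv[0])
# with the binary the kernel actually executed (/proc/PID/exe).
# PROC_ROOT is a hypothetical override so the check can be run against
# a constructed directory tree instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print "PID ARGV0 EXE STATUS" for one pid; return 2 if it cannot be read.
check_pid() {
    pid=$1
    dir="$PROC_ROOT/$pid"
    [ -r "$dir/cmdline" ] || return 2
    # cmdline is NUL-separated; the first field is argv[0].
    argv0=$(tr '\0' '\n' < "$dir/cmdline" | head -n 1)
    [ -n "$argv0" ] || return 2        # kernel threads have an empty cmdline
    exe=$(readlink "$dir/exe" 2>/dev/null) || return 2
    exe=${exe% (deleted)}              # binary replaced on disk since start
    if [ "$(basename -- "$argv0")" = "$(basename -- "$exe")" ]; then
        status=match
    else
        status=MISMATCH
    fi
    printf '%s %s %s %s\n' "$pid" "$argv0" "$exe" "$status"
}

# Run check_pid over every numeric entry under PROC_ROOT.
scan_all() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] || continue
        check_pid "${d##*/}" || true   # skip unreadable or exited processes
    done
    return 0
}

# Usage: sh thisfile --scan   (run as root to read other users' exe links)
if [ "${1:-}" = "--scan" ]; then
    scan_all
fi
```

A MISMATCH line is a lead for triage rather than a finding: interpreters, login shells and daemons that rewrite their process title produce it legitimately.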
    
