[NEWS] Bug in Remote GUI Access in Checkpoint Firewall
From: support@securiteam.com
Date: 09/10/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Bug in Remote GUI Access in Checkpoint Firewall
Message-Id: <20010910053343.57A93138C0@mail.der-keiler.de>
Date: Mon, 10 Sep 2001 07:33:43 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Bug in Remote GUI Access in Checkpoint Firewall
------------------------------------------------------------------------
SUMMARY
A remote administrative user with write privileges on the firewall can use
the remote GUI client's Log Viewer application to launch a potential DoS
attack on the firewall.
Such a user can also create and overwrite any file anywhere on the system
except the active log file (fw.log). Under Firewall-1 version 3.0b and
version 4.0 this is also possible with Monitor, Read-Only and User-Edit
privileges.
Although you must log on to the GUI with a given user id, the write itself
is performed as the root user on the firewalled system.
DETAILS
Vulnerable systems:
Check Point Firewall-1 version 3.0b up to, but not including, version 4.1 SP2
Examples:
1. As a firewall administrator with no login access to the firewall
management station (which can be the same host as the firewall server), you
can use the GUI client to create or overwrite a file by launching the Log
Viewer and saving the selection under File->Save As. You are not prevented
from entering a destination such as /etc/shadow, and you are not warned
that the file may already exist and asked whether to overwrite it (if you
save to a directory other than /etc/fw/log). NOTE: the ".log" extension is
automatically appended to the saved file name.
Because of this, you can corrupt certain log files (e.g. vold.log) and any
other log file the system administration team may have defined whose name
ends in ".log". This assumes that you know those files exist.
Steps to recreate:
a) Launch the firewall GUI client and open the Log Viewer.
b) Save the selection (it can be narrowed if you wish) as /var/adm/vold
c) Observe that you have created (or overwritten) a /var/adm/vold.log file,
of type "data"
d) Doing the above with a large log file can also fill up a small file system
e) Exported log files can be overwritten in the same way
As you will see in the next example, it can get worse.
2. As a firewall administrator with non-root login access to the firewall
management station (which can be the same host as the firewall server), you
can use the GUI client to create or overwrite a file by launching the Log
Viewer and saving the selection under File->Save As. Again, you are not
prompted that the file exists (if you save to a directory other than
/etc/fw/log). Now it gets worse. As a user with non-root login access you
can go to /tmp and create a symbolic link such as:
a) ln -s /.rhosts /tmp/trythis.log
b) Launch the firewall GUI client and open the Log Viewer.
c) Save the selection (it can be narrowed if you wish) as /tmp/trythis
d) Observe that you have created a /.rhosts file, of type "data"
e) Now create another link: ln -s /etc/shadow /tmp/trythis.log
f) Repeat steps b-c
g) Observe that you have overwritten /etc/shadow with log data (a DoS
attack, since the system's password hashes are destroyed).
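The pattern behind both examples, as an added illustration that is not part of the advisory or of Check Point's code: a root-privileged save routine that appends ".log" to a caller-supplied path and truncates whatever is there, beside a hardened one that confines the file to a fixed export directory and opens it with O_CREAT|O_EXCL|O_NOFOLLOW. The function names, the scratch directory and the stand-in "shadow" file are assumptions made for this demo; run_symlink_demo() replays steps a) through g) against them.

```c
/* Added example, not Check Point code: the root-privileged "Save As" pattern
 * the advisory describes, next to a hardened version. Names and files here
 * are assumptions for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LOG_EXT ".log"

/* Unsafe: ".log" is appended to whatever the user typed and the file is
 * created or truncated with the process's (root) privileges. fopen "w"
 * follows a symlink planted at <path>.log. */
int save_log_naive(const char *user_path, const char *data)
{
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s%s", user_path, LOG_EXT) >= (int)sizeof path) return -1;
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened: accept only a bare file name, join it under a fixed export
 * directory, never follow a symlink, never clobber an existing file.
 * Returns 0 on success, -1 with errno set on failure. */
int save_log_hardened(const char *export_dir, const char *name, const char *data)
{
    if (!name[0] || strchr(name, '/') || !strcmp(name, ".") || !strcmp(name, "..")) {
        errno = EINVAL;                      /* would escape export_dir */
        return -1;
    }
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/%s%s", export_dir, name, LOG_EXT) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* O_EXCL: EEXIST if anything, even a dangling symlink, already sits at
     * path. O_NOFOLLOW: never traverse a final-component symlink. Together
     * they defeat the ln -s /etc/shadow /tmp/trythis.log trick. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0640);
    if (fd < 0) return -1;
    ssize_t len = (ssize_t)strlen(data);
    int rc = write(fd, data, (size_t)len) == len ? 0 : -1;
    if (close(fd) != 0) rc = -1;
    return rc;
}

static int read_small(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    buf[fread(buf, 1, cap - 1, f)] = '\0';
    fclose(f);
    return 0;
}

/* Replays the advisory's example 2 in a scratch directory with constructed
 * stand-ins for /etc/shadow and /tmp/trythis. Returns a bitmask of observed
 * outcomes; 15 means all four checks behaved as commented. */
int run_symlink_demo(void)
{
    char dir[] = "/tmp/fwlogXXXXXX", buf[64];
    char target[PATH_MAX], link[PATH_MAX], user_path[PATH_MAX], fresh[PATH_MAX];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/shadow", dir);
    snprintf(link, sizeof link, "%s/trythis.log", dir);
    snprintf(user_path, sizeof user_path, "%s/trythis", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.log", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("root:$1$hash:0:0\n", f);
    fclose(f);
    if (symlink(target, link) != 0) return -1;   /* step e): ln -s shadow trythis.log */

    int mask = 0;
    /* 1: hardened save refuses, trythis.log already exists, target untouched */
    if (save_log_hardened(dir, "trythis", "LOG DATA\n") == -1 && errno == EEXIST &&
        read_small(target, buf, sizeof buf) == 0 && !strcmp(buf, "root:$1$hash:0:0\n"))
        mask |= 1;
    /* 2: naive save follows the link and overwrites the target */
    if (save_log_naive(user_path, "LOG DATA\n") == 0 &&
        read_small(target, buf, sizeof buf) == 0 && !strcmp(buf, "LOG DATA\n"))
        mask |= 2;
    /* 4: hardened save rejects a name that would leave the export directory */
    if (save_log_hardened(dir, "../escape", "x\n") == -1 && errno == EINVAL) mask |= 4;
    /* 8: hardened save still creates an ordinary new file */
    if (save_log_hardened(dir, "fresh", "ok\n") == 0 &&
        read_small(fresh, buf, sizeof buf) == 0 && !strcmp(buf, "ok\n"))
        mask |= 8;

    unlink(fresh); unlink(link); unlink(target); rmdir(dir);
    return mask;
}

int main(void)
{
    printf("demo mask = %d (15 = all checks as expected)\n", run_symlink_demo());
    return 0;
}
```

O_EXCL alone would also block a legitimate re-export over an old file; a real client would first prompt the user as the advisory asks for, then take a separate explicit-overwrite path that still refuses to follow links and still restricts the destination to the export directory. None of this removes the deeper problem the advisory points at: the write runs as root at all, so GUI administrators must be treated as root-equivalent on the management station.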
Fixes:
Upgrade to version 4.1 SP2. Until then, give firewall GUI access only to
administrators who also have superuser access to the firewalled operating
system, since GUI write access amounts to root-level file access on that
system.
ADDITIONAL INFORMATION
The information has been provided by <mailto:adarien@securetrendz.com>
Adarien.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.