[NEWS] Bug in Compile Portion of Older Versions of Checkpoint Firewall-1
From: support@securiteam.com
Date: 09/14/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Bug in Compile Portion of Older Versions of Checkpoint Firewall-1
Message-Id: <20010914110316.246B2138BF@mail.der-keiler.de>
Date: Fri, 14 Sep 2001 13:03:16 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Bug in Compile Portion of Older Versions of Checkpoint Firewall-1
------------------------------------------------------------------------
SUMMARY
When a Firewall Policy is compiled, Firewall compilation creates a
temporary file in /tmp with the policy name and ".cpp" appended to it. The
access mode of the file is rw-rw-rw- (666). A user can elevate their
access levels by exploiting this knowledge.
DETAILS
Vulnerable systems:
Check Point Firewall-1 version 3.0b through 4.0 SP1
Immune systems:
Check Point Firewall-1 version 4.0 SP2
If you have remote administrative access to a firewall with write
privileges, but only low privileges on the firewalled workstation, you
can:
1. Add the login service (rlogin) to the rule containing FW management for
the workstation
2. Create a link file in /tmp with the policyname.cpp to /.rhosts
3. Install the modified policy and then edit /.rhosts to include a "+" to
the specific desktop
4. Log in as root to the workstation at any time without having to modify
the password or shadow files
5. If the system only allows root login at the console, you just add a
step or two to the above to overwrite /etc/default/login and add the
necessary entries
Scenarios:
There are a couple of scenarios that come to mind, in which the above can
take place.
1. Rookie firewall administrators are given GUI access to the firewall to
do firewall administration. They have been trained to add rules, create
objects, and install policies but are not trusted to have superuser access
to the system. They do not know directory structure layout, system
configuration, etc. but have been given administrative group access to do
backups and such.
2. Two (or more) groups administer the system at different levels. One
group handles all system matters (configurations, backups,
troubleshooting) and the other handles solely firewall issues (rule
additions/deletions, object creations, policy generation).
Fixes:
1. Upgrade to the latest Check Point Firewall version 4.1 and the latest
service pack. Check Point Firewall version 4.0 SP2 and higher place the
work for the policy compiles under the firewall directory structure, which
is accessible only by the superuser (if installed properly).
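The defensive counterpart of the flaw in the SUMMARY, as an added example that is not Check Point's code: a work file created exclusively, without following links, and with mode 0600 instead of 666. The function name create_workfile, its arguments and the scratch paths in main() are hypothetical; this shows hardened file creation, which complements the private work directory the fix above describes.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create <dir>/<policy>.cpp as a private work file.
 * Returns an open fd, or -1 if the name already exists or is not private. */
int create_workfile(const char *dir, const char *policy)
{
    char path[4096];
    struct stat st;
    mode_t old;
    int fd;

    if (snprintf(path, sizeof path, "%s/%s.cpp", dir, policy) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* O_EXCL fails on any existing name, including a dangling symlink;
     * O_NOFOLLOW refuses to open through a link in the last component. */
    old = umask(077);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    umask(old);
    if (fd < 0)
        return -1;
    /* Check what was actually opened: regular file, ours, no group/other bits. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(fd);
        unlink(path);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    char dir[] = "/tmp/fwdemoXXXXXX";   /* constructed scratch directory */
    char link[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(link, sizeof link, "%s/Standard.cpp", dir);
    symlink("/nonexistent/target", link);   /* constructed pre-existing link */
    printf("existing link: %s\n", create_workfile(dir, "Standard") < 0 ? "refused" : "opened");
    printf("fresh name: %s\n", create_workfile(dir, "Other") >= 0 ? "created 0600" : "failed");
    return 0;
}
```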
ADDITIONAL INFORMATION
The information has been provided by Alan Darien <adarien@securetrendz.com>,
SecureTrendz, Inc.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.