[NEWS] Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
Date: 02/05/04
To: list@securiteam.com
Date: 5 Feb 2004 19:07:08 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Format string vulnerabilities exist in the HTTP Application Intelligence
component of FireWall-1
(http://www.checkpoint.com/products/protect/firewall-1.html). Application
Intelligence is a relatively recent addition to the Firewall-1 product line
and functions as an application proxy between untrusted networks and
network servers for the purpose of detecting and preventing potential
attacks. The vulnerabilities also exist within the HTTP Security Server
application proxy.
The affected components contain several remotely exploitable format string
vulnerabilities. If HTTP Application Intelligence is enabled or the HTTP
Security Server is used, a remote attacker could exploit them to execute
arbitrary code with super-user privileges, usually SYSTEM or root.
DETAILS
Vulnerable Systems:
* Firewall-1 NG-AI R55, R54, including SSL hotfix
* Firewall-1 HTTP Security Server included with NG FP1, FP2, FP3
* Firewall-1 HTTP Security Server included with 4.1
CVE Information:
CAN-2004-0039 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0039)
When an invalid HTTP request is issued, a format string vulnerability can
be triggered. The firewall generates an error message in which the user
partially controls the format string passed to an sprintf() call. One
notable example is an invalid scheme in the request URI. By supplying
format string specifiers, an attacker may corrupt memory and execute
arbitrary code with super-user privileges.
With a carefully constructed format string the vulnerability may also be
exploited as a traditional heap overflow, with the same results.
Unsuccessful exploit attempts will disrupt all established HTTP sessions
and stop Web traffic momentarily. Although on some platforms exploitation
is not trivial because of restrictions on the characters and length of
requests, a functional exploit has been developed by ISS (Internet
Security Systems).
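The error-message pattern described above, as an added example in C that is neither Check Point's code nor taken from the ISS advisory: a constructed request line carrying an invalid scheme, the vulnerable pattern (the assembled message handed to snprintf() as its format argument) beside the fixed form, and a scheme-syntax check that rejects '%' before any error path is reached. The function names, the request line, the error text and the list of accepted schemes are assumptions for illustration only.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MSG_MAX 256

/* Pull the URI scheme out of a request line such as
 * "GET http://host/ HTTP/1.0": everything between the first space and
 * the first "://". Returns 1 on success, 0 if there is no scheme or it
 * does not fit in `scheme` (capacity `cap`). Illustrative parser only. */
int extract_scheme(const char *request_line, char *scheme, size_t cap)
{
    const char *sp = strchr(request_line, ' ');
    if (sp == NULL)
        return 0;
    const char *uri = sp + 1;
    const char *sep = strstr(uri, "://");
    if (sep == NULL)
        return 0;
    size_t len = (size_t)(sep - uri);
    if (len == 0 || len >= cap)
        return 0;
    memcpy(scheme, uri, len);
    scheme[len] = '\0';
    return 1;
}

/* Schemes the hypothetical proxy is willing to relay (assumed list). */
int scheme_is_known(const char *scheme)
{
    return strcmp(scheme, "http") == 0 ||
           strcmp(scheme, "https") == 0 ||
           strcmp(scheme, "ftp") == 0;
}

/* RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
 * Anything else, '%' included, is rejected before it can reach an
 * error-reporting path. Returns 1 if well-formed. */
int scheme_syntax_valid(const char *scheme)
{
    if (!isalpha((unsigned char)scheme[0]))
        return 0;
    for (const char *p = scheme + 1; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '+' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* VULNERABLE pattern: the error text is assembled first, then handed to
 * snprintf() as the *format* argument, so '%' sequences supplied by the
 * client are interpreted. The demo input below uses only "%%", which
 * consumes no arguments, so this call stays well defined in the demo. */
void build_error_vulnerable(const char *scheme, char *out, size_t cap)
{
    char msg[MSG_MAX];
    snprintf(msg, sizeof msg, "Invalid scheme: %s", scheme);
    snprintf(out, cap, msg);   /* client data used as the format string */
}

/* FIXED pattern: constant format, client data only ever a %s argument. */
void build_error_fixed(const char *scheme, char *out, size_t cap)
{
    snprintf(out, cap, "Invalid scheme: %s", scheme);
}

/* Worked run on a constructed request. Returns 1 when the vulnerable
 * path has collapsed the client's "%%" to "%" while the fixed path has
 * preserved it, -1 if no scheme was parsed, -2 if the scheme was
 * accepted as known. */
int demo_error_message_difference(void)
{
    const char *req = "GET %%x://victim.example/ HTTP/1.0"; /* constructed */
    char scheme[64], vuln[MSG_MAX], fixed[MSG_MAX];
    if (!extract_scheme(req, scheme, sizeof scheme))
        return -1;
    if (scheme_is_known(scheme))
        return -2;
    build_error_vulnerable(scheme, vuln, sizeof vuln);
    build_error_fixed(scheme, fixed, sizeof fixed);
    return strcmp(vuln, "Invalid scheme: %x") == 0 &&
           strcmp(fixed, "Invalid scheme: %%x") == 0;
}

int main(void)
{
    printf("scheme syntax check on \"%%x\": %d\n", scheme_syntax_valid("%x"));
    printf("vulnerable and fixed messages differ: %d\n",
           demo_error_message_difference());
    return 0;
}
```

The demo deliberately stops at "%%", the one directive that reads no arguments, so the vulnerable call is still defined behaviour while showing that client text is being interpreted; a real request would carry "%x"/"%n" sequences and the "characters and length" restrictions the advisory mentions would apply to the URI. Compiling the vulnerable function with -Wformat-security reports the non-literal format, which is the check to run over a code base that builds error strings this way.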
Patch Availability:
Checkpoint has released an update to address this issue, available at
http://www.checkpoint.com/techsupport/alerts/index.html
ADDITIONAL INFORMATION
The information has been provided by Chris Wysopal (weld@vulnwatch.org).
The original article can be found at:
http://xforce.iss.net/xforce/alerts/id/162
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.