RE: Checkpoint FW-1 on Nokia - potential user enumeration bug?

From: Christopher Lyon (cslyon@netsvcs.com)
Date: 01/09/03

    Date: Wed, 8 Jan 2003 16:53:00 -0800
    From: "Christopher Lyon" <cslyon@netsvcs.com>
    To: "Chris McNab" <chris.mcnab@trustmatta.com>, <pen-test@securityfocus.com>
    

    The version of IPSO that I am running, 3.6, doesn't do what you are
    seeing below. So I would suggest upgrading it. Also, if you are able to
    telnet to the Nokia from the outside, that is a bad thing! Since this
    box is based on a UNIX/Linux variant, it could potentially have a few
    issues with enumeration and/or issues with telnet or dictionary attacks.
    IPSO is a hardened OS and is stripped down to a basic level, but there
    are a few things still left on it. There are default accounts on the
    Nokia that could be guessed. I would turn off telnet access, rename the
    default accounts, rename fw1adm and enable SSH. SSH just to give a
    little bit more security, and the SSH daemon acts differently on bad
    user names and passwords. I would also lock down outside access to the
    Nokia unless you need to remotely manage it. If you do need to manage
    it, I would at least put your IPs in an allow list and run your tests
    from different addresses.

    Hope that helps.

    -----Original Message-----
    From: Chris McNab [mailto:chris.mcnab@trustmatta.com]
    Sent: Tuesday, January 07, 2003 4:55 PM
    To: pen-test@securityfocus.com
    Subject: Checkpoint FW-1 on Nokia - potential user enumeration bug?

    Hey,

    I was performing a pentest recently for a client, and found what seems
    to be a user enumeration bug within Nokia IPSO (unknown as to which
    version and patchlevel) running Checkpoint FW-1:

    pipex-gw>telnet xxx.xxx.xxx.xxx
    Trying xxx.xxx.xxx.xxx ... Open
       IPSO (checkpointcharlie) (ttyp0)
    login: root
    Password:
    Login incorrect
    login: blah
    Password:
    Login incorrect
    login: fw1adm
    Password:
    Password:
    Login incorrect
    login: fw1adm
    Password:
    Password:
    Login incorrect
    Login timed out after 300 seconds
    [Connection to xxx.xxx.xxx.xxx closed by foreign host]
    pipex-gw>

    Obviously the fw1adm user exists, being the standard account under
    FW-1.. but I was wondering if anyone had seen this before, or even if
    this issue had been addressed by Nokia?

    Thanks,

    Chris

    Chris McNab
    Technical Director

    Matta Security Limited
    18 Noel Street
    London W1F 8GN

    Tel: 08700 77 11 00

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
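
The inconsistency in the quoted session (a second "Password:" prompt only for fw1adm) can be checked for mechanically when auditing a captured login transcript from your own device. The Python below is an added example, not part of either message; the function names and the choice of the most common failure response as the baseline are assumptions.

```python
from collections import Counter

# Constructed sample: the login exchange quoted in the original message.
TRANSCRIPT = """\
login: root
Password:
Login incorrect
login: blah
Password:
Login incorrect
login: fw1adm
Password:
Password:
Login incorrect
login: fw1adm
Password:
Password:
Login incorrect
Login timed out after 300 seconds
"""

def attempts(transcript):
    """Split a captured session into (username, response_signature) pairs."""
    out, cur = [], None
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("login:"):
            cur = {"user": line[len("login:"):].strip(), "sig": [], "open": True}
            out.append(cur)
        elif cur and cur["open"] and line:
            cur["sig"].append(line)
            # The first line that is not a password prompt ends the attempt;
            # later lines (e.g. the session timeout) are not tied to the user.
            if line != "Password:":
                cur["open"] = False
    return [(a["user"], tuple(a["sig"])) for a in out]

def deviating_users(transcript):
    """Map each username to the responses that differ from the baseline."""
    by_user = {}
    for user, sig in attempts(transcript):
        by_user.setdefault(user, set()).add(sig)
    if not by_user:
        return {}
    # Assumption: the signature seen for the most distinct usernames is the
    # generic failure response, so anything else distinguishes an account.
    counts = Counter(sig for sigs in by_user.values() for sig in sigs)
    baseline = counts.most_common(1)[0][0]
    return {u: sorted(s - {baseline}) for u, s in by_user.items() if s - {baseline}}
```

An empty result means every probed name produced the same failure response, which is the behaviour a login service should show.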