Bugtraq mailing list archives

Re: Possible security hole


From: robert.stahlbrand () AC SALCOM SE (Robert Ståhlbrand)
Date: Tue, 13 Apr 1999 14:41:23 +0200


As a reseller of FW-1 I think I should add something to this discussion.

It is indeed possible to do something bad during this time. You have
about 10 seconds when the FW-1 answers ping, and if you portscan for
something that you know is open on the machine (of course, a correctly
configured FW-1 has no services available) you will see that you can
reach this service for about 2-3 seconds.
I tried to delay the FW-1 so that we could have some more time than just
2-3 seconds with a combination of a ping- and fragmentation-flood and
yes, I got more time. About 20-30 seconds.
During this time the machine is very slow, but I succeeded in doing
something "bad" during this time, since I mapped the C: drive, which is
shared by default on NT.
What I could have done more was to replace the binary for the rule-set
with an "any any any accept" rule-base, and NOW we've done something bad!

I also tried to route packets through the FW-1 during this period but
did not succeed.

It's not very hard to write a program in, for example, perl to do all the
above automatically. You have to know the login name for administrator
and the password of course, so we have to have that first.
What we also want is to be able to reboot the FW-1/NT-server remotely
with some kind of DoS-attack, but this is indeed possible when running on
NT. No details here, but there are problems in NT that cause the machine
to BSoD. I'm pretty sure that someone soon will post something about
this issue 8-).

I've recently been in touch with Checkpoint regarding this issue and
their answer is that they cannot control this because of the underlying
operating system. What they can control is IP Forwarding (thank god).

So what do we learn?
1) Don't run FW-1 on NT.
2) If you do it anyway, be very careful with the configuration and strip
it of every service not needed!!!!!!

Cheers,
Robert Ståhlbrand, Salcom AB

Cristiano Lincoln Mattos wrote:

Quoting Christoforos Karatzinis <chka () SOLUTIONS IE>:

Hi,
     The FW1 documentation clearly states that there is
a small delay after the interface initializes and the
FW starts acting on it.  It is possible to do something
"bad" to it in this period...

Regards,
Cristiano Lincoln Mattos
Recife / Brazil

The first 25 packets were lost before the interface's initialization. The
packets with sequence number greater than 34 are dropped by the firewall.
What about the packets with sequence number 25-34? Is it possible that
someone can use this time (after the interface's initialization and before
the firewall's initialization) to do something bad?

Regards,
Christofer
