Bugtraq mailing list archives
Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x
From: saintjon () SYSCONN COM (root)
Date: Fri, 21 Jan 2000 09:31:38 -0500
There are two vulnerabilities in FW-1. The first is an authentication issue, the other is a configuration issue. Since I don't have a copy of 4.x FW-1 handy maybe someone can check it for me. #1 The basic authentication used in Checkpoint FW-1 used for inside/outbound and outside/inbound allows unlimited attempts to authenticate without a timeout or disconnect between unsuccessful attempts. To make matters worse, the attempt at authentication will let you know if you have the wrong username before you are allowed to enter in the passsword. The exploit is trivial, grind away at user names until you hit one that works and then grind away at passwords with the username you just found until you find one that works. For an example of this, set authentication on the FW-1 software to authenticate telnet connections. Telent to a destination past the firewall, when prompted for a username, pound away. A script could crack the authentication in a very short time. The workaround is to use Checkpoint's encrypted authentication program "SecuRemote" and not allow clear text authentication (browser based, telnet, etc.) to destinations beyond the firewall. #2 The default configuration in FW-1 allows for rlogin management of the server. The rlogin prompt is avaialable on all NICs. Unless a rule is placed in your ruleset to drop or reject all connections to the firewall, the authentication problem above can be used to remotely administer someone elses firewall without them knowing. The workaround is to include the rule.
Current thread:
- Re: IIS still revealing paths for web directories, (continued)
- Re: IIS still revealing paths for web directories Taneli Huuskonen (Jan 15)
- Fwd: Crash identified in Notes, Domino, and MTA with Date Conversio ns Xander Teunissen (Jan 14)
- Re: IIS still revealing paths for web directories Norbert Luckhardt (Jan 15)
- usual iploggers miss some variable stealth scans vecna (Jan 17)
- Re: usual iploggers miss some variable stealth scans Simple Nomad (Jan 17)
- AW: usual iploggers miss some variable stealth scans Tobi (Jan 18)
- AW: usual iploggers miss some variable stealth scans Tobi (Jan 19)
- Warning: VCasel security hole. bob mare (Jan 18)
- Re: usual iploggers miss some variable stealth scans Alec Kosky (Jan 18)
- Re: usual iploggers miss some variable stealth scans Andrea Gho (Jan 20)
- Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x root (Jan 21)
- *BSD procfs vulnerability FEAR Advisories (Jan 21)
- Re: *BSD procfs vulnerability Theo de Raadt (Jan 23)
- stream.c/raped.c tests (just for stats) Vanja Hrustic (Jan 21)
- Microsoft Security Bulletin (MS00-004) Microsoft Product Security (Jan 21)
- Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x Vanja Hrustic (Jan 22)
- Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x Markus Hofmann (Jan 22)
- Administrivia Elias Levy (Jan 18)
- Info on some security holes reported against SCO Unixware. Aaron Sigel (Jan 13)
- ssh-proxy, a new approach to firewall software Magosanyi Arpad (Jan 13)
- Re: Hotmail security hole - injecting JavaScript using <IMG Ajax (Jan 11)