Bugtraq mailing list archives

Re: CheckPoint FW1 BUG

From: Hugo.van.der.Kooij () CAIW NL (Hugo.van.der.Kooij () CAIW NL)
Date: Fri, 14 Jul 2000 22:19:01 +0200


On Thu, 13 Jul 2000, NHC Research wrote:

While doing some testing on Firewall-1 4.0 NT SP4 a few months ago, we
came across a similar situation. We felt it was not worthy of an advisory
because it is effectively a misconfiguration issue, although it is the
default configuration upon initial install.

Scenario:
One firewall machine, 2 NICs (one for untrusted net, one for trusted net).

Configuration:
NT 4.0 SP6a
Firewall-1 NT 4.0 SP4

Steps 2 Repro:
1. Install FW-1, define one subnet for each physical NIC.
2. From either network, send a SYN packet to the IP of the firewall, port
1032. ('telnet firewallip 1032', or 'nmap -sS -p 1032 firewallip')


TCP port 1032 is not used by FW-1 in any version I've seen (v3.0b to
present v4.1SP1) and must therefor be a NT port or some other software on
the NT machine.

I'm unaware of a tool like lsof to see who 'owns' the port on NT.

Result:
      One of the running instances of the fw.exe service goes to 100%.

Why is this not a bug?
      Because the first thing the "wizard" does for you is to block all
traffic directly to the firewall, this should not be an issue for most
people. This is a really good thing, because FW-1 listens on an obscene
number of ports in a default installation.


The first thing to do is to strip the host the FW-1 software is to be
installed on. Securing the OS before even starting to install the firewall
is essential.

After installation you should secure the FW-1 software from any access to
the machine you don't explicitly want. Always pay attention to the implied
rules which can be made visible and should be thoroughly checked.

However it is quite unclear why accessing a port would cause a firewall
process to 100%. But FW-1 v4.0 SP4 is NOT certified for NT 4.0 SP6a and it
is recommended you upgrade to FW-1 v4.0 SP6 asap.

Hugo.

PS: I guess you mean by "wizard" a person and not those pesty things in
some software products that try to make simple things look much more
complicated ;-)

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl     http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)

Current thread:

Re: CheckPoint FW1 BUG NHC Research (Jul 13)
- Re: CheckPoint FW1 BUG Hugo.van.der.Kooij () CAIW NL (Jul 14)
  - Re: CheckPoint FW1 BUG uh Clem (Jul 14)
    - Re: CheckPoint FW1 BUG Hugo.van.der.Kooij () CAIW NL (Jul 14)
    - Re: CheckPoint FW1 BUG Jon Paul, Nollmann (Jul 17)
    - Re: CheckPoint FW1 BUG Benjamin Smee (Jul 19)
    - HP Jetdirect - Invalid FTP Command DoS Peter Grundl (Jul 19)
    - Re: CheckPoint FW1 BUG Per Hoff (Jul 19)
    - Alert: Buffer Overrun is O'Reilly WebsitePro httpd32.exe (CISADV000717) Cerberus Security Team (Jul 19)
    - Alert: Buffer Overrun is O'Reilly WebsitePro webfind.exe (CISADV000718) Cerberus Security Team (Jul 19)
    - Outlook exploit fix opens old hole? Ben (Jul 19)
    - [COVERT-2000-08] O'Reilly WebSite Professional Overflow COVERT Labs (Jul 19)

(Thread continues...)