Bugtraq mailing list archives
Re: CheckPoint FW1 BUG
From: Hugo.van.der.Kooij () CAIW NL
Date: Fri, 14 Jul 2000 22:19:01 +0200
On Thu, 13 Jul 2000, NHC Research wrote:
> While doing some testing on Firewall-1 4.0 NT SP4 a few months ago, we came across a similar situation. We felt it was not worthy of an advisory because it is effectively a misconfiguration issue, although it is the default configuration upon initial install.
>
> Scenario: One firewall machine, 2 NICs (one for untrusted net, one for trusted net).
>
> Configuration: NT 4.0 SP6a, Firewall-1 NT 4.0 SP4
>
> Steps 2 Repro:
> 1. Install FW-1, define one subnet for each physical NIC.
> 2. From either network, send a SYN packet to the IP of the firewall, port 1032. ('telnet firewallip 1032', or 'nmap -sS -p 1032 firewallip')
TCP port 1032 is not used by FW-1 in any version I've seen (v3.0b to present v4.1SP1) and must therefore be an NT port or some other software on the NT machine. I'm unaware of a tool like lsof to see who 'owns' the port on NT.
> Result: One of the running instances of the fw.exe service goes to 100%.
>
> Why is this not a bug? Because the first thing the "wizard" does for you is to block all traffic directly to the firewall, this should not be an issue for most people. This is a really good thing, because FW-1 listens on an obscene number of ports in a default installation.
The first thing to do is to strip the host the FW-1 software is to be installed on. Securing the OS before even starting to install the firewall is essential. After installation you should secure the FW-1 software from any access to the machine you don't explicitly want. Always pay attention to the implied rules, which can be made visible and should be thoroughly checked.

However, it is quite unclear why accessing a port would cause a firewall process to go to 100%. But FW-1 v4.0 SP4 is NOT certified for NT 4.0 SP6a and it is recommended you upgrade to FW-1 v4.0 SP6 asap.

Hugo.

PS: I guess you mean by "wizard" a person and not those pesky things in some software products that try to make simple things look much more complicated ;-)

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland
hvdkooij () caiw nl http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)