Bugtraq mailing list archives
Re: CheckPoint FW1 BUG
From: Hugo.van.der.Kooij () CAIW NL (Hugo.van.der.Kooij () CAIW NL)
Date: Sat, 15 Jul 2000 00:44:45 +0200
On Fri, 14 Jul 2000, uh Clem wrote:
On Fri, 14 Jul 2000 Hugo.van.der.Kooij () caiw nl wrote:The first thing to do is to strip the host the FW-1 software is to be installed on. Securing the OS before even starting to install the firewall is essential.When the firewall itself is dependant upon service being active, this is somewhat difficult. See below.
FW-1 does not depend on any of these services! So they shouldn't be left alive. Lance Spitzner wrote an article on how you should harden the system. (Basically removing all those services.) See also: http://www.enteract.com/~lspitz/papers.html
After installation you should secure the FW-1 software from any access to the machine you don't explicitly want. Always pay attention to the implied rules which can be made visible and should be thoroughly checked.One of the other things we observed was the extremely poor state of permissions that Firewall-1's installation leaves things in. As far as I could tell, there was no option to run the firewall services as an alternate user besides SYSTEM. Some would argue this is necessary, but it really isn't; NT provides well documented APIs for adding specific priviledges to a given user's token. These kind of mistakes are generally present in win32 software written by people who haven't bothered to learn the platform.
The vision is that this machine is a dedicated firewall. So no services should be running. I'm unfamiliar with NT internals but it needs to intervene on a rather low level (between NIC and IP stack) and wether such an installation would be feasible without running as administrators is unknown to me.
However it is quite unclear why accessing a port would cause a firewall process to 100%. But FW-1 v4.0 SP4 is NOT certified for NT 4.0 SP6a and it is recommended you upgrade to FW-1 v4.0 SP6 asap.Ports 1030-103x are where registered RPC services are listening, much like 32767-328xx on Solaris. The ports are assigned by the RPC mapper (port 135 on NT, port 111 on Solaris) in the order the RPC services are started. What I think is happening here is that the firewall-1 service in question is running as an RPC service (frightening, eh?) and only expects local connections.
FW-1 does not use RPC itself at all. I've seen a couple of dozen of installations of FW-1 on just about any platform (besides Linux at present ;-) an know it runs on very bare systems. Hugo. -- Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland hvdkooij () caiw nl http://home.kabelfoon.nl/~hvdkooij/ -------------------------------------------------------------- Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)
Current thread:
- Re: CheckPoint FW1 BUG NHC Research (Jul 13)
- Re: CheckPoint FW1 BUG Hugo.van.der.Kooij () CAIW NL (Jul 14)
- Re: CheckPoint FW1 BUG uh Clem (Jul 14)
- Re: CheckPoint FW1 BUG Hugo.van.der.Kooij () CAIW NL (Jul 14)
- Re: CheckPoint FW1 BUG Jon Paul, Nollmann (Jul 17)
- Re: CheckPoint FW1 BUG Benjamin Smee (Jul 19)
- HP Jetdirect - Invalid FTP Command DoS Peter Grundl (Jul 19)
- Re: CheckPoint FW1 BUG Per Hoff (Jul 19)
- Alert: Buffer Overrun is O'Reilly WebsitePro httpd32.exe (CISADV000717) Cerberus Security Team (Jul 19)
- Alert: Buffer Overrun is O'Reilly WebsitePro webfind.exe (CISADV000718) Cerberus Security Team (Jul 19)
- Outlook exploit fix opens old hole? Ben (Jul 19)
- [COVERT-2000-08] O'Reilly WebSite Professional Overflow COVERT Labs (Jul 19)
- Security Fix for Blackboard CourseInfo 4.0 aleph1 () securityfocus com (Jul 19)
- [TL-Security-Announce] wu-ftpd TLSA2000014-1 Joe Little (Jul 19)
- Re: CheckPoint FW1 BUG uh Clem (Jul 14)
- Re: CheckPoint FW1 BUG Hugo.van.der.Kooij () CAIW NL (Jul 14)