Bugtraq mailing list archives

Re: Check Point response to RDP Bypass


From: Jochen Bauer <jtb () inside-security de>
Date: Wed, 11 Jul 2001 20:45:11 +0200

On Wed, Jul 11, 2001 at 11:41:23AM +0200, Johan Lindqvist wrote:
> The original advisory
> (http://www.inside-security.de/advisories/fw1_rdp.html) says that a
> workaround is to "Deactivate implied rules in the Check Point policy editor
> (and build your own rules for management connections).". I've not been able
> to find any changes in the INSPECT code generated to confirm that not using
> the implied rules from "Policy/properties/Security policy/Implied
> rules/Accept VPN-1 & FireWall-1 Control Connection"

Hmm.. strange. I cannot reproduce this. Here's the test I carried out:

I set up a policy with all implied rules, the policy file w_control.W 
is attached to this mail. From this policy the INSPECT file w_control.pf
was generated (also attached). The relevant part of this file is:

[...]
#define REVERSE_UDP 1
#include "code.def"
accept_fw1_connections;  <-----
accept_proxied_conns;
enable_radius_queries;
enable_tacacs_queries;    
[...]

accept_fw1_connections is defined in $FWDIR/lib/base.def:

#define accept_fw1_connections accept_fw1_connections1 accept_fw1_connections2
        accept_fw1_connections3

and the macro "accept_fw1_connections3" includes "accept_fw1_rdp" which is 
the flawed macro. 

#define accept_fw1_connections3                                         
        [...]
        accept_fw1_rdp;


So, the RDP vulnerability finally comes into the INSPECT 
file "w_control.pf" with the macro "accept_fw1_connections". 

However, if I go to the policy editor and uncheck policy->properties->
Security Policy->Implied Rules->VPN-1 & FireWall-1 Control Connections and
re-compile the policy (wo_control.W, see attachment), I get an INSPECT file
(wo_control.pf, see attachment) that does not make use of
"accept_fw1_connections" and therefore does not lead to this vulnerability.

I've also tested this with our proof of concept code. (BTW: I'm going to
post this code tomorrow on BUGTRAQ)

Can you post the policy and INSPECT files you generated?

Jochen
-- 
Jochen Bauer                        |    Tel: +49711 6868 7030 
Inside Security IT Consulting GmbH  |    Fax: +49711 6868 7031
Nobelstr. 15                        |    email: jtb () inside-security de
70569 Stuttgart, Germany            |    http://www.inside-security.de

Attachment: w_control.W
Attachment: w_control.pf
Attachment: wo_control.W
Attachment: wo_control.pf
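The check the mail performs by hand (does the generated .pf still reach the flawed accept_fw1_rdp macro through accept_fw1_connections?) can be automated. The following is an added example, not code from the thread or from Check Point: it follows #define chains the way the INSPECT preprocessor would and reports every path from a top-level statement in a .pf file to a target macro. The base.def and .pf excerpts are constructed stand-ins; the real $FWDIR/lib/base.def has more content, and the accept_fw1_connections1/2 bodies here are placeholders.

```python
import re

# Constructed stand-in for $FWDIR/lib/base.def (NOT the real file): only the
# macro chain described in the mail; the *1/*2 bodies are placeholders.
BASE_DEF = r"""
#define accept_fw1_connections accept_fw1_connections1 accept_fw1_connections2 \
        accept_fw1_connections3
#define accept_fw1_connections1 /* placeholder body */ ;
#define accept_fw1_connections2 /* placeholder body */ ;
#define accept_fw1_connections3 \
        /* [...] */ \
        accept_fw1_rdp;
#define accept_fw1_rdp /* the flawed macro; body omitted */ ;
"""
# Constructed excerpts of the two generated INSPECT files from the mail:
# implied rules on (w_control.pf) and control-connection rule unchecked (wo_control.pf).
W_CONTROL_PF = '#define REVERSE_UDP 1\n#include "code.def"\naccept_fw1_connections;\naccept_proxied_conns;\n'
WO_CONTROL_PF = '#define REVERSE_UDP 1\n#include "code.def"\naccept_proxied_conns;\n'

IDENT = re.compile(r"[A-Za-z_]\w*")

def parse_defines(text):
    # Map macro name -> body; join backslash continuations and drop /* */ comments first.
    joined = re.sub(r"\\\n", " ", text)
    joined = re.sub(r"/\*.*?\*/", " ", joined, flags=re.S)
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\s*#define\s+(\w+)(.*)$", joined, flags=re.M)}

def top_level_calls(pf_text):
    # Identifiers invoked as statements in the .pf; preprocessor lines are skipped.
    calls = []
    for line in pf_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            calls.extend(IDENT.findall(s))
    return calls

def expansion_path(defs, name, target, seen=()):
    # Depth-first expansion: return the chain name -> ... -> target, or None.
    if name == target:
        return [name]
    if name in seen or name not in defs:
        return None
    for child in IDENT.findall(defs[name]):
        path = expansion_path(defs, child, target, seen + (name,))
        if path:
            return [name] + path
    return None

def audit_pf(pf_text, base_def, target="accept_fw1_rdp"):
    # Every chain by which a top-level .pf statement pulls in `target`; [] means clean.
    defs = parse_defines(base_def)
    paths = [expansion_path(defs, c, target) for c in top_level_calls(pf_text)]
    return [p for p in paths if p]
```

Running audit_pf on the two excerpts reproduces the mail's finding: w_control.pf reaches accept_fw1_rdp via accept_fw1_connections3, wo_control.pf does not.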
