Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Check Point SmartDashboard Buffer Overflow

From: "Andreas Constantinides (MegaHz)" <megahz () megahz org>
Date: Thu, 25 Mar 2004 03:20:07 +0200
MegaHz Security Advisory
19/03/2004

Check Point SmartDashboard Buffer Overflow



Summary
===================

        The Check Point Smartview Tracker which is the log viewer for Check
Point Firewall-1        is suffering from buffer overflow vulnerabilities to
various of its fields.

Systems Affected
===================

        This vulnerability exists in Check Point NG AI R54/R55
        And maybe other versions too.


Details
===================

The vulnerability:
        Open Check Point Smartview Tracker, and construct a filter on any
column. 
        Filter that column by a 30000 (character size) string. 
        When you add that filter and the Tracker starts to filter the logs it
stops and               popups a message "Server is disconnected!"
        When you click on OK then all the open Check Point management gui
(SmartDashboard,                Smartview Tracker, Smartview Monitor etc) are
automatically close.
        If you have made any changes on your firewall policy then it popups
another message                 that no changes will be saved.

What was not checked:
        The case in which more than one Smartview Tracker windows                       are open
on different machines and connected on the same Smartcenter and one of
them    exploits this vulnerability. Are all the clients going to be
disconnected.
        
        The details collumn also suffers from this vulnerability. What about if
some one is     exploiting a webserver using a manual 30000 character http
address request. The            smartdefense of the firewall will block it (as
normal long request). But what is       going to show in the details collumn?
If it shows the whole string is it going to     show it? or disconnect you
every time you will try to view it? (This is an extreme                 scenario but
probably could happen)
        

Solution
===================

    The vendor has been informed.







===================
===================

        Discovered by: Andreas Constantinides (MegaHz)
        My email: megahz () megahz org
        My web page: www.megahz.org
Previous By Date Next
Previous By Thread Next

Current thread: