Bug in remote GUI access in CheckPoint Firewall


Date: 8 Sep 2001 01:40:42 -0000
From: [email protected]
To: [email protected]
Subject: Bug in remote GUI access in CheckPoint Firewall

There is a bug in how the desktop GUI for managing 
 a CheckPoint firewall handles log viewer saves. 
Regardless of the type of user defined for GUI 
access, the user can save the file to any 
directory they wish as well as a few other things. 
This has been verified from ver. 3.0b through ver. 
4.1 SP2. The vendor was contacted on 
January 30, 2001 and responded on February 1, 2001 
that they were looking into it. They have not 
responded to any emails since then in an attempt 
to get status information with regards to this 
bug. I have since then verified that ver. 4.1 SP3 
also contains the bug.

Below in dashes are the contents of the email sent to
the vendor:

--------------------------------------------------

Check Point Firewall-1 ver. 3.0b through 4.1 SP2 
on the Solaris 2.6-2.7 (latest patches) platform

BUG found on 01/26/01 by Alan Darien, 
SecureTrendz, Inc. 

Product:	Check Point Firewall-1 ver. 3.0b through 4.1 SP2
Platform:	Sun Microsystems Ultra-2
Operating System:	Solaris 2.6 and Solaris 2.7 with latest patches

I have found a bug that exists in all versions of 
Check Point Firewall. I have verified it in ver. 
3.0b, ver. 4.0 and ver. 4.1 with SP2.  The bug is 
local to the firewalled workstation.

Description:
As a remote administrative user with write 
privileges of the Firewall using the remote 
GUI-client Log Viewer application, I can cause 
potential DoS actions.

I can create and overwrite any file anywhere on 
the system except the active log file (fw.log). 
Under Firewall ver. 3.0b and ver. 4.0, I can also 
do this with Monitor, Read-Only and User-Edit 
privileges. I must log onto the GUI with a given 
user id but the process is actually run as the 
root user on the firewalled system.

Examples:

1. As a firewall administrator with no login 
access to the firewall management station (which 
can be the same as the firewall server), I can use 
the GUI-client to create or overwrite a file by 
launching the Log Viewer and saving my selection 
under File->Save As. I am not prevented from 
inputting a saved location such as: /etc/shadow. 
Nor am I prompted that the file may already exist 
and do I want to overwrite it IF I save to a 
directory other than /etc/fw/log. In the above 
case, a file will be created on the firewall 
management station as /etc/shadow.log. NOTE: The 
".log" extension is automatically appended to the 
saved file. Because of this, I can corrupt certain
log files (i.e. vold.log, I know...BFD!) and any
other log files that may have been defined by the
system administrative team that end in ".log".
This assumes that I know of those files.

a) Launch the firewall GUI-client and open the Log 
viewer.
b) Save the selection (can narrow the selection if 
you wish) as /var/adm/vold
c) Now see that I have created (or overwritten) a 
/var/adm/vold.log file, with a file of type "data"
d) By doing the above with a large log file, a 
smaller filesystem can be filled up as well
e) Or I can overwrite exported log files as well


As I will show in the next example, it can get 
worse.

2. As a firewall administrator with non-root login 
access to the firewall management station (which 
can be the same as the firewall server), I can use 
the GUI-client to create or overwrite a file by 
launching the Log Viewer and saving my selection 
under File->Save As. Again, I am not prompted that 
the file exists if I save to another directory 
than /etc/fw/log. Now, it gets worse. As a user
with non-root login access I can go to /tmp and 
create a link file such as:
a) ln -s /.rhosts /tmp/trythis.log
b) Launch the firewall GUI-client and open the Log 
viewer.
c) Save the selection (can narrow the selection if 
you wish) as /tmp/trythis
d) Now see that I have created a /.rhosts file, 
albeit a file of type "data"
e) Now create another link: ln -s /etc/shadow 
/tmp/trythis.log
f) Repeat steps b-c
g) Now see that I have overwritten the /etc/shadow 
file with data, can we say DoS to system 
administrators

The system administrators are forced to boot to 
CD-Rom and fix the password files. 

Fixes:
1. Prevent the use of "/" absolute directory input 
in the File-> Save As option. This forces all 
saves to the default location only. This is 
actually what you do for saves from the Policy 
Editor, so you already have the code for checking 
for this in-house. 
2. Prevent the ability to overwrite any existing 
files. At the least there should always be a 
prompt if the file already exists and this will 
prevent files from being overwritten as well as 
any link files that may already exist.
3. Upgrade to ver. 4.1 SP2 and only give Firewall 
GUI access to administrators who also have 
superuser access to the firewalled operating 
system. 

--------------------------------------------------

As I mentioned above, ver. 4.1 SP3 also contains 
the bug. So upgrading won't fix it BUT is still 
good to do to stay current.

  -  Alan Darien
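
Fixes 1 and 2 in the message above (bare file names only, never write over an existing file or link) map onto a short piece of POSIX C. This is an added example, not part of the original post and not Check Point's code; `safe_log_save`, the sandbox directory and the dangling link target are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW, mkdtemp, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not Check Point code): create <log_dir>/<name>.log
 * for a log export. Returns an open fd, or -1 with errno set. */
int safe_log_save(const char *log_dir, const char *name)
{
    char path[4096];
    int n;

    /* Fix 1: accept a bare file name only, so every save stays in log_dir. */
    if (name[0] == '\0' || strchr(name, '/') != NULL) {
        errno = EINVAL;
        return -1;
    }
    n = snprintf(path, sizeof path, "%s/%s.log", log_dir, name);
    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* Fix 2: O_CREAT|O_EXCL fails with EEXIST when the name already exists,
     * and that includes a symlink at the target, dangling or not, so the
     * root-owned writer never follows it. O_NOFOLLOW is a backstop. */
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

int main(void)
{
    char dir[] = "/tmp/fwsave.XXXXXX", link[64];   /* constructed sandbox */

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(link, sizeof link, "%s/trythis.log", dir);
    if (symlink("/nonexistent/target", link) != 0)  /* pre-existing link */
        return 1;

    printf("absolute path : %d\n", safe_log_save(dir, "/etc/shadow"));
    printf("existing link : %d\n", safe_log_save(dir, "trythis"));
    printf("fresh name ok : %d\n", safe_log_save(dir, "export1") >= 0);
    printf("same name     : %d\n", safe_log_save(dir, "export1"));
    return 0;
}
```

The first, second and fourth calls return -1 (EINVAL, EEXIST, EEXIST); only the fresh name in the default directory is created.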
