Date: 8 Sep 2001 01:40:42 -0000
From: [email protected]
To: [email protected]
Subject: Bug in remote GUI access in CheckPoint Firewall
There is a bug in how the desktop GUI for managing
a CheckPoint firewall handles log viewer saves.
Regardless of the type of user defined for GUI
access, the user can save the file to any
directory they wish as well as a few other things.
This has been verified from ver. 3.0b through ver.
4.1 SP2. The vendor was contacted on
January 30, 2001 and responded on February 1, 2001
that they were looking into it. They have not
responded to any emails since then in an attempt
to get status information with regards to this
bug. I have since then verified that ver. 4.1 SP3
also contains the bug.
Below in dashes is contents of the email sent to
the vendor:
--------------------------------------------------
Check Point Firewall-1 ver. 3.0b through 4.1 SP2
on the Solaris 2.6-2.7 (latest patches) platform
BUG found on 01/26/01 by Alan Darien,
SecureTrendz, Inc.
Product: Check Point Firewall-1 ver. 3.0b
through 4.1 SP2
Platform: Sun Microsystem Ultra-2
Operating System: Solaris 2.6 and Solaris
2.7 with latest patches
I have found a bug that exists in all versions of
Check Point Firewall. I have verified it in ver.
3.0b, ver. 4.0 and ver. 4.1 with SP2. The bug is
local to the firewalled workstation.
Description:
As a remote administrative user with write
privileges of the Firewall using the remote
GUI-client Log Viewer application, I can cause
potential DoS actions.
I can create and overwrite any file anywhere on
the system except the active log file (fw.log).
Under Firewall ver. 3.0b and ver. 4.0, I can also
do this with Monitor, Read-Only and User-Edit
privileges. I must log onto the GUI with a given
user id but the process is actually run as the
root user on the firewalled system.
Examples:
1. As a firewall administrator with no login
access to the firewall management station (which
can be the same as the firewall server), I can use
the GUI-client to create or overwrite a file by
launching the Log Viewer and saving my selection
under File->Save As. I am not prevented from
inputting a saved location such as: /etc/shadow.
Nor am I prompted that the file may already exist
and do I want to overwrite it IF I save to a
directory other than /etc/fw/log. In the above
case, a file will be created on the firewall
management station as /etc/shadow.log. NOTE: The
".log" extension is automatically appended to the
saved file. Because of this, I can corrupt certain
log files (i.e. vold.log, I know... BFD!) and any
other log files that may have been defined by the
system administrative team that ends in ".log".
This assumes that I know of those files.
a) Launch the firewall GUI-client and open the Log
viewer.
b) Save the selection (can narrow the selection if
you wish) as /var/adm/vold
c) Now see that I have created (or overwritten) a
/var/adm/vold.log file, with a file of type "data"
d) By doing the above with a large log file, a
smaller filesystem can be filled up as well
e) Or I can overwrite exported log files as well
As I will show in the next example, it can get
worse.
2. As a firewall administrator with non-root login
access to the firewall management station (which
can be the same as the firewall server), I can use
the GUI-client to create or overwrite a file by
launching the Log Viewer and saving my selection
under File->Save As. Again, I am not prompted that
the file exists if I save to another directory
than /etc/fw/log. Now, it gets worse. As a user
with non-root login access I can go to /tmp and
create a link file such as:
a) ln -s /.rhosts /tmp/trythis.log
b) Launch the firewall GUI-client and open the Log
viewer.
c) Save the selection (can narrow the selection if
you wish) as /tmp/trythis
d) Now see that I have created a /.rhosts file,
albeit a file of type "data"
e) Now create another link: ln -s /etc/shadow
/tmp/trythis.log
f) Repeat steps b-c
g) Now see that I have overwritten the /etc/shadow
file with data; can we say DoS to system
administrators?
The system administrators are forced to boot to
CD-Rom and fix the password files.
Fixes:
1. Prevent the use of "/" absolute directory input
in the File->Save As option. This forces all
saves to the default location only. This is
actually what you do for saves from the Policy
Editor, so you already have the code for checking
for this in-house.
2. Prevent the ability to overwrite any existing
files. At the least there should always be a
prompt if the file already exists and this will
prevent files from being overwritten as well as
any link files that may already exist.
3. Upgrade to ver. 4.1 SP2 and only give Firewall
GUI access to administrators who also have
superuser access to the firewalled operating
system.
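Fixes 1 and 2 above describe what a safe save routine has to do: accept only a plain file name (no "/" anywhere, so the result cannot leave the default log directory) and never overwrite or follow whatever already sits at the destination. The following C is an added illustration of those two rules and is not Check Point's code nor part of the original post; the names safe_log_save, name_is_plain, the save_result codes and the selftest helper are hypothetical, and the scratch directory, sample data and planted symlink in the self-test are constructed for the demonstration. The check relies on the POSIX guarantee that open() with O_CREAT|O_EXCL fails with EEXIST when the path names a symbolic link, even a dangling one, so a link planted in /tmp as in example 2 is refused rather than followed.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700          /* mkdtemp, symlink, O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* absent on some old platforms; O_EXCL alone still refuses symlinks */
#endif

/* Result codes of safe_log_save (hypothetical API, not Check Point's). */
enum save_result {
    SAVE_OK       =  0,
    SAVE_BAD_NAME = -1,  /* absolute path, contains '/', empty, "." or ".." */
    SAVE_TOO_LONG = -2,  /* base_dir + name + ".log" exceeds the path buffer */
    SAVE_EXISTS   = -3,  /* path already occupied, including by a symlink */
    SAVE_IO_ERROR = -4   /* any other open/write/close failure */
};

/* Fix 1: only a plain file name is accepted, so the save can never leave base_dir. */
static int name_is_plain(const char *name)
{
    if (name == NULL || *name == '\0') return 0;
    if (strchr(name, '/') != NULL)    return 0;   /* "/etc/shadow", "../x" */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* Fix 2: create <base_dir>/<name>.log and refuse to overwrite or follow
 * whatever already sits there. Returns an enum save_result value. */
int safe_log_save(const char *base_dir, const char *name,
                  const char *data, size_t len)
{
    char path[4096];
    int n, fd;

    if (!name_is_plain(name))
        return SAVE_BAD_NAME;
    n = snprintf(path, sizeof path, "%s/%s.log", base_dir, name);
    if (n < 0 || (size_t)n >= sizeof path)
        return SAVE_TOO_LONG;

    /* POSIX: O_CREAT|O_EXCL fails with EEXIST if the path names a symlink,
     * even a dangling one, so a planted link is never followed. O_NOFOLLOW
     * is a second line of defence where the platform supports it. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return errno == EEXIST ? SAVE_EXISTS : SAVE_IO_ERROR;

    while (len > 0) {                    /* write() may be partial */
        ssize_t w = write(fd, data, len);
        if (w < 0) {
            if (errno == EINTR) continue;
            close(fd);
            return SAVE_IO_ERROR;
        }
        data += w;
        len  -= (size_t)w;
    }
    return close(fd) == 0 ? SAVE_OK : SAVE_IO_ERROR;
}

/* Exercise the routine in a scratch directory with constructed data and a
 * symlink planted at the destination. Returns 0 when every expectation
 * holds, otherwise the number of the first failed check. */
int safe_log_save_selftest(void)
{
    char dir[] = "/tmp/fwsaveXXXXXX", link[4200], victim[4200], out[4200];
    const char sample[] = "constructed sample log line\n";
    size_t slen = sizeof sample - 1;
    int rc = 0;

    if (mkdtemp(dir) == NULL) {          /* fall back to the working directory */
        strcpy(dir, "./fwsaveXXXXXX");
        if (mkdtemp(dir) == NULL) return 1;
    }
    snprintf(out, sizeof out, "%s/export1.log", dir);
    snprintf(link, sizeof link, "%s/planted.log", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);

    if (safe_log_save(dir, "/etc/shadow", sample, slen) != SAVE_BAD_NAME) rc = 2;
    else if (safe_log_save(dir, "../passwd", sample, slen) != SAVE_BAD_NAME) rc = 3;
    else if (safe_log_save(dir, "export1", sample, slen) != SAVE_OK) rc = 4;
    else if (safe_log_save(dir, "export1", sample, slen) != SAVE_EXISTS) rc = 5;
    else if (symlink(victim, link) != 0) rc = 6;
    else if (safe_log_save(dir, "planted", sample, slen) != SAVE_EXISTS) rc = 7;
    else if (access(victim, F_OK) == 0) rc = 8;   /* link target must never appear */

    unlink(out); unlink(link); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = safe_log_save_selftest();
    printf("self-test %s (code %d)\n", rc == 0 ? "passed" : "FAILED", rc);
    return rc;
}
```

Rejecting the name before any path is built is deliberate: a check that canonicalises the final path and then compares it against the log directory would still race against a symlink swapped in after the check, whereas O_EXCL makes the kernel perform the existence and symlink test atomically with the create. Fix 3 (restricting GUI access to administrators who already hold root) is a policy measure and needs no code.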
--------------------------------------------------
As I mentioned above, ver. 4.1 SP3 also contains
the bug. So upgrading won't fix it BUT is still
good to do to stay current.
- Alan Darien