A remote administrative user with write privileges on the firewall can use the remote GUI-client Log Viewer application to launch a potential DoS attack on the firewall.
The same user can also create and overwrite any file anywhere on the system except the active log file (fw.log). Under Firewall version 3.0b and version 4.0, this can also be done with Monitor, Read-Only and User-Edit privileges. Although you must log on to the GUI with a given user ID, the process is actually executed as the root user on the firewalled system.
Credit:
The information has been provided by Adarien.
Vulnerable systems:
Check Point Firewall-1 version 3.0b up to, but not including, 4.1 SP2
Examples:
1. As a firewall administrator with no login access to the firewall management station (which can be the same as the firewall server), you can use the GUI-client to create or overwrite a file by launching the Log Viewer and saving the selection under File->Save As. You are not prevented from entering a save location such as /etc/shadow, nor are you warned that the file may already exist and asked whether you want to overwrite it (if you save to a directory other than /etc/fw/log). NOTE: The ".log" extension is automatically appended to the saved file.
Because of this, you can corrupt certain log files (e.g. vold.log) and any other log files defined by the system administration team that end in ".log". This assumes that you know of the existence of those files.
Steps to recreate:
a) Launch the firewall GUI-client and open the Log viewer.
b) Save the selection (can narrow the selection if you wish) as /var/adm/vold
c) Now see that you have created (or overwritten) /var/adm/vold.log, a file of type "data"
d) By doing the above with a large log file, a smaller file system can be filled up as well
e) Or you can overwrite exported log files as well
As you will see in the next example, it can get worse.
2. As a firewall administrator with non-root login access to the firewall management station (which can be the same as the firewall server), you can use the GUI-client to create or overwrite a file by launching the Log Viewer and saving the selection under File->Save As. Again, you are not warned that the file exists (if you save to a directory other than /etc/fw/log). Now it gets worse. As a user with non-root login access, you can go to /tmp and create a link file such as:
a) ln -s /.rhosts /tmp/trythis.log
b) Launch the firewall GUI-client and open the Log viewer.
c) Save the selection (can narrow the selection if you wish) as /tmp/trythis
d) Now see that you have created a /.rhosts file, a file of type "data"
e) Now create another link: ln -s /etc/shadow /tmp/trythis.log
f) Repeat steps b-c
g) Now see that you have overwritten the /etc/shadow file with data (A DoS attack).
Fixes:
Upgrade to version 4.1 SP2 and only give Firewall GUI access to administrators who also have superuser access to the firewalled operating system.
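Both examples come down to a root-owned process opening a client-supplied path with no containment, no existence check, and symbolic links followed. The C function below is an added illustration of a save routine that closes those three gaps; it is not Check Point's code and not part of the original advisory. The name safe_log_create, the scratch directory and the link target are assumptions, and the log directory is assumed to be a fixed path that only root can write to.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not Check Point code): create "<name>.log" inside
 * logdir only. Returns an open fd, or -1 with errno set. */
int safe_log_create(const char *logdir, const char *name)
{
    char fname[256];
    int dfd, fd, saved;

    /* Accept a bare file name only: with no '/' allowed, a request such
     * as "/etc/shadow" or "../x" can never leave logdir. */
    if (name[0] == '\0' || strchr(name, '/') != NULL) {
        errno = EINVAL;
        return -1;
    }
    if (snprintf(fname, sizeof fname, "%s.log", name) >= (int)sizeof fname) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* Pin the destination directory, then create relative to it. */
    dfd = open(logdir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0)
        return -1;
    /* O_EXCL refuses any existing name, including a pre-planted symlink
     * (it is not followed); O_NOFOLLOW is defence in depth. */
    fd = openat(dfd, fname, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    saved = errno;
    close(dfd);
    errno = saved;
    return fd;
}

int main(void)
{
    char dir[] = "/tmp/logsaveXXXXXX";      /* constructed scratch directory */
    char lnk[64];
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(lnk, sizeof lnk, "%s/trythis.log", dir);
    if (symlink("/nonexistent/target", lnk) != 0) return 1; /* constructed link */
    printf("symlinked name: %d\n", safe_log_create(dir, "trythis"));
    printf("absolute path:  %d\n", safe_log_create(dir, "/etc/shadow"));
    printf("fresh name ok:  %d\n", safe_log_create(dir, "export1") >= 0);
    return 0;
}
```

A caller that gets EEXIST back can ask the operator to confirm and pick another name, which is the overwrite prompt the advisory notes is missing.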