Re: Firewall-1 Reserved Keywords Vulnerability

[paul_watson () IRIDIUM COM (Paul Watson)]

I recently received the following additional information regarding reserved
words/characters when using Firewall-1 objects.
======================================================================
A List of Characters and Reserved Words Forbidden to Use in FireWall-1 Objects
Definition.  You should definitely avoid using the following characters and
reserved words within FireWall-1 objects definition (i.e., Network Objects,
Users, Groups etc.):

Illegal characters:
String contains ' ' (space)
String contains '+'
String contains '*'
String contains '?'
String contains '('
String contains ')'
String contains '{'
String contains '}'
String contains '['
String contains ']'
String contains '!'
String contains '#'
String contains '<'
String contains '>'
String contains '='
String contains ',' (comma)
String contains ':' (colon)
String contains ';' (semicolon)
String contains ''' (quote)
String contains '`' (back quote)
String contains '"' (double quote)
String contains '/' (slash)
String contains '\' (back slash)
String contains '\t' (tab)

  INSPECT reserved words:

"accept" "expcall" "hosts" "modify" "pass" "set"
"and" "expires" "if" "navy blue" "r_arg" "skippeer"
"black" "firebrick" "ifaddr" "netof" "r_cdir" "src"
"blue" "foreground" "ifid" "nets" "r_cflags" "static"
"broadcasts" "forest green" "in" "nexpires" "r_ckey" "sync"
"call" "format" "inbound" "not" "r_connarg" "targets"
"date" "from" "interface" "or" "r_ctype" "to"
"day" "fwline" "interfaces" "orange" "r_entry" "tod"
"define" "fwrule" "ipsecmethods" "origdport" "r_proxy_action" "ufp"
"delete" "gateways" "ipsecdata" "origdst" "r_tab_status" "vanish"
"direction" "get" "kbuf" "origsport" "r_xlate" "wasskipped"
"do" "gold" "keep" "origsrc" "record" "xlatedport"
"domains" "gray 101" "limit" "other" "red" "xlatedst"
"drop" "green" "log" "outbound" "refresh" "xlatesport"
"dst" "hold" "magenta" "packet" "reject" "xlatesrc"
"dynamic" "host" "medium slate blue" "packetid" "routers" "xor"

Scoped reserved words:

"gateways"
"host"
"netobj"
"resourceobj"
"routers"
"servobj"
"servers"
"tracks"
"targets"
"ufp"

Colors reserved words:

"black"
"blue"
"cyan"
"dark green"
"dark orchid"
"firebrick"
"foreground"
"forest green"
"gold"
"gray 101"
"green"
"magenta"
"medium slate blue"
"navy blue"
"orange"
"red"
"sienna"
"yellow"

-Paul Watson
+-------------------------+---------------------------------+
| Paul Watson             | Senior Network Security Engineer|
|                         | IRIDIUM LLC                     |
| paul_watson () iridium com | "One World, One Phone!"         |
+-------------------------+---------------------------------+

Aleph One wrote:
> This vulnerability in Firewall-1 has been made public by CheckPoint
> but hasn't been well publicized.
>
> Most of this information is taken verbatim from the CheckPoint web page
> on this issue. You can find this page at
> http://www.checkpoint.com/techsupport/config/keywords.html
>
> Summary:
>
> If you use one of several reserved keywords to represent any user defined
> object in a rule the default definition of "ANY" will be used instead.
> This behavior may grant (or deny) access to a greater number of addresses
> or services than expected.
>
> Description:
>
> The following keywords should not be used to represent any user defined
> object in a FireWall-1 installation:
>
>          Short, Long, Account, Alert, SnmpTrap, Mail, UserDefined, spoof,
>          spoofalert, Auth, AuthAlert, Duplicate basewin, serviceswin,
>          netobjwin, viewwin, users, resources, time, true, false, last,
>          first, status_alert, fwalert
>
> If any of these keywords are used to represent either a network or a
> service object and are subsequently used in a security policy, FireWall-1
> will interpret the object definition as "undefined". If no other object is
> used either in the source/destination or service field of the rule, then
> the default address definition of "ANY" is used for that particular field.
>
> Note that in practice only objects in the "tracking" menu of type "alert"
> seem to behave this way. Objects such as "Long", of type "log", do not
> show this behavior.
>
> Example:
>
> If you have a rule that allows SMTP access to a machine called "Mail" on
> your DMZ you are actually giving SMTP access to any machines behind the
> firewall.
>
> Recommendations
>
> If any of these keywords are defined as network objects or service objects
> and used in a rule base, then the object should be renamed and the
> security policy reloaded.
>
> Additional Notes
>
> Mechanisms are being built into future releases of FireWall-1 to prevent
> using these keywords as user defined objects.
>
> Aleph One / aleph1 () dfw net
> http://underground.org/
> KeyID 1024/948FD6B5
> Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

--