Bugtraq mailing list archives
Re: Firewall-1 Reserved Keywords Vulnerability
From: paul_watson () IRIDIUM COM (Paul Watson)
Date: Tue, 12 May 1998 16:50:27 -0400
I recently received the following additional information regarding reserved words/characters when using Firewall-1 objects.

======================================================================

A List of Characters and Reserved Words Forbidden to Use in FireWall-1 Objects Definition.

You should definitely avoid using the following characters and reserved words within FireWall-1 objects definition (i.e., Network Objects, Users, Groups etc.):

Illegal characters:

  String contains ' '  (space)
  String contains '+'
  String contains '*'
  String contains '?'
  String contains '('
  String contains ')'
  String contains '{'
  String contains '}'
  String contains '['
  String contains ']'
  String contains '!'
  String contains '#'
  String contains '<'
  String contains '>'
  String contains '='
  String contains ','  (comma)
  String contains ':'  (colon)
  String contains ';'  (semicolon)
  String contains '''  (quote)
  String contains '`'  (back quote)
  String contains '"'  (double quote)
  String contains '/'  (slash)
  String contains '\'  (back slash)
  String contains '\t' (tab)

INSPECT reserved words:

  "accept"  "and"  "black"  "blue"  "broadcasts"  "call"
  "date"  "day"  "define"  "delete"  "direction"  "do"
  "domains"  "drop"  "dst"  "dynamic"  "expcall"  "expires"
  "firebrick"  "foreground"  "forest green"  "format"  "from"  "fwline"
  "fwrule"  "gateways"  "get"  "gold"  "gray 101"  "green"
  "hold"  "host"  "hosts"  "if"  "ifaddr"  "ifid"
  "in"  "inbound"  "interface"  "interfaces"  "ipsecmethods"  "ipsecdata"
  "kbuf"  "keep"  "limit"  "log"  "magenta"  "medium slate blue"
  "modify"  "navy blue"  "netof"  "nets"  "nexpires"  "not"
  "or"  "orange"  "origdport"  "origdst"  "origsport"  "origsrc"
  "other"  "outbound"  "packet"  "packetid"  "pass"  "r_arg"
  "r_cdir"  "r_cflags"  "r_ckey"  "r_connarg"  "r_ctype"  "r_entry"
  "r_proxy_action"  "r_tab_status"  "r_xlate"  "record"  "red"  "refresh"
  "reject"  "routers"  "set"  "skippeer"  "src"  "static"
  "sync"  "targets"  "to"  "tod"  "ufp"  "vanish"
  "wasskipped"  "xlatedport"  "xlatedst"  "xlatesport"  "xlatesrc"  "xor"

Scoped reserved words:

  "gateways"  "host"  "netobj"  "resourceobj"  "routers"
  "servobj"  "servers"  "tracks"  "targets"  "ufp"

Colors reserved words:

  "black"  "blue"  "cyan"  "dark green"  "dark orchid"  "firebrick"
  "foreground"  "forest green"  "gold"  "gray 101"  "green"  "magenta"
  "medium slate blue"  "navy blue"  "orange"  "red"  "sienna"  "yellow"

-Paul Watson

+-------------------------+---------------------------------+
| Paul Watson             | Senior Network Security Engineer|
|                         | IRIDIUM LLC                     |
| paul_watson () iridium com | "One World, One Phone!"      |
+-------------------------+---------------------------------+

Aleph One wrote:
This vulnerability in Firewall-1 has been made public by CheckPoint but hasn't been well publicized. Most of this information is taken verbatim from the CheckPoint web page on this issue. You can find this page at http://www.checkpoint.com/techsupport/config/keywords.html

Summary:

If you use one of several reserved keywords to represent any user defined object in a rule the default definition of "ANY" will be used instead. This behavior may grant (or deny) access to a greater number of addresses or services than expected.

Description:

The following keywords should not be used to represent any user defined object in a FireWall-1 installation:

  Short, Long, Account, Alert, SnmpTrap, Mail, UserDefined, spoof, spoofalert, Auth, AuthAlert, Duplicate
  basewin, serviceswin, netobjwin, viewwin, users, resources, time, true, false, last, first, status_alert, fwalert

If any of these keywords are used to represent either a network or a service object and are subsequently used in a security policy, FireWall-1 will interpret the object definition as "undefined". If no other object is used either in the source/destination or service field of the rule, then the default address definition of "ANY" is used for that particular field.

Note that in practice only objects in the "tracking" menu of type "alert" seem to behave this way. Objects such as "Long", of type "log", do not show this behavior.

Example:

If you have a rule that allows SMTP access to a machine called "Mail" on your DMZ you are actually giving SMTP access to any machines behind the firewall.

Recommendations

If any of these keywords are defined as network objects or service objects and used in a rule base, then the object should be renamed and the security policy reloaded.

Additional Notes

Mechanisms are being built into future releases of FireWall-1 to prevent using these keywords as user defined objects.
Aleph One / aleph1 () dfw net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
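The practical check both posts call for is an audit of existing object names against the forbidden characters and the four keyword lists before a policy is loaded. The following Python script is an added example and is not code from either post, from Check Point, or from the CheckPoint page cited above. It assumes the object names are supplied as a plain list of strings (the page shows no object-file format, so none is parsed), that keyword matching should be case-insensitive (a conservative assumption; the posts do not say how FireWall-1 compares names), and that "Duplicate basewin" in Aleph One's list is two keywords printed without a comma. The sample names at the bottom are constructed, not taken from any real rule base.

```python
import re

# Characters Paul Watson's list forbids in FireWall-1 object names
# (space, + * ? ( ) { } [ ] ! # < > = , : ; ' ` " / \ and tab).
ILLEGAL_CHAR_RE = re.compile(r"""[ +*?(){}\[\]!#<>=,:;'`"/\\\t]""")


def _words(text):
    """Split a comma-separated keyword list into a lowercase set."""
    return {w.strip().lower() for w in text.split(",") if w.strip()}


# INSPECT reserved words, as listed in Paul Watson's post.
INSPECT_RESERVED = _words("""
accept, and, black, blue, broadcasts, call, date, day, define, delete,
direction, do, domains, drop, dst, dynamic, expcall, expires, firebrick,
foreground, forest green, format, from, fwline, fwrule, gateways, get, gold,
gray 101, green, hold, host, hosts, if, ifaddr, ifid, in, inbound, interface,
interfaces, ipsecmethods, ipsecdata, kbuf, keep, limit, log, magenta,
medium slate blue, modify, navy blue, netof, nets, nexpires, not, or, orange,
origdport, origdst, origsport, origsrc, other, outbound, packet, packetid,
pass, r_arg, r_cdir, r_cflags, r_ckey, r_connarg, r_ctype, r_entry,
r_proxy_action, r_tab_status, r_xlate, record, red, refresh, reject, routers,
set, skippeer, src, static, sync, targets, to, tod, ufp, vanish, wasskipped,
xlatedport, xlatedst, xlatesport, xlatesrc, xor
""")
SCOPED_RESERVED = _words("""gateways, host, netobj, resourceobj, routers,
servobj, servers, tracks, targets, ufp""")
COLOR_RESERVED = _words("""black, blue, cyan, dark green, dark orchid,
firebrick, foreground, forest green, gold, gray 101, green, magenta,
medium slate blue, navy blue, orange, red, sienna, yellow""")
# Keywords from the Check Point page quoted by Aleph One: an object with one
# of these names is read as "undefined" and the rule field falls back to ANY.
# Assumption: "Duplicate basewin" on the page is two separate keywords.
ANY_KEYWORDS = _words("""Short, Long, Account, Alert, SnmpTrap, Mail,
UserDefined, spoof, spoofalert, Auth, AuthAlert, Duplicate, basewin,
serviceswin, netobjwin, viewwin, users, resources, time, true, false, last,
first, status_alert, fwalert""")

KEYWORD_LISTS = (
    ("Check Point keyword list", ANY_KEYWORDS),
    ("INSPECT reserved word", INSPECT_RESERVED),
    ("scoped reserved word", SCOPED_RESERVED),
    ("color name", COLOR_RESERVED),
)


def illegal_chars(name):
    """Sorted list of distinct forbidden characters found in the name."""
    return sorted(set(ILLEGAL_CHAR_RE.findall(name)))


def reserved_hits(name):
    """Labels of every keyword list the name collides with.

    Assumption: comparison is case-insensitive, so "Mail" and "mail" both hit.
    """
    key = name.strip().lower()
    return [label for label, words in KEYWORD_LISTS if key in words]


def check_object_name(name):
    """Return a list of human-readable problems; empty means the name is clean."""
    problems = []
    chars = illegal_chars(name)
    if chars:
        problems.append("illegal characters: " + " ".join(repr(c) for c in chars))
    for label in reserved_hits(name):
        problems.append("matches " + label)
    return problems


def audit(names):
    """Map each failing object name to its problems; clean names are omitted."""
    findings = {}
    for name in names:
        problems = check_object_name(name)
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    # Constructed sample object names (not from any real rule base).
    sample = ["Mail", "dmz-smtp-relay", "web server", "gray 101",
              "HQ_Gateway", "Users", "host"]
    for name, problems in audit(sample).items():
        print(f"{name!r}: {'; '.join(problems)}")
```

Any name reported here should be renamed and the policy reloaded, as the Check Point recommendation says; the "Mail" case is exactly the DMZ example in Aleph One's post. The check is deliberately broader than the behaviour Aleph One observed (only "alert"-type tracking objects misbehaving in practice), because renaming a clean object costs nothing and a missed one opens a rule to ANY.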