Bugtraq mailing list archives
Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x
From: vanja () RELAYGROUP COM (Vanja Hrustic)
Date: Sat, 22 Jan 2000 17:33:24 +0700
root wrote:
The workaround is to use Checkpoint's encrypted authentication program "SecuRemote" and not allow clear text authentication (browser based, telnet, etc.) to destinations beyond the firewall.
But you can still authenticate to the firewall, using SecuRemote - and have unlimited number of tries. FW-1 will let you know if username exists or not. It was tested with V4.0.
#2 The default configuration in FW-1 allows for rlogin management of the server. The rlogin prompt is available on all NICs. Unless a rule is placed in your ruleset to drop or reject all connections to the firewall, the authentication problem above can be used to remotely administer someone else's firewall without them knowing.
To be honest, I don't think there is a 'default' configuration of Firewall-1. I am not a FW-1 reseller, and I can not say if there are any 'procedures' that resellers are supposed to follow, but so far I've seen a few completely different setups of FW-1 (on Solaris). One machine was completely 'stripped down', another one had a few rpc services running, while some other one had absolutely *everything* running.

From the outside, you can't do anything, so it's not such a big deal, but once you manage to get into the internal network it is a piece of cake to 'own' a Firewall-1 box. Not because of Firewall-1 vulnerabilities, but because of Solaris bugs and bad firewall rules (admin not barring access to the fw from the internal network). I don't think it is a Firewall-1 problem (problem #2); it's more of a sysadmin problem.

A very good document about stripping Solaris can be found at:
http://www2.checkpoint.com/~joe/strip-sunserver.txt

You can find some other interesting documents there as well.
http://www2.checkpoint.com/~joe/

--
Vanja Hrustic
SAFER Editor
SAFER - free monthly security newsletter
Subscriptions at http://safer.siamrelay.com
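The two weaknesses discussed in this thread (an authentication prompt that reveals whether a username exists and places no limit on attempts, plus a management service reachable on every interface) are at least detectable from the firewall's own authentication logs. The script below is an added example for this archive page, not code from Check Point or from either poster. The log format it parses is constructed for the example and is not FW-1's real log format; the thresholds (`max_failures`, `max_users`, `window`) are illustrative assumptions.

```python
"""Flag sources that hammer an authentication prompt: too many failures
in a short window (unlimited tries) or many distinct usernames from one
source (username probing, which a prompt that discloses whether a user
exists makes worthwhile).

Log line format is CONSTRUCTED for this example:
    <epoch_seconds> <src_ip> <username> <OK|FAIL>
"""
from collections import defaultdict

# Constructed sample log: 10.0.0.5 cycles through usernames and fails
# every time; 10.0.0.9 is a real user who mistypes once, then succeeds.
SAMPLE_LOG = """\
946684800 10.0.0.5 alice FAIL
946684805 10.0.0.5 bob FAIL
946684810 10.0.0.5 carol FAIL
946684815 10.0.0.5 dave FAIL
946684820 10.0.0.5 eve FAIL
946684825 10.0.0.5 admin FAIL
946684900 10.0.0.9 alice FAIL
946684910 10.0.0.9 alice OK
this line is malformed and must be skipped
"""


def parse_log(text):
    """Return a list of (timestamp, src, user, result) tuples.
    Malformed lines are skipped rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        ts, src, user, result = parts
        events.append((int(ts), src, user, result))
    return events


def find_suspicious_sources(events, max_failures=5, max_users=3, window=300):
    """Return {src_ip: [reasons]} for sources that exceed max_failures
    failed attempts inside any `window`-second span, or that fail with
    more than max_users distinct usernames (enumeration pattern).
    Thresholds are illustrative assumptions, not vendor defaults."""
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    flagged = defaultdict(list)
    for src, fails in failures.items():
        fails.sort()
        # Sliding window over failure timestamps: advance `start` until
        # the span [start, end] fits inside `window` seconds.
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 > max_failures:
                flagged[src].append("too many failures in window")
                break
        distinct_users = {user for _, user in fails}
        if len(distinct_users) > max_users:
            flagged[src].append("probing many usernames")
    return dict(flagged)


if __name__ == "__main__":
    for src, reasons in find_suspicious_sources(parse_log(SAMPLE_LOG)).items():
        print(src, "->", ", ".join(reasons))
```

Run against the constructed sample, 10.0.0.5 is reported for both patterns while 10.0.0.9's single mistyped password is ignored. The same sliding-window logic applies to any service that does not lock out or rate-limit on its own, which is the situation the poster describes.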