Bugtraq mailing list archives
Re: CheckPoint FW1 BUG
From: syke () NEWHACKCITY NET (uh Clem)
Date: Fri, 14 Jul 2000 13:56:23 -0700
On Fri, 14 Jul 2000 Hugo.van.der.Kooij () caiw nl wrote:
> The first thing to do is to strip the host the FW-1 software is to be installed on. Securing the OS before even starting to install the firewall is essential.
When the firewall itself is dependent upon services being active, this is somewhat difficult. See below.
> After installation you should secure the FW-1 software from any access to the machine you don't explicitly want. Always pay attention to the implied rules which can be made visible and should be thoroughly checked.
One of the other things we observed was the extremely poor state of permissions that Firewall-1's installation leaves things in. As far as I could tell, there was no option to run the firewall services as an alternate user besides SYSTEM. Some would argue this is necessary, but it really isn't; NT provides well documented APIs for adding specific privileges to a given user's token. These kinds of mistakes are generally present in win32 software written by people who haven't bothered to learn the platform.
> However it is quite unclear why accessing a port would cause a firewall process to go to 100%. But FW-1 v4.0 SP4 is NOT certified for NT 4.0 SP6a and it is recommended you upgrade to FW-1 v4.0 SP6 asap.
Ports 1030-103x are where registered RPC services are listening, much like 32767-328xx on Solaris. The ports are assigned by the RPC mapper (port 135 on NT, port 111 on Solaris) in the order the RPC services are started. What I think is happening here is that the firewall-1 service in question is running as an RPC service (frightening, eh?) and only expects local connections.

ttyl
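The practical check that follows from the point above is to see which dynamically assigned RPC listeners on the firewall host are bound to every interface rather than to loopback, since those are the ones a remote client can reach. The script below is an added example, not code from the original thread or from Check Point: it parses a constructed "netstat -an" style table (the sample rows are made up for illustration) and flags TCP listeners in the NT dynamic RPC port range that are bound to 0.0.0.0. The range bounds 1025-5000 are an assumption about the default NT 4 dynamic allocation and should be adjusted to the host being audited.

```python
"""Audit a Windows 'netstat -an' style listing for RPC-style listeners
that are reachable from the network. Added example; not from the original
post. The sample table below is constructed, not captured from a real host."""
import re
from dataclasses import dataclass
from typing import List

# Assumption: NT 4 hands dynamic ports to RPC services starting at 1025
# (the 1030-103x ports mentioned in the thread fall inside this range).
# The upper bound is an assumption; adjust for the host being audited.
RPC_DYNAMIC_RANGE = (1025, 5000)

# Constructed sample in the layout of 'netstat -an' on NT. Port 256 stands in
# for an FW-1 daemon listener; the 103x entries model RPC-assigned ports.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1031           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1032         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:256       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1035      10.0.0.5:2048          ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


_LINE = re.compile(r"\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?")


def parse_netstat(text: str) -> List[Listener]:
    """Return every listening socket in the table.

    TCP rows count only when their state is LISTENING; UDP rows carry no
    state column and are treated as listeners. Header and blank lines are
    skipped because they do not match the row pattern.
    """
    listeners = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, addr, port, _remote, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def exposed_rpc_listeners(listeners: List[Listener]) -> List[Listener]:
    """Listeners in the dynamic RPC range bound to all interfaces (0.0.0.0).

    A service that only expects local clients but binds 0.0.0.0 is exactly the
    case the thread describes: anything not filtered in front of the host can
    reach it. Loopback-bound entries are left out on purpose.
    """
    lo, hi = RPC_DYNAMIC_RANGE
    return [
        l for l in listeners
        if l.proto == "TCP" and lo <= l.port <= hi and l.addr == "0.0.0.0"
    ]


def audit(text: str) -> List[str]:
    """Human-readable findings, one line per exposed RPC-range listener."""
    return [
        f"TCP {l.port} listening on all interfaces inside the RPC dynamic "
        f"range {RPC_DYNAMIC_RANGE[0]}-{RPC_DYNAMIC_RANGE[1]}"
        for l in exposed_rpc_listeners(parse_netstat(text))
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT):
        print(finding)
```

Run against real output, the findings list is the set of ports that should either be closed, bound to 127.0.0.1, or explicitly covered by a rule (implied or not) before the host is put on a network segment anyone else can reach.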
Current thread:
- Re: CheckPoint FW1 BUG NHC Research (Jul 13)
- Re: CheckPoint FW1 BUG Hugo.van.der.Kooij () CAIW NL (Jul 14)
- Re: CheckPoint FW1 BUG uh Clem (Jul 14)
- Re: CheckPoint FW1 BUG Hugo.van.der.Kooij () CAIW NL (Jul 14)
- Re: CheckPoint FW1 BUG Jon Paul, Nollmann (Jul 17)
- Re: CheckPoint FW1 BUG Benjamin Smee (Jul 19)
- Re: CheckPoint FW1 BUG Per Hoff (Jul 19)