Full Disclosure mailing list archives
Several remotely exploitable format string vulnerabilities can lead to Checkpoint Firewall-1 compromise
From: Olaf Hahn <olaf.hahn () qsc de>
Date: Thu, 05 Feb 2004 11:16:16 +0100
Internet Security Systems Security Advisory
February 4, 2004

Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities

Synopsis:

ISS X-Force has discovered a flaw in the HTTP Application Intelligence component of Firewall-1. Application Intelligence is a relatively recent addition to the Firewall-1 product line and functions as an application proxy between untrusted networks and network servers for the purpose of detecting and preventing potential attacks. The vulnerabilities also exist within the HTTP Security Server application proxy that ships with all versions of Firewall-1 (including those prior to Application Intelligence releases). The affected components contain several remotely exploitable format string vulnerabilities.

Impact:

If HTTP Application Intelligence is enabled or the HTTP Security Server is used, a remote unauthenticated attacker may exploit one of these vulnerabilities and execute commands under the security context of the super-user, usually "SYSTEM" or "root". This attack may lead to direct compromise of the Firewall-1 server. Remote attackers may leverage this attack to successfully compromise heavily hardened networks by modifying or tampering with the firewall rules and configuration.

Affected Versions:

Checkpoint Firewall-1 NG-AI R55, R54, including SSL hotfix
Checkpoint Firewall-1 HTTP Security Server included with NG FP1, FP2, FP3
Checkpoint Firewall-1 HTTP Security Server included with 4.1

Description:

The Firewall-1 NG HTTP Application Intelligence (AI) component is an application proxy technology designed to prevent potential attacks or detect protocol anomalies targeted at servers behind the firewall. The HTTP Security Server provides similar capabilities and may also hand off traffic to third party content filtering applications or perform additional analysis such as authentication or header rewriting. AI supports several widely-used protocols, including HTTP, and is recommended for use by Checkpoint.

The HTTP portion of AI and the HTTP Security Server share a similar code-base and contain remotely exploitable flaws that may lead to full compromise of Firewall-1 servers. Several format string vulnerabilities manifest when validating HTTP requests. When various invalid portions of the request are specified, an error message is generated in which a user may partially specify the format string to an sprintf() call. One notable example is when an invalid scheme is given in the URI. By providing format string specifiers, an attacker may corrupt memory and execute arbitrary code with super-user privileges. In addition, with the correct format string specifiers this vulnerability may be exploited as a traditional heap overflow, leading to similar results.

Unsuccessful exploit attempts will disrupt all established HTTP sessions and stop Web traffic momentarily. Exploitation of this vulnerability on some platforms is non-trivial due to character and length restrictions placed on requests, but X-Force has developed a functional exploit for this issue and reliable remote code execution is possible.

Checkpoint has released an update to address this issue. The update is available at the following address:

http://www.checkpoint.com/techsupport/alerts/index.html

--
Kind regards

Olaf Hahn
Datennetzdienste/Security
QSC AG
Mathias-Brüggen-Str. 55
50829 Köln
Phone: +49 221 6698-443
Fax: +49 221 6698-409
E-Mail: olaf.hahn () qsc de
Internet: http://www.qsc.de

************************************
Being paranoid doesn't mean there isn't someone standing behind you after all.
************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
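The error path the advisory describes (an invalid URI scheme echoed back through an sprintf()-style call whose format the request partially controls), modelled as an added example. This is not Check Point or ISS X-Force code and not the advisory's own; the request-line parser, the `log_msg` helper, the function names and the probe request are all assumptions made here to show the vulnerable pattern next to its fix. The probe uses a doubled percent sign because `%%` is fully defined behaviour for the printf family, so it demonstrates that user bytes reached a format string without the crash that a memory-reading or memory-writing directive would cause.

```c
/* Added example: vulnerable vs. fixed scheme validation in an HTTP proxy.
 * Not Check Point / ISS code; all names and inputs below are constructed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define SCHEME_MAX 64
#define MSG_MAX    256

/* Assumed logging helper: whatever arrives as 'fmt' is interpreted by
 * vsnprintf(). Helpers like this are how a built-up error string ends
 * up being used as a format. */
static void log_msg(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, cap, fmt, ap);
    va_end(ap);
}

/* Copy the URI scheme ("http" in "GET http://host/ HTTP/1.0") into 'scheme'.
 * Returns 1 on success, 0 if the request line carries no scheme. */
static int get_scheme(const char *req, char *scheme, size_t cap)
{
    const char *uri = strchr(req, ' ');
    if (!uri) return 0;
    uri++;
    const char *end = uri + strcspn(uri, ": /");   /* scheme stops at ':' */
    if (*end != ':') return 0;                       /* e.g. "GET /index.html" */
    size_t n = (size_t)(end - uri);
    if (n == 0 || n >= cap) return 0;
    memcpy(scheme, uri, n);
    scheme[n] = '\0';
    return 1;
}

static int scheme_allowed(const char *scheme)
{
    return strcmp(scheme, "http") == 0 || strcmp(scheme, "https") == 0;
}

/* Return codes shared by both checkers. */
enum { REQ_OK = 0, REQ_REJECTED = 1, REQ_MALFORMED = -1 };

/* VULNERABLE pattern: the error text is assembled first, with the attacker's
 * scheme inside it, and then handed to the logger as its FORMAT argument.
 * Every '%' in the scheme is now a conversion directive: "%%" shrinks to "%",
 * "%x" reads the stack, "%n" writes memory, and a large field width makes the
 * output far longer than the attacker's input. */
int check_scheme_vuln(const char *req, char *err, size_t cap)
{
    char scheme[SCHEME_MAX], msg[MSG_MAX];
    if (!get_scheme(req, scheme, sizeof scheme)) return REQ_MALFORMED;
    if (scheme_allowed(scheme)) return REQ_OK;
    snprintf(msg, sizeof msg, "Invalid scheme: %s", scheme);
    log_msg(err, cap, msg);                     /* BUG: user bytes as format */
    return REQ_REJECTED;
}

/* FIXED pattern: the format is a literal and the scheme only ever travels as
 * the argument consumed by "%s", so its '%' bytes are copied verbatim and the
 * output length is bounded by 'cap'. */
int check_scheme_fixed(const char *req, char *err, size_t cap)
{
    char scheme[SCHEME_MAX];
    if (!get_scheme(req, scheme, sizeof scheme)) return REQ_MALFORMED;
    if (scheme_allowed(scheme)) return REQ_OK;
    log_msg(err, cap, "Invalid scheme: %s", scheme);
    return REQ_REJECTED;
}

int main(void)
{
    /* Constructed probe request (not from the advisory): the doubled '%' is
     * defined behaviour for printf-family functions, so it exposes the bug
     * without corrupting anything. */
    const char *probe = "GET %%://example.test/ HTTP/1.0";
    char a[MSG_MAX], b[MSG_MAX];
    check_scheme_vuln(probe, a, sizeof a);
    check_scheme_fixed(probe, b, sizeof b);
    printf("vulnerable: %s\nfixed:      %s\n", a, b);
    return 0;
}
```

The vulnerable checker turns `Invalid scheme: %%` into `Invalid scheme: %`; the fixed one returns the two percent signs unchanged. That collapse is the whole signal a tester needs: if bytes placed in the scheme come back with `%%` folded to `%`, they were interpreted as a format, and the memory-corruption and length-expansion outcomes the advisory lists follow from the same call site. The fix is the same one that applies to every sprintf()/syslog()-style sink: keep the format a string literal and pass untrusted data only as a `%s` argument, with a bounded output buffer.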