Re: Firewall-1 Reserved Keywords Vulnerability

[paul_watson () IRIDIUM COM (Paul Watson)]

Aleph Wrote: << SNIP >>
> This vulnerability in Firewall-1 has been made public by CheckPoint
> but hasn't been well publicized. << SNIP >>

Very scary.  I created a sample policy with 2 systems, Mail and Mail2, to see
what would happen.  I run 3.0b with patches on some internal networks and was
amazed to see the results of compiling the policy.  I have included portion of
the packet filter source and snippets of the resulting compiled output.  Note
that "Mail" appears in the pf file, but not in the fc output.  Ouch.

Although, I doubt many admins will name objects "netobjwin" or "viewwin".
However, I am quite sure that it is common for many Firewall-1 admins to name a
system "mail" in their host objects, so this potential vulnerability is probably
wide-spread.

It should be noted, however, that although this vulnerability may be present in
many internet Firewalls, it would only be easily exploitable if the internal
network consist of valid internet IP addresses.  i.e. Not RFC1918 internal
addressing.

-Paul Watson
+-------------------------+---------------------------------+
| Paul Watson             | Senior Network Security Engineer|
|                         | IRIDIUM LLC                     |
| paul_watson () iridium com | "One World, One Phone!"         |
+-------------------------+---------------------------------+

> From /etc/fw/conf/policyname.pf
=================================================
: (rule-3
                        :src (
                                : Any
                        )
                        :dst (
                                : Mail
                        )
                        :services (
                                : CommonEmail
                        )
                        :action (
                                : (accept
<< SNIP >>
: (rule-4
                        :src (
                                : Any
                        )
                        :dst (
                                : Mail2
                        )
                        :services (
                                : CommonEmail
                        )
                        :action (
                                : (accept
======================================================

From: /etc/fw/state/local.fc
==================================
#<> all@testfirewall
#accept (set sr10 (0)),
#(tcp, imap or pop-3 or smtp),
#RECORD_CONN(3),

<< SNIP >>

#<> all@testfirewall
#accept (set sr10 (0)),
#(tcp, imap or pop-3 or smtp),
#([ 16 , b] = Mail2),
#RECORD_CONN(4),
==================================

Aleph One wrote:
> This vulnerability in Firewall-1 has been made public by CheckPoint
> but hasn't been well publicized.
>
> Most of this information is taken verbatim from the CheckPoint web page
> on this issue. You can find this page at
> http://www.checkpoint.com/techsupport/config/keywords.html
>
> Summary:
>
> If you use one of several reserved keywords to represent any user defined
> object in a rule the default definition of "ANY" will be used instead.
> This behavior may grant (or deny) access to a greater number of addresses
> or services than expected.
>
> Description:
>
> The following keywords should not be used to represent any user defined
> object in a FireWall-1 installation:
>
>          Short, Long, Account, Alert, SnmpTrap, Mail, UserDefined, spoof,
>          spoofalert, Auth, AuthAlert, Duplicate basewin, serviceswin,
>          netobjwin, viewwin, users, resources, time, true, false, last,
>          first, status_alert, fwalert
>
> If any of these keywords are used to represent either a network or a
> service object and are subsequently used in a security policy, FireWall-1
> will interpret the object definition as "undefined". If no other object is
> used either in the source/destination or service field of the rule, then
> the default address definition of "ANY" is used for that particular field.
>
> Note that in practice only objects in the "tracking" menu of type "alert"
> seem to behave this way. Objects such as "Long", of type "log", do not
> show this behavior.
>
> Example:
>
> If you have a rule that allows SMTP access to a machine called "Mail" on
> your DMZ you are actually giving SMTP access to any machines behind the
> firewall.
>
> Recommendations
>
> If any of these keywords are defined as network objects or service objects
> and used in a rule base, then the object should be renamed and the
> security policy reloaded.
>
> Additional Notes
>
> Mechanisms are being built into future releases of FireWall-1 to prevent
> using these keywords as user defined objects.
>
> Aleph One / aleph1 () dfw net
> http://underground.org/
> KeyID 1024/948FD6B5
> Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01