Bugtraq mailing list archives
Firewall-1 Session Agent, DOS and password thief
From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Fri, 4 Aug 2000 22:04:55 GMT
hi, after the great revelations at the Las Vegas Black Hat about many security vulnerabilities in Firewall-1, I was looking at this little module I use in my company, called "authentication session agent". We use it all over the corporate network to allow only some privileged users to go out to the Internet. This agent is installed on the Windows 9.x/NT box and just listens on port 261 for a connection from a firewall module. When a user wishes to surf the web or use any other outside service, the firewall intercepts the request and three-way handshakes the agent to get some authentication information: user + pass.

There are at least two vulnerabilities in the agent:

1- Denial of service: when a connection is already established with the agent, no other connection can be carried anymore, leading to a denial of service, and if one day some malicious users decide to type something like:

#telnet target 261

the user of the target wouldn't be able to get the requester asking him for his password.... too bad... no more authentication, no more outside connection.

2- More seriously, for compatibility reasons the agent shows a checkbox that permits our user to send his password in cleartext, because firewall modules 4.0 and below don't know how to do encryption. It's not only possible to sniff this password on the network segment but, much more interesting, it's really trivial to ask the user agent to give it to us ;)

example:

#nc target 261
220 FW-1 fake session authentication
331 User:
-> he answers with his username
331 *FireWall-1 p4ssw0rd pleazzz:
-> if he's an idiot, he'll take that for a real fw prompt and u'll get back his password, else just change the message ;)
200 User has now a clone, c3rb3r
230 OK

Note that this exploit is interactive: when u send 331 User:, it appears straight away on the victim's screen and so u should have to wait for his answer. It's even possible to use the session agent like a funny chat with a Checkpoint logo on the top right ;) try it...
Solutions: for the DOS, wait for Checkpoint's reply, but for the password weakness always use encryption (if you have a firewall module 4.1, naturally) and use the IP wrapper incorporated into the agent, which is not effective by default.

That was my small contribution to Checkpoint's black list.

OOpsss: agent 4.1 was tested on a Win95 box.

Have a nice day
Greg

===================================================
Gregory Duchemin // security engineer
NEUROCOM CANADA
1001 Bd Maisonneuve
Montreal Quebec CANADA
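As an added defender-side example (not part of Greg's post or of Checkpoint's software), a small Python check over constructed connection records to TCP/261 that flags the two conditions the post describes: sessions from hosts other than the firewall module (the allow-list the agent's IP wrapper setting is meant to enforce) and sessions held open long enough to block the real firewall. The firewall address, the record format and the 120-second threshold are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed: the only hosts that should ever connect to a session agent on TCP/261
# are the firewall modules themselves (what the agent's "IP wrapper" enforces).
FIREWALL_MODULES = [ipaddress.ip_network("10.0.0.1/32")]
AGENT_PORT = 261
MAX_SESSION_SECONDS = 120  # assumed: longer than any real auth exchange

# Constructed sample records (not real traffic): src,dst,dport,duration_seconds
SAMPLE_LOG = """\
10.0.0.1,10.1.2.3,261,4
10.1.5.9,10.1.2.3,261,900
10.1.5.9,10.1.2.4,261,30
10.0.0.1,10.1.2.5,80,2
"""

@dataclass
class Finding:
    src: str
    dst: str
    reason: str  # "unexpected_source" or "long_session"

def is_firewall_module(src, allowed=FIREWALL_MODULES):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)

def check_agent_connections(log_text, allowed=FIREWALL_MODULES,
                            max_seconds=MAX_SESSION_SECONDS):
    """Flag connections to the session agent port that match the fake-prompt
    (password theft) or held-open (denial of service) cases."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, duration = line.split(",")
        if int(dport) != AGENT_PORT:
            continue  # not session-agent traffic
        if not is_firewall_module(src, allowed):
            # Anyone but the firewall can push arbitrary 331 prompts to the user
            findings.append(Finding(src, dst, "unexpected_source"))
        if int(duration) > max_seconds:
            # The agent serves one connection at a time; a held session blocks auth
            findings.append(Finding(src, dst, "long_session"))
    return findings

if __name__ == "__main__":
    for f in check_agent_connections(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{AGENT_PORT} {f.reason}")
```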
Current thread:
- Firewall-1 Session Agent, DOS and password thief gregory duchemin (Aug 07)
- Re: Firewall-1 Session Agent, DOS and password thief Dug Song (Aug 07)
- <Possible follow-ups>
- Re: Firewall-1 Session Agent, DOS and password thief gregory duchemin (Aug 08)