Full Disclosure mailing list archives
Re: Check Point FW-1 NG FP3 & FP3 HF1: DoS attack against syslog daemon possible
From: "Dr. Peter Bieringer" <pbieringer () aerasec de>
Date: Wed, 26 Mar 2003 19:55:21 +0100
Hi again,

regarding some statements and personal e-mails to me about a) which versions are affected and b) "we have no FP3, but a running 'syslog' process", I've double-checked this here in our lab and can confirm Check Point's advisory "Prior to the release of NG FP3 HF2" for some more cases:

Check Point FW-1 since NG FP3:
------------------------------
The syslog daemon is a dedicated binary "$FWDIR/bin/syslog"
Vulnerable for remote crash (FP3, FP3 HF1)
Vulnerable unfiltered escape sequences (FP3, FP3 HF1, FP3 HF2)

Check Point FW-1 NG up to FP2:
------------------------------
The syslog daemon is included in the "$FWDIR/bin/fw" binary by using "$FWDIR/lib/libfw1.so"
Vulnerable for remote crash (FP2)
Vulnerable unfiltered escape sequences (FP2)

Other NG versions below FP2 are currently not tested by us, but according to Check Point's advisory they are also vulnerable.

Note: in the process table you will also see "syslog 514 all", a "ghost" program which didn't exist before FP3, but that's only the command line arguments. A dig into /proc/$pid-of-syslog shows that "fw" is the real executed binary.

Check Point FW-1 4.1:
---------------------
The syslog daemon is included in the "$FWDIR/bin/fw" binary without using any other Check Point specific library.

We are currently also investigating the 2 issues here.

Hope this helps. We've also already updated our advisory:
http://www.aerasec.de/security/advisories/txt/checkpoint-fw1-ng-fp3-syslog-crash.txt
http://www.aerasec.de/security/advisories/checkpoint-fw1-ng-fp3-syslog-crash.html

Sorry for causing some confusion.

Peter

--
Dr. Peter Bieringer                          Phone:    +49-8102-895190
AERAsec Network Services and Security GmbH   Fax:      +49-8102-895199
Wagenberger Straße 1                         Mobile:   +49-174-9015046
D-85662 Hohenbrunn                           E-Mail:   pbieringer () aerasec de
Germany                                      Internet: http://www.aerasec.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
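The second issue in the message above, unfiltered escape sequences, is a generic log-hygiene problem: a syslog receiver that stores or displays message bodies verbatim lets a remote sender put terminal control sequences (or a forged second line) in front of whoever reads the log on a terminal. The following is an added illustration, not code from the post, from AERAsec or from Check Point: a small BSD-syslog (RFC 3164) line handler that splits off the PRI header, flags any C0/C1 control characters in the body, and rewrites them into a visible \xNN form before the line reaches a viewer. The sample lines are constructed for this example and do not reproduce whatever input crashed the Check Point daemon.

```python
import re

# Constructed sample lines in BSD syslog (RFC 3164) form (not taken from the advisory).
# <13> is PRI = facility 1 (user) * 8 + severity 5 (notice).
SAMPLE_LINES = [
    "<13>Mar 26 19:55:21 fw1 kernel: link up on eth0",
    "<13>Mar 26 19:55:22 fw1 app: \x1b[2J\x1b[H screen cleared by ESC sequence",
    "<13>Mar 26 19:55:23 fw1 app: \x1b]0;new title\x07 OSC title change",
    "<13>Mar 26 19:55:24 fw1 app: \x9b31m 8-bit C1 CSI",
    "<13>Mar 26 19:55:25 fw1 app: first line\nMar 26 19:55:25 fw1 sshd: forged line",
]

# Anything a terminal could interpret: C0 controls except TAB, DEL and the C1 range.
# Newline is included so one message cannot forge a second log line.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f\x80-\x9f]")


def parse_pri(line):
    """Split the <PRI> header off; returns ((facility, severity), rest) or (None, line)."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.DOTALL)
    if not m or int(m.group(1)) > 191:
        return None, line
    pri = int(m.group(1))
    return (pri // 8, pri % 8), m.group(2)


def contains_control(text):
    """True if the text carries any character a terminal would act on."""
    return _CONTROL_RE.search(text) is not None


def sanitize(text):
    """Replace every control character with its visible \\xNN form."""
    return _CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)


def process(lines):
    """Return one record per input line: parsed PRI, a flag, and a terminal-safe body."""
    records = []
    for raw in lines:
        pri, msg = parse_pri(raw)
        records.append({
            "pri": pri,
            "flagged": contains_control(msg),
            "safe": sanitize(msg),
        })
    return records


if __name__ == "__main__":
    for rec in process(SAMPLE_LINES):
        tag = "ALERT" if rec["flagged"] else "ok   "
        print(tag, rec["pri"], rec["safe"])
```

The "flagged" field is what a detection rule would key on: a burst of control characters in message bodies from one source host is worth an alert on its own, independent of whether the receiving daemon survives them. Escaping rather than dropping the bytes keeps the evidence in the stored log.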
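The note above about the "ghost" syslog entry (a command line that reads "syslog 514 all" while the executing binary is really "fw") is the kind of thing an administrator wants to verify rather than take from the process table. The following is an added example, not from the post or from Check Point, of the procfs check the message refers to: it reads /proc/<pid>/cmdline for the advertised argv and resolves /proc/<pid>/exe for the binary actually mapped. It assumes a Linux procfs; the function names are this example's own, and the inspect_self() helper exists only so the same logic can be exercised on the running interpreter.

```python
import os


def real_executable(pid):
    """Path of the binary actually mapped for pid, via /proc/<pid>/exe.

    Returns None on systems without /proc, or when the process is gone or unreadable.
    """
    try:
        return os.readlink("/proc/%d/exe" % pid)
    except OSError:
        return None


def command_line(pid):
    """argv of pid as a list (from /proc/<pid>/cmdline), or None if unreadable."""
    try:
        with open("/proc/%d/cmdline" % pid, "rb") as f:
            raw = f.read()
    except OSError:
        return None
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]


def find_by_argv0(name):
    """(pid, argv, exe) for every process whose argv[0] basename equals name.

    A process advertising itself as "syslog" whose exe resolves to .../fw is the
    embedded daemon described for NG up to FP2; a dedicated $FWDIR/bin/syslog
    is the FP3-style one. Returns [] where /proc is unavailable.
    """
    hits = []
    try:
        entries = os.listdir("/proc")
    except OSError:
        return hits
    for entry in entries:
        if not entry.isdigit():
            continue
        pid = int(entry)
        argv = command_line(pid)
        if argv and os.path.basename(argv[0]) == name:
            hits.append((pid, argv, real_executable(pid)))
    return hits


def inspect_self():
    """Run the same check against this interpreter so the code is testable anywhere."""
    pid = os.getpid()
    return {"pid": pid, "argv": command_line(pid), "exe": real_executable(pid)}


if __name__ == "__main__":
    for pid, argv, exe in find_by_argv0("syslog"):
        print(pid, " ".join(argv), "->", exe)
    print(inspect_self())
```

Run it as root on the firewall host to see every process that calls itself "syslog" together with the executable behind it; the argv string is writable by the program itself, the exe link is not.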
Current thread:
- Check Point FW-1 NG FP3 & FP3 HF1: DoS attack against syslog daemon possible Dr. Peter Bieringer (Mar 21)
- Re: Check Point FW-1 NG FP3 & FP3 HF1: DoS attack against syslog daemon possible Dr. Peter Bieringer (Mar 26)
- Re: Check Point FW-1: attack against syslog daemon possible Dr. Peter Bieringer (Mar 27)
- Re: Check Point FW-1 NG FP3 & FP3 HF1: DoS attack against syslog daemon possible Dr. Peter Bieringer (Mar 26)