CERT Advisory CA-2001-17
Robert Starliper
tim at starlipers.com
Mon Jul 9 23:31:44 EDT 2001
Liam, Et. Al -
There is an update to this notice - here is a post from Inside
Security I just read on Bugtraq....
---------------------------------------------------Begin Forwarded
Message----------------------------------------------------------
Urgent! There is a slight mistake in Revision 1.2 of this
advisory. RDP is proprietary protocol used by CheckPoint
and therefore not described by RFC908, this RFC describes
a different protocol unfortunately also called "RDP".
Here is the corrected version:
FOR PUBLIC RELEASE
------------------------------------------------------------------------
Inside Security GmbH Vulnerability Notification
Revision 1.3 2001-07-09
------------------------------------------------------------------------
The latest version of this document is available at
http://www.inside-security.de/advisories/fw1_rdp.html
-----------------------------------------------
Check Point FireWall-1 RDP Bypass Vulnerability
-----------------------------------------------
Summary:
It is possible to bypass FireWall-1 with faked RDP packets
if the default implied rules are being used.
RDP (Reliable Data Protocol, but not the one specified in RFC 908,
a Check Point proprietary one) is used by FireWall-1 on top of the
User Datagram Protocol (UDP) to establish encrypted sessions.
FireWall-1 management rules allow arbitrary eitherbound RDP
connections
to traverse the firewall. Only the destination port (259) and the RDP
command are verified by FireWall-1. By adding a faked RDP header to
normal
UDP traffic any content can be passed to port 259 on any remote host
on
either side of the firewall.
Implied rules can't be easily modified or removed (except all
together)
with the FireWall-1 policy editor.
Impact:
Given access to hosts on both sides of a firewall a tunnel to bypass
the firewall could be built using this vulnerability. Such access
could be gained with a trojan horse that uses this vulnerability to
connect from the inside back to the machine of the attacker. But also
arbitrary connections from the outside to machines behind the firewall
(even if they are supposedly totally blocked from the in- and outside
by the firewall) can be established, for example to communicate with
infiltrated programs like viruses.
Affected systems:
Check Point VPN-1(TM) & FireWall-1(R) Version 4.1
Releases tested:
Build 41439 [VPN + DES]
Build 41439 [VPN + DES + STRONG]
Build 41716 [VPN + DES + STRONG] (SP2)
Vendor status:
The vulnerability has been reported to Check Point and a fix is
scheduled for today. We want to thank Check Point Software
Technologies
for their quick reaction.
Detailed description:
As FireWall-1 rulesets are created they are translated into the
INSPECT
language (similar to C) and by default include the file
$FWDIR/lib/base.def
which itself includes $FWDIR/lib/crypt.def in line 259. Together they
define
protocol names and the so called implied rules (for FireWall-1
management).
In line 62 the macro accept_fw1_rdp is defined to accept any
eitherbound
connection that matches the following characteristics:
- Protocol UDP
- Destination port 259 (RDP)
- RDP Command RDPCRYPTCMD (100), RDPCRYPT_RESTARTCMD (101),
RDPUSERCMD (150) or RDPSTATUSCMD (128).
The RDP command types RDPCRYPT = {RDPCRYPTCMD,RDPUSERCMD,RDPSTATUSCMD}
and RDPCRYPT_RESTART = {RDPCRYPT_RESTARTCMD} will permit traversal of
faked RDP packets (regardless of the value of NO_ENCRYPTION_FEATURES,
undefined by default).
Proof of concept code:
Proof of concept code has been submitted to Check Point. We are
planning
to make this code publicly available within a few days.
Suggested workarounds:
- Comment line 2646 of crypt.def ( accept_fw1_rdp; )
- Deactivate implied rules in the Check Point policy editor (and build
your own rules for management connections).
- Block UDP traffic to port 259 on your perimeter router.
Credits:
This vulnerability was found and documented by Jochen Thomas Bauer
<jtb at inside-security.de> and Boris Wesslowski <bw at inside-security.de>
of Inside Security GmbH, Stuttgart, Germany.
------------------------------------------------------------------------
(C) 2001 Inside Security GmbH
This notice may be redistributed freely provided that redistributed
copies
are complete and unmodified, and include all date and version
information.
ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES,
INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR IMPLIED WARRANTY OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY
DISCLAIMED
AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL INSIDE SECURITY GMBH BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF
LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION
CONTAINED IN THIS SECURITY BULLETIN, EVEN IF INSIDE SECURITY GMBH HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
If any of the above provisions are held to be in violation of applicable
law, void, or unenforceable in any jurisdiction, then such provisions
are
waived to the extent necessary for this disclaimer to be otherwise
enforceable in such jurisdiction.
------------------------------------------------------------------------
VPN is sponsored by SecurityFocus.com
More information about the VPN
mailing list