Date: Thu, 25 Mar 2004 03:20:07 +0200
From: "Andreas Constantinides (MegaHz)" <megahz@...ahz.org>
To: bugtraq@...urityfocus.com
Cc: SJames@...fense.com
Subject: Check Point SmartDashboard Buffer Overflow


MegaHz Security Advisory
19/03/2004

Check Point SmartDashboard Buffer Overflow
Summary
===================

	The Check Point SmartView Tracker, which is the log viewer for Check
Point FireWall-1, is suffering from buffer overflow vulnerabilities in
various of its fields.

Systems Affected
===================

	This vulnerability exists in Check Point NG AI R54/R55,
	and maybe in other versions too.


Details
===================

The vulnerability:
	Open Check Point SmartView Tracker and construct a filter on any
column.
	Filter that column by a 30000-character string.
	When you add that filter and the Tracker starts to filter the logs, it
stops and pops up a message "Server is disconnected!"
	When you click OK, all the open Check Point management GUIs
(SmartDashboard, SmartView Tracker, SmartView Monitor etc.) are
automatically closed.
	If you have made any changes to your firewall policy, it pops up
another message that no changes will be saved.

What was not checked:
	The case in which more than one SmartView Tracker window is open
on different machines, connected to the same SmartCenter, and one of
them exploits this vulnerability. Are all the clients going to be
disconnected?

	The Details column also suffers from this vulnerability. What if
someone is attacking a web server using a manual 30000-character HTTP
address request? The SmartDefense of the firewall will block it (as a
normal long request). But what is going to show in the Details column?
If it shows the whole string, is it going to show it, or disconnect you
every time you try to view it? (This is an extreme scenario, but it
probably could happen.)
	

Solution
===================

    The vendor has been informed.

===================
===================

	Discovered by: Andreas Constantinides (MegaHz)
	My email: megahz@...ahz.org
	My web page: www.megahz.org
