Date: Mon, 31 Jul 2006 12:41:02 +0200 (CEST)
From: Hugo van der Kooij <hvdkooij@...derkooij.org>
To: bugtraq@...urityfocus.com
Subject: Re: Check Point R55W Directory Traversal

On Mon, 24 Jul 2006, Sec-Tec Lists wrote:

> Check Point Firewall-1 R55W contains a hard coded web server, which runs on
> TCP port 18264. This server is there to deal with PKI requirements for Check
> Point's VPN functionality.
>
> During a routine penetration test of a client, Sec-Tec discovered a
> directory traversal vulnerability that allows a potential attacker to
> retrieve files from the underlying OS.
>
> This issue is potentially serious for a number of reasons:
>
> 1. Check Point's "rule zero" will often by default allow access to this port
> for external IP addresses.
>
> 2. It would currently seem that there are few restrictions as to what files
> can be retrieved via this mechanism (Sec-Tec were able to obtain the
> underlying OS' account repository).
>
> Exploit
>
> The issue can be exploited via a web browser using typical hex encoded
> directory traversal strings.
>
> Affected Version(s):
>
> Check Point R55W
> Check Point R55W HFA1
> Check Point R55W HFA2
>
> (Confirmed on Windows 2003 Server platform, other platforms may be
> affected.)
>
> Current Status
>
> Check Point have confirmed that this issue was corrected in R55W HFA03.
> However, Sec-Tec have been unable to find any publicly available references
> to this issue, either within Check Point's knowledge base or HFA03 release
> notes.

This issue was found and fixed a while ago as I just learned from Check
Point:

This vulnerability was published on BugTraq. It was discovered in the past
and fixed. The following sentence was added to Release Notes: "HTTP
protocol inspection has been enhanced."
The following versions and later are not vulnerable:

NG AI R54 HFA_414
NG AI R55 HFA_12
NG AI R55W HFA_3
NGX R60
NGX R60A
NGX R61
VSX NG AI HFA_02
VSX NGX
Interspect 2.0
Interspect NGX
Connectra 2.0
Connectra NGX R60
Connectra NGX R61

Regards,
Hugo.

-- 
	I hate duplicates. Just reply to the relevant mailinglist.
	hvdkooij@...derkooij.org		http://hvdkooij.xs4all.nl/
		Don't meddle in the affairs of magicians,
		for they are subtle and quick to anger.
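As an added example (not part of Hugo's or Sec-Tec's message, and not Check Point code), here is the kind of defender-side check a web front end needs in order to catch the "hex encoded directory traversal strings" the advisory refers to: the requested path is percent-decoded until stable (so double encoding does not slip through), backslashes are treated as separators, and the result is normalised before asking whether it climbs out of the document root. The request lines, the `/cert/` prefix and the file names are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote


def canonical_path(raw: str, max_rounds: int = 3) -> str:
    """Return the request path with percent-encoding removed and '.'/'..'
    segments collapsed. Decoding is repeated until it stops changing, so
    %252e (which decodes to %2e, then to '.') is handled as well."""
    path = raw.split("?", 1)[0]            # the query string is not a path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")         # on Windows '\' is a separator too
    # normpath on a *relative* path keeps any leading '..' segments, which is
    # exactly the evidence that the request escapes the document root.
    return posixpath.normpath(path.lstrip("/"))


def escapes_docroot(raw: str) -> bool:
    """True when the canonicalised path points above the document root."""
    norm = canonical_path(raw)
    return norm == ".." or norm.startswith("../")


def scan_requests(lines):
    """Return the GET request lines whose target escapes the document root."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "GET":
            continue
        if escapes_docroot(parts[1]):
            hits.append(line)
    return hits


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /cert/ca.crt HTTP/1.0",                                   # benign
    "GET /cert/%2e%2e/%2e%2e/%2e%2e/boot.ini HTTP/1.0",             # hex-encoded '../'
    "GET /cert/%252e%252e%255c%252e%252e%255cwinnt%255cwin.ini HTTP/1.0",  # double-encoded '..\'
    "GET /cert/subdir/../ca.crt HTTP/1.0",                         # '..' that stays inside
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print("traversal:", hit, "->", canonical_path(hit.split()[1]))
```

Note that `normpath` on an absolute path would silently drop a leading `..`, which is why the check works on the path relative to the document root.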
