From: olaf.hahn at qsc.de (Olaf Hahn)
Subject: Several remotely exploitable format string vulnerabilities can lead
 to Checkpoint Firewall-1 compromise

Internet Security Systems Security Advisory
February 4, 2004

Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities
 
Synopsis:

ISS X-Force has discovered a flaw in the HTTP Application Intelligence
component of Firewall-1. Application Intelligence is a relatively recent
addition to the Firewall-1 product line and functions as an application
proxy between untrusted networks and network servers for the purpose of
detecting and preventing potential attacks. The vulnerabilities also exist
within the HTTP Security Server application proxy that ships with all
versions of Firewall-1 (including those prior to Application Intelligence
releases). The affected components contain several remotely exploitable
format string vulnerabilities.

Impact:

If HTTP Application Intelligence is enabled or the HTTP Security Server is
used, a remote unauthenticated attacker may exploit one of these
vulnerabilities and execute commands under the security context of the
super-user, usually "SYSTEM", or "root". This attack may lead to direct
compromise of the Firewall-1 server.

Remote attackers may leverage this attack to successfully compromise heavily
hardened networks by modifying or tampering with the firewall rules and
configuration. 

Affected Versions:

Checkpoint Firewall-1 NG-AI R55, R54, including SSL hotfix
Checkpoint Firewall-1 HTTP Security Server included with NG FP1, FP2, FP3
Checkpoint Firewall-1 HTTP Security Server included with 4.1

Description:

The Firewall-1 NG HTTP Application Intelligence (AI) component is an
application proxy technology designed to prevent potential attacks or
detect protocol anomalies targeted at servers behind the firewall. The
HTTP Security Server provides similar capabilities and may also hand off
traffic to third party content filtering applications or perform
additional analysis such as authentication or header rewriting. AI
supports several widely-used protocols, including HTTP, and is recommended
for use by Checkpoint. The HTTP portion of AI and the HTTP Security Server
share a similar code-base and contain remotely exploitable flaws that may
lead to full compromise of Firewall-1 servers.

Several format string vulnerabilities manifest when validating HTTP
requests. When various invalid portions of the request are specified, an
error message is generated in which a user may partially specify the
format string to an sprintf() call. One notable example is when an invalid
scheme is given in the URI. By providing format string specifiers, an
attacker may corrupt memory and execute arbitrary code with super-user
privileges. In addition, with the correct format string specifiers this
vulnerability may be exploited as a traditional heap overflow,leading to
similar results.

Unsuccessful exploit attempts will disrupt all established HTTP sessions
and stop Web traffic momentarily. Exploitation of this vulnerability on
some platforms is non-trivial due to character and length restrictions
placed on requests, but X-Force has developed a functional exploit for
this issue and reliable remote code execution is possible.

Checkpoint has released an update to address this issue. The update is
available at the following address:
http://www.checkpoint.com/techsupport/alerts/index.html

-- 


Mit freundlichen Gr?ssen 

Olaf Hahn 
Datennetzdienste/Security 
QSC AG 

Mathias-Br?ggen-Str. 55 
50829 K?ln 
Phone: +49 221 6698-443 
Fax: +49 221 6698-409 
E-Mail: olaf.hahn@....de
Internet: http://www.qsc.de

************************************
Paranoid zu sein heisst nicht, dass 
nicht doch jemand hinter einem steht
************************************

Powered by blists - more mailing lists