Message-ID: <Pine.LNX.4.58.0607311240210.11016@gandalf.hugo.vanderkooij.org>
Date: Mon, 31 Jul 2006 12:41:02 +0200 (CEST)
From: Hugo van der Kooij <hvdkooij@...derkooij.org>
To: bugtraq@...urityfocus.com
Subject: Re: Check Point R55W Directory Traversal
On Mon, 24 Jul 2006, Sec-Tec Lists wrote:
> Check Point Firewall-1 R55W contains a hard coded web server, which runs on
> TCP port 18264. This server is there to deal with PKI requirements for Check
> Point's VPN functionality.
>
> During a routine penetration test of a client, Sec-Tec discovered a
> directory traversal vulnerability that allows a potential attacker to
> retrieve files from the underlying OS.
>
> This issue is potentially serious for a number of reasons:
>
> 1. Check Point's "rule zero" will often by default allow access to this port
> for external IP addresses.
>
> 2. It would currently seem that there are few restrictions as to what files
> can be retrieved via this mechanism (Sec-Tec were able to obtain the
> underlying OS' account repository).
>
> Exploit
>
> The issue can be exploited via a web browser using typical hex encoded
> directory traversal strings.
>
> Affected Version(s):
>
> Check Point R55W
> Check Point R55W HFA1
> Check Point R55W HFA2
>
> (Confirmed on Windows 2003 Server platform, other platforms may be
> affected.)
>
> Current Status
>
> Check Point have confirmed that this issue was corrected in R55W HFA03.
> However, Sec-Tec have been unable to find any publicly available references
> to this issue, either within Check Point's knowledge base or HFA03 release
> notes.

This issue was found and fixed a while ago as I just learned from Check
Point:

This vulnerability was published on BugTraq. It was discovered in the past
and fixed. The following sentence was added to Release Notes: "HTTP
protocol inspection has been enhanced."

The following versions and later are not vulnerable:
NG AI R54 HFA_414
NG AI R55 HFA_12
NG AI R55W HFA_3
NGX R60
NGX R60A
NGX R61
VSX NG AI HFA_02
VSX NGX
Interspect 2.0
Interspect NGX
Connectra 2.0
Connectra NGX R60
Connectra NGX R61
Regards,
Hugo.
--
I hate duplicates. Just reply to the relevant mailinglist.
hvdkooij@...derkooij.org http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of magicians,
for they are subtle and quick to anger.
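
Added example, not part of the original message or of any Check Point tooling: a log check for the "hex encoded directory traversal strings" the quoted advisory mentions, limited to requests sent to TCP port 18264. The record layout (`source dest_port method target`), the function names and the sample lines are assumptions constructed for illustration.

```python
from urllib.parse import unquote

ICA_PORT = 18264        # port named in the advisory
MAX_DECODE_ROUNDS = 3   # assumption: enough to unwrap double/triple encoding

def _segments(path):
    # Treat backslash as a separator too: the advisory was confirmed on Windows.
    return path.replace("\\", "/").split("/")

def classify(target):
    """Return 'clean', 'traversal' or 'encoded-traversal' for a request target."""
    raw = target.split("?", 1)[0]          # inspect the path, not the query
    decoded = raw
    for _ in range(MAX_DECODE_ROUNDS):     # percent-decode until stable
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if ".." not in _segments(decoded):
        return "clean"
    # A dot-dot segment visible only after decoding suggests deliberate evasion.
    return "traversal" if ".." in _segments(raw) else "encoded-traversal"

def scan(lines, port=ICA_PORT):
    """Return (source, target, verdict) for suspicious requests sent to `port`."""
    hits = []
    for line in lines:
        src, dport, _method, target = line.split(None, 3)
        if int(dport) != port:
            continue
        verdict = classify(target)
        if verdict != "clean":
            hits.append((src, target, verdict))
    return hits

# Constructed sample records: "source dest_port method target"
SAMPLE = [
    "192.0.2.10 18264 GET /index.html",
    "198.51.100.7 18264 GET /%2e%2e/%2e%2e/file.txt",
    "198.51.100.7 18264 GET /%252e%252e%255cfile.txt",
    "192.0.2.44 18264 GET /docs/v1..2/notes.html",
    "203.0.113.5 443 GET /%2e%2e/file.txt",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Comparing path segments after repeated decoding avoids flagging names that merely contain two dots, such as `v1..2`, while still catching double-encoded separators.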