Check Point SmartDashboard Buffer Overflow
MegaHz Security Advisory
19/03/2004
Check Point SmartDashboard Buffer Overflow
Summary
===================
The Check Point Smartview Tracker which is the log viewer for Check
Point Firewall-1 is suffering from buffer overflow vulnerabilities to
various of its fields.
Systems Affected
===================
This vulnerability exists in Check Point NG AI R54/R55
And maybe other versions too.
Details
===================
The vulnerability:
Open Check Point Smartview Tracker, and construct a filter on any
column.
Filter that column by a 30000 (character size) string.
When you add that filter and the Tracker starts to filter the logs it
stops and popups a message "Server is disconnected!"
When you click on OK then all the open Check Point management gui
(SmartDashboard, Smartview Tracker, Smartview Monitor etc) are
automatically close.
If you have made any changes on your firewall policy then it popups
another message that no changes will be saved.
What was not checked:
The case in which more than one Smartview Tracker windows
are open
on different machines and connected on the same Smartcenter and one of
them exploits this vulnerability. Are all the clients going to be
disconnected.
The details collumn also suffers from this vulnerability. What about if
some one is exploiting a webserver using a manual 30000 character http
address request. The smartdefense of the firewall will block it (as
normal long request). But what is going to show in the details collumn?
If it shows the whole string is it going to show it? or disconnect you
every time you will try to view it? (This is an extreme
scenario but
probably could happen)
Solution
===================
The vendor has been informed.
===================
===================
Discovered by: Andreas Constantinides (MegaHz)
My email: megahz@xxxxxxxxxx
My web page: www.megahz.org