Re: Check Point R55W Directory Traversal



On Mon, 24 Jul 2006, Sec-Tec Lists wrote:

> Check Point Firewall-1 R55W contains a hard coded web server, which runs on
> TCP port 18264. This server is there to deal with PKI requirements for Check
> Point's VPN functionality.
>
> During a routine penetration test of a client, Sec-Tec discovered a
> directory traversal vulnerability that allows a potential attacker to
> retrieve files from the underlying OS.
>
> This issue is potentially serious for a number of reasons:
>
> 1. Check Point's "rule zero" will often by default allow access to this port
> for external IP addresses.
>
> 2. It would currently seem that there are few restrictions as to what files
> can be retrieved via this mechanism (Sec-Tec were able to obtain the
> underlying OS' account repository).
>
> Exploit
>
> The issue can be exploited via a web browser using typical hex encoded
> directory traversal strings.
>
> Affected Version(s):
>
> Check Point R55W
> Check Point R55W HFA1
> Check Point R55W HFA2
>
> (Confirmed on Windows 2003 Server platform, other platforms may be
> affected.)
>
> Current Status
>
> Check Point have confirmed that this issue was corrected in R55W HFA03.
> However, Sec-Tec have been unable to find any publicly available references
> to this issue, either within Check Point's knowledge base or HFA03 release
> notes.

This issue was found and fixed a while ago as I just learned from Check
Point:

This vulnerability was published on BugTraq. It was discovered in the past
and fixed. The following sentence was added to Release Notes: "HTTP
protocol inspection has been enhanced."
The following versions and later are not vulnerable:

NG AI R54 HFA_414
NG AI R55 HFA_12
NG AI R55W HFA_3
NGX R60
NGX R60A
NGX R61
VSX NG AI HFA_02
VSX NGX
Interspect 2.0
Interspect NGX
Connectra 2.0
Connectra NGX R60
Connectra NGX R61

Regards,
Hugo.

-- 
        I hate duplicates. Just reply to the relevant mailinglist.
        hvdkooij@xxxxxxxxxxxxxxx                http://hvdkooij.xs4all.nl/
                Don't meddle in the affairs of magicians,
                for they are subtle and quick to anger.
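
The quoted advisory describes hex-encoded directory traversal requests against the PKI web server on TCP port 18264. The following is an added detection example, not part of the original messages and not Check Point code: it decodes request paths the way a server might and flags any that contain a `..` segment. The log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: how many nested encoding layers to unwrap
# Hypothetical log layout: "<src-ip> <dst-port> <method> <raw-request-path>"
LOG_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")

def normalize_path(raw_path):
    """Drop the query string, percent-decode until stable, unify separators."""
    path = raw_path.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # The advisory was confirmed on Windows, where "\" also separates segments.
    return path.replace("\\", "/")

def is_traversal(raw_path):
    """True when any decoded path segment is exactly '..'."""
    return ".." in normalize_path(raw_path).split("/")

def flag_requests(lines, port=18264):
    """Return (source, raw path) for traversal attempts sent to `port`."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        src, dport, _method, path = m.groups()
        if int(dport) == port and is_traversal(path):
            hits.append((src, path))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder file names).
SAMPLE_LOG = [
    "192.0.2.10 18264 GET /index.html",
    "198.51.100.7 18264 GET /%2e%2e/%2e%2e/placeholder.txt",
    "198.51.100.7 18264 GET /%252e%252e%255c%252e%252e%255cplaceholder.txt",
    "203.0.113.5 18264 GET /docs/release..notes.txt",
    "198.51.100.9 443 GET /%2e%2e/placeholder.txt",
]

if __name__ == "__main__":
    for src, path in flag_requests(SAMPLE_LOG):
        print(f"traversal attempt from {src}: {path}")
```

Matching on decoded segments rather than on the raw string catches single and double encoding and backslash separators, while a file name that merely contains two dots is not flagged.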