On Wed, Jul 11, 2001 at 11:41:23AM +0200, Johan Lindqvist wrote:
> The original advisory
> (http://www.inside-security.de/advisories/fw1_rdp.html) says that a
> workaround is to "Deactivate implied rules in the Check Point policy editor
> (and build your own rules for management connections).". I've not been able
> to find any changes in the INSPECT code generated to confirm that not using
> the implied rules from "Policy/properties/Security policy/Implied
> rules/Accept VPN-1 & FireWall-1 Control Connection"

Hmm... strange. I cannot reproduce this. Here's the test I carried out:

I set up a policy with all implied rules; the policy file w_control.W is
attached to this mail. From this policy the INSPECT file w_control.pf was
generated (also attached). The relevant part of this file is:

[...]
#define REVERSE_UDP 1
#include "code.def"
accept_fw1_connections;        <-----
accept_proxied_conns;
enable_radius_queries;
enable_tacacs_queries;
[...]

accept_fw1_connections is defined in $FWDIR/lib/base.def:

#define accept_fw1_connections accept_fw1_connections1 accept_fw1_connections2 accept_fw1_connections3

and the macro "accept_fw1_connections3" includes "accept_fw1_rdp", which is
the flawed macro:

#define accept_fw1_connections3
[...]
accept_fw1_rdp;

So, the RDP vulnerability finally comes into the INSPECT file "w_control.pf"
with the macro "accept_fw1_connections".

However, if I go to the policy editor and uncheck
Policy->Properties->Security Policy->Implied Rules->VPN-1 & FireWall-1 Control Connections
and re-compile the policy (wo_control.W, see attachment), I get an INSPECT
file (wo_control.pf, see attachment) that does not make use of
"accept_fw1_connections" and does therefore not lead to this vulnerability.

I've also tested this with our proof of concept code. (BTW: I'm going to post
this code tomorrow on BUGTRAQ.)

Can you post the policy and INSPECT files you generated?
Jochen

--
Jochen Bauer                        | Tel: +49711 6868 7030
Inside Security IT Consulting GmbH  | Fax: +49711 6868 7031
Nobelstr. 15                        | email: jtb@inside-security.de
70569 Stuttgart, Germany            | http://www.inside-security.de
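The check Johan was after, as an added example that is not part of the original posting or of Check Point's tooling: given a compiled INSPECT policy (.pf) and the #define lines of base.def, follow the macro bodies and report the expansion chain by which accept_fw1_rdp ends up in the policy. The macro names accept_fw1_connections, accept_fw1_connections1..3, accept_fw1_rdp and the top-level calls in the .pf excerpts are taken from the mail above; the sample file contents below are constructed and abbreviated (the placeholder_* names are invented stand-ins, and the real $FWDIR/lib/base.def is far larger), so run it against your own base.def and generated .pf files.

```python
"""Trace whether a compiled FireWall-1 INSPECT policy transitively pulls in
accept_fw1_rdp by expanding #define macros from base.def.

Added example, not code from the original mail or from Check Point.
"""
import re

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed stand-in for the relevant #define lines of $FWDIR/lib/base.def.
# Only the macro names taken from the mail are real; placeholder_* is invented.
SAMPLE_BASE_DEF = """
#define accept_fw1_connections accept_fw1_connections1 \\
    accept_fw1_connections2 accept_fw1_connections3
#define accept_fw1_connections1 placeholder_rule_a;
#define accept_fw1_connections2 placeholder_rule_b;
#define accept_fw1_connections3 placeholder_rule_c; accept_fw1_rdp;
#define accept_fw1_rdp placeholder_rdp_body;
"""

# Constructed excerpts modelled on the w_control.pf / wo_control.pf fragments
# quoted in the mail (policy compiled with / without the implied control rules).
SAMPLE_PF_WITH_CONTROL = """
#define REVERSE_UDP 1
#include "code.def"
accept_fw1_connections;
accept_proxied_conns;
enable_radius_queries;
enable_tacacs_queries;
"""

SAMPLE_PF_WITHOUT_CONTROL = """
#define REVERSE_UDP 1
#include "code.def"
accept_proxied_conns;
enable_radius_queries;
enable_tacacs_queries;
"""


def parse_defines(def_text):
    """Collect '#define NAME BODY' lines (joining backslash continuations)
    into a dict mapping macro name -> body text."""
    defines = {}
    joined = def_text.replace("\\\n", " ")
    for line in joined.splitlines():
        m = re.match(r"\s*#\s*define\s+([A-Za-z_]\w*)\s*(.*)$", line)
        if m:
            defines[m.group(1)] = m.group(2)
    return defines


def find_chain(start, target, defines, seen=None):
    """Depth-first walk through macro bodies. Returns the list of macro names
    from start down to target, or None if target is never reached."""
    if seen is None:
        seen = set()
    if start == target:
        return [start]
    if start in seen or start not in defines:
        return None
    seen.add(start)
    for tok in IDENT.findall(defines[start]):
        chain = find_chain(tok, target, defines, seen)
        if chain:
            return [start] + chain
    return None


def policy_rdp_chain(pf_text, defines, target="accept_fw1_rdp"):
    """Scan the top-level macro calls of a compiled .pf (skipping preprocessor
    lines) and return the first expansion chain reaching target, else None."""
    for line in pf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for tok in IDENT.findall(stripped):
            chain = find_chain(tok, target, defines)
            if chain:
                return chain
    return None


if __name__ == "__main__":
    defs = parse_defines(SAMPLE_BASE_DEF)
    for label, pf in (("with implied control rules", SAMPLE_PF_WITH_CONTROL),
                      ("without implied control rules", SAMPLE_PF_WITHOUT_CONTROL)):
        chain = policy_rdp_chain(pf, defs)
        if chain:
            print(f"{label}: accept_fw1_rdp reached via " + " -> ".join(chain))
        else:
            print(f"{label}: accept_fw1_rdp not referenced")
```

To use it on a real installation, read $FWDIR/lib/base.def into parse_defines and the generated .pf into policy_rdp_chain; a non-None chain means the control-connection implied rule (and with it the RDP macro) is still compiled into the policy, which is exactly the condition the workaround is meant to remove.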
This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 16:33:53 PDT