Re: Check Point response to RDP Bypass

From: Jochen Bauer (jtb@inside-security.de)
Date: Wed Jul 11 2001 - 11:45:11 PDT


On Wed, Jul 11, 2001 at 11:41:23AM +0200, Johan Lindqvist wrote:
> The original advisory
> (http://www.inside-security.de/advisories/fw1_rdp.html) says that a
> workaround is to "Deactivate implied rules in the Check Point policy editor
> (and build your own rules for management connections).". I've not been able
> to find any changes in the INSPECT code generated to confirm that not using
> the implied rules from "Policy/properties/Security policy/Implied
> rules/Accept VPN-1 & FireWall-1 Control Connection"
    
Hmm.. strange. I cannot reproduce this. Here's the test I carried out:

I set up a policy with all implied rules; the policy file w_control.W
is attached to this mail. From this policy the INSPECT file w_control.pf
was generated (also attached). The relevant part of this file is:

[...]
#define REVERSE_UDP 1
#include "code.def"
accept_fw1_connections;  <-----
accept_proxied_conns;
enable_radius_queries;
enable_tacacs_queries;
[...]

accept_fw1_connections is defined in $FWDIR/lib/base.def:

#define accept_fw1_connections accept_fw1_connections1 accept_fw1_connections2
        accept_fw1_connections3

and the macro "accept_fw1_connections3" includes "accept_fw1_rdp", which is
the flawed macro.

#define accept_fw1_connections3
        [...]
        accept_fw1_rdp;

So, the RDP vulnerability finally comes into the INSPECT
file "w_control.pf" with the macro "accept_fw1_connections".

However, if I go to the policy editor and uncheck policy->properties->
Security Policy->Implied Rules->VPN-1 & FireWall-1 Control Connections and
re-compile the policy (wo_control.W, see attachment), I get an INSPECT file
(wo_control.pf, see attachment) that does not make use of
"accept_fw1_connections" and therefore does not lead to this vulnerability.

I've also tested this with our proof of concept code. (BTW: I'm going to
post this code tomorrow on BUGTRAQ.)

Can you post the policy and INSPECT files you generated?

Jochen
--
Jochen Bauer                        |    Tel: +49711 6868 7030
Inside Security IT Consulting GmbH  |    Fax: +49711 6868 7031
Nobelstr. 15                        |    email: jtb@inside-security.de
70569 Stuttgart, Germany            |    http://www.inside-security.de
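The check Jochen performs by hand above (follow the top-level calls in the compiled .pf through the base.def macro definitions until accept_fw1_rdp is or is not reached) can be automated so an administrator can confirm, from the generated files alone, whether the "Control Connections" implied rule still pulls the RDP macro into a policy. The script below is an added example, not code from the thread or from Check Point. The base.def excerpt and the two .pf fragments are constructed for the example: the macro names are the ones quoted in the mail, but the exact line layout, the intermediate macro bodies and the use of backslash line continuation are assumptions, and the real base.def is far larger.

```python
"""Trace whether a compiled INSPECT policy (.pf) reaches accept_fw1_rdp
through macro expansion, mirroring the manual check in the mail above.
All sample inputs below are constructed for this example."""
import re

# Constructed, much-simplified stand-in for $FWDIR/lib/base.def.
# Macro names follow the thread; bodies and layout are assumptions.
SAMPLE_BASE_DEF = r"""
#define accept_fw1_connections accept_fw1_connections1 \
        accept_fw1_connections2 accept_fw1_connections3
#define accept_fw1_connections1 accept_fw1_log;
#define accept_fw1_connections2 accept_fw1_mgmt;
#define accept_fw1_connections3 accept_fw1_cpd; \
        accept_fw1_rdp;
#define accept_fw1_rdp accept_rdp_udp_259;
"""

# Constructed .pf fragments: policy compiled with the implied control-connection
# rule (as in w_control.pf) and without it (as in wo_control.pf).
WITH_CONTROL_PF = """
#define REVERSE_UDP 1
#include "code.def"
accept_fw1_connections;
accept_proxied_conns;
enable_radius_queries;
"""
WITHOUT_CONTROL_PF = """
#define REVERSE_UDP 1
#include "code.def"
accept_proxied_conns;
enable_radius_queries;
"""

DEFINE_RE = re.compile(r"^#define\s+(\w+)\s*(.*)$")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")


def parse_defines(text):
    """Return {macro_name: [identifiers in its body]}, joining '\\'-continued lines."""
    joined = re.sub(r"\\\s*\n", " ", text)
    defs = {}
    for line in joined.splitlines():
        m = DEFINE_RE.match(line.strip())
        if m:
            defs[m.group(1)] = IDENT_RE.findall(m.group(2))
    return defs


def top_level_calls(pf_text):
    """Identifiers invoked at the top level of a .pf; preprocessor lines are skipped."""
    calls = []
    for line in pf_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        calls.extend(IDENT_RE.findall(s))
    return calls


def find_path(defs, start, target, seen=None):
    """Depth-first walk through macro bodies; return the expansion chain
    start -> ... -> target, or None if target is never reached."""
    if start == target:
        return [start]
    if seen is None:
        seen = set()
    if start in seen or start not in defs:
        return None
    seen.add(start)
    for child in defs[start]:
        path = find_path(defs, child, target, seen)
        if path:
            return [start] + path
    return None


def rdp_macro_chain(pf_text, base_def_text=SAMPLE_BASE_DEF, target="accept_fw1_rdp"):
    """First chain from a top-level .pf call down to the target macro, or None."""
    defs = parse_defines(base_def_text)
    for call in top_level_calls(pf_text):
        path = find_path(defs, call, target)
        if path:
            return path
    return None


if __name__ == "__main__":
    for name, pf in (("w_control.pf", WITH_CONTROL_PF),
                     ("wo_control.pf", WITHOUT_CONTROL_PF)):
        chain = rdp_macro_chain(pf)
        print(name, "->", " -> ".join(chain) if chain else "accept_fw1_rdp not reached")
```

Run against real files by reading $FWDIR/lib/base.def and the generated .pf into the two arguments of rdp_macro_chain; a printed chain means the policy still expands to the RDP macro, while None is the result one expects after the implied rule has been unchecked and the policy recompiled.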

This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 16:33:53 PDT