FW-1 RDP Vulnerability Proof of Concept Code

From: Jochen Bauer (jtb@inside-security.de)
Date: Fri Jul 13 2001 - 08:49:00 PDT


    As announced earlier this week, we hereby post the proof of concept 
    code for the FireWall-1 RDP Bypass Vulnerability. We think it doesn't
    make sense to withhold it any longer for the following reasons.
    
    1.) This is no "Script-Kiddie" exploit; it will not provide anyone
        with a means to instantly break into foreign hosts.
    
    2.) Any cracker with decent skills and access to a Firewall-1 
        machine for testing purposes will in the meantime have 
        developed his/her own code to make use of this vulnerability.
    
    3.) Patches and workarounds have been provided by Checkpoint and
        others. This proof of concept code will aid administrators in
        testing their systems and the patches/workarounds they applied.  
    
    
    Some technical notes:
    
    There has been some confusion about the term "RDP". There is actually
    a protocol called "RDP (Reliable Datagram Protocol)" described in
    RFC 908, which is directly based on the IP protocol. However, this is
    not the same as the proprietary "Checkpoint RDP protocol".
    
    The Checkpoint RDP protocol is basically a UDP service on port 259;
    the packets for this service therefore have the following structure:
    
                          #######################
                          #     IP Header       #
                          #######################
                          #    UDP Header       #
                          #######################
                          #    RDP Header       #
                          #######################
                          #      Payload        #
                          #######################
      
    The RDP header simply consists of:
                          
                      bit 0                    31
                          ######################
                          #  RDP Magic Number  #
                          ###################### 
                          #    RDP Command     #
                          ######################
    
    or, expressed in C:

    struct rdp_hdr
    {
        unsigned int rdp_magic;  /* RDP Magic Number */
        unsigned int rdp_cmd;    /* RDP Command */
    } rdp_head;
    
    The value of the RDP Magic Number has turned out to be irrelevant for
    our purposes. The numbers of those RDP commands that will be permitted
    to pass the firewall without further processing follow straight from
    the INSPECT include file $FWDIR/crypt.def.
    
    In our code, we construct packets including IP and UDP header to allow
    testing with arbitrary (spoofed) source IP addresses and ports.
     
    This code has been written and tested on SuSE Linux 7.1 with
    kernel 2.4.2. It should (possibly with minor changes) compile on
    any other Linux platform.
    
    Jochen
    
    -- 
    Jochen Bauer                        |    Tel: +49711 6868 7030 
    Inside Security IT Consulting GmbH  |    Fax: +49711 6868 7031
    Nobelstr. 15                        |    email: jtb@inside-security.de
    70569 Stuttgart, Germany            |    http://www.inside-security.de
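As an added illustration, not part of Jochen's post or of the proof of concept code, the following C program decodes a raw IPv4/UDP datagram addressed to port 259 into the two RDP header fields described above, so that an administrator reviewing a packet capture can see which RDP command each datagram carries and compare it against the pass-through command numbers taken from $FWDIR/crypt.def. Those command numbers are not reproduced on this page, so the allow-list in the example is a placeholder for the reader to fill in; the constructed sample packet, its addresses and ports, and the network-byte-order reading of the two header words are assumptions of the example (the post does not state the byte order the PoC used).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RDP_UDP_PORT 259      /* destination port of the Checkpoint RDP service */
#define IPPROTO_UDP_NUM 17

/* The RDP header from the post, with fixed-width types. */
struct rdp_hdr {
    uint32_t rdp_magic;
    uint32_t rdp_cmd;
};

/* Fields of interest from one decoded datagram. */
struct rdp_view {
    uint16_t src_port;
    uint16_t dst_port;
    uint32_t magic;
    uint32_t cmd;
};

static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/*
 * Decode pkt (len bytes, starting at the IPv4 header). Returns 1 and fills
 * *out when the packet is a UDP datagram to port 259 carrying a complete
 * RDP header; returns 0 for anything else, including truncated packets.
 * Assumption of this example: both header words are read in network byte order.
 */
int parse_rdp(const uint8_t *pkt, size_t len, struct rdp_view *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return 0;           /* need the full UDP header */
    if (pkt[9] != IPPROTO_UDP_NUM) return 0;

    const uint8_t *udp = pkt + ihl;
    uint16_t sport = (uint16_t)(udp[0] << 8 | udp[1]);
    uint16_t dport = (uint16_t)(udp[2] << 8 | udp[3]);
    uint16_t ulen  = (uint16_t)(udp[4] << 8 | udp[5]);
    if (dport != RDP_UDP_PORT) return 0;
    if (ulen < 8 + sizeof(struct rdp_hdr) || len < ihl + ulen) return 0;

    const uint8_t *rdp = udp + 8;
    out->src_port = sport;
    out->dst_port = dport;
    out->magic = get32(rdp);
    out->cmd   = get32(rdp + 4);
    return 1;
}

/* 1 if cmd is one of the n pass-through command numbers in set, else 0. */
int rdp_cmd_in_set(uint32_t cmd, const uint32_t *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == cmd) return 1;
    return 0;
}

/*
 * Build a constructed IPv4/UDP/RDP datagram in buf for offline testing.
 * Addresses 10.0.0.1 -> 10.0.0.2 and source port 1234 are made up; the IP
 * and UDP checksums are left zero because parse_rdp does not validate them.
 * Returns the packet length, or 0 if buf is too small.
 */
size_t build_sample_packet(uint8_t *buf, size_t cap, uint16_t dport,
                           uint32_t magic, uint32_t cmd)
{
    const size_t total = 20 + 8 + sizeof(struct rdp_hdr);
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                                   /* IPv4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64;                                     /* TTL */
    buf[9] = IPPROTO_UDP_NUM;
    buf[12] = 10; buf[15] = 1;                       /* src 10.0.0.1 */
    buf[16] = 10; buf[19] = 2;                       /* dst 10.0.0.2 */
    uint8_t *udp = buf + 20;
    udp[0] = 0x04; udp[1] = 0xd2;                    /* src port 1234 */
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)dport;
    udp[5] = (uint8_t)(8 + sizeof(struct rdp_hdr));  /* UDP length 16 */
    put32(udp + 8, magic);
    put32(udp + 12, cmd);
    return total;
}

int main(void)
{
    /* PLACEHOLDER: replace with the command numbers from $FWDIR/crypt.def. */
    const uint32_t passthrough[] = { 1u, 2u };
    uint8_t buf[64];
    size_t n = build_sample_packet(buf, sizeof buf, RDP_UDP_PORT, 0x11111111u, 2u);
    struct rdp_view v;
    if (parse_rdp(buf, n, &v))
        printf("UDP %u->%u magic=0x%08x cmd=%u %s\n",
               (unsigned)v.src_port, (unsigned)v.dst_port, v.magic, v.cmd,
               rdp_cmd_in_set(v.cmd, passthrough, 2) ? "(pass-through command, inspect)"
                                                      : "(not a pass-through command)");
    return 0;
}
```

Fed with the datagrams from a capture taken in front of the firewall, parse_rdp/rdp_cmd_in_set give a quick way to check whether traffic that matches the pass-through rule is reaching the firewall, and, after applying the patch or workaround, whether such traffic is still being passed to the inside.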
    This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 16:56:45 PDT