Bug in remote GUI access in CheckPoint Firewall

From: adarienat_private
Date: Fri Sep 07 2001 - 18:40:42 PDT


    There is a bug in how the desktop GUI for managing 
     a CheckPoint firewall handles log viewer saves. 
    Regardless of the type of user defined for GUI 
    access, the user can save the file to any 
    directory they wish as well as a few other things. 
    This has been verified from ver. 3.0b through ver. 
    4.1 SP2. The vendor was contacted on 
    January 30, 2001 and responded on February 1, 2001 
    that they were looking into it. They have not 
    responded to any emails sent since then attempting 
    to get status information regarding this 
    bug. I have since then verified that ver. 4.1 SP3 
    also contains the bug.
    
    Below, between the dashed lines, is the contents of 
    the email sent to the vendor:
    
    --------------------------------------------------
    
    Check Point Firewall-1 ver. 3.0b through 4.1 SP2 
    on the Solaris 2.6-2.7 (latest patches) platform
    
    BUG found on 01/26/01 by Alan Darien, 
    SecureTrendz, Inc. 
    
    Product:	Check Point Firewall-1 ver. 3.0b 
    through 4.1 SP2
    Platform:	Sun Microsystems Ultra-2
    Operating System:	Solaris 2.6 and Solaris 
    2.7 with latest patches
    
    I have found a bug that exists in all versions of 
    Check Point Firewall. I have verified it in ver. 
    3.0b, ver. 4.0 and ver. 4.1 with SP2.  The bug is 
    local to the firewalled workstation.
    
    Description:
    As a remote administrative user with write 
    privileges of the Firewall using the remote 
    GUI-client Log Viewer application, I can cause 
    potential DoS actions.
    
    I can create and overwrite any file anywhere on 
    the system except the active log file (fw.log). 
    Under Firewall ver. 3.0b and ver. 4.0, I can also 
    do this with Monitor, Read-Only and User-Edit 
    privileges. I must log onto the GUI with a given 
    user id but the process is actually run as the 
    root user on the firewalled system.
    
    Examples:
    
    1. As a firewall administrator with no login 
    access to the firewall management station (which 
    can be the same as the firewall server), I can use 
    the GUI-client to create or overwrite a file by 
    launching the Log Viewer and saving my selection 
    under File->Save As. I am not prevented from 
    inputting a saved location such as: /etc/shadow. 
    Nor am I prompted that the file may already exist 
    and do I want to overwrite it IF I save to a 
    directory other than /etc/fw/log. In the above 
    case, a file will be created on the firewall 
    management station as /etc/shadow.log. NOTE: The 
    ".log" extension is automatically appended to the 
    saved file. Because of this, I can corrupt certain 
    log files (i.e. vold.log, I know…BFD!) and any 
    other log files that may have been defined by the 
    system administrative team that end in ".log". 
    This assumes that I know of those files. 
    
    a) Launch the firewall GUI-client and open the Log 
    viewer.
    b) Save the selection (can narrow the selection if 
    you wish) as /var/adm/vold
    c) Now see that I have created (or overwritten) a 
    /var/adm/vold.log file, with a file of type "data"
    d) By doing the above with a large log file, a 
    smaller filesystem can be filled up as well
    e) Or I can overwrite exported log files as well
    
    
    As I will show in the next example, it can get 
    worse.
    
    2. As a firewall administrator with non-root login 
    access to the firewall management station (which 
    can be the same as the firewall server), I can use 
    the GUI-client to create or overwrite a file by 
    launching the Log Viewer and saving my selection 
    under File->Save As. Again, I am not prompted that 
    the file exists if I save to another directory 
    than /etc/fw/log. Now it gets worse. As a user 
    with non-root login access I can go to /tmp and 
    create a link file such as:
    a) ln -s /.rhosts /tmp/trythis.log
    b) Launch the firewall GUI-client and open the Log 
    viewer.
    c) Save the selection (can narrow the selection if 
    you wish) as /tmp/trythis
    d) Now see that I have created a /.rhosts file, 
    albeit a file of type "data"
    e) Now create another link: ln -s /etc/shadow 
    /tmp/trythis.log
    f) Repeat steps b-c
    g) Now see that I have overwritten the /etc/shadow 
    file with data, can we say DoS to system 
    administrators
    
    The system administrators are forced to boot to 
    CD-Rom and fix the password files. 
    
    Fixes:
    1. Prevent the use of "/" absolute directory input 
    in the File-> Save As option. This forces all 
    saves to the default location only. This is 
    actually what you do for saves from the Policy 
    Editor, so you already have the code for checking 
    for this in-house. 
    2. Prevent the ability to overwrite any existing 
    files. At the least there should always be a 
    prompt if the file already exists and this will 
    prevent files from being overwritten as well as 
    any link files that may already exist.
    3. Upgrade to ver. 4.1 SP2 and only give Firewall 
    GUI access to administrators who also have 
    superuser access to the firewalled operating 
    system. 
    
    --------------------------------------------------
    
    As I mentioned above, ver. 4.1 SP3 also contains 
    the bug. So upgrading won't fix it BUT is still 
    good to do to stay current.
    
      -  Alan Darien
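    The symlink attack of example 2 and the two fixes proposed in the 
    "Fixes" section, as an added demonstration that is not part of Alan 
    Darien's post and not Check Point's code. It assumes nothing about 
    Firewall-1 internals: naive_save models the behaviour the post 
    describes (a caller-chosen path, ".log" appended, a truncating open 
    that follows symlinks), safe_save models fixes 1 and 2 with a 
    bare-name check plus O_CREAT|O_EXCL|O_NOFOLLOW, and the fake shadow 
    file, the /tmp/fw1demo.* directory names and the log content are all 
    constructed for the demo. It needs a POSIX system with a writable /tmp.

```c
#define _GNU_SOURCE             /* symlink() and O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { SAVE_OK = 0, SAVE_BAD_NAME = 1, SAVE_EXISTS = 2, SAVE_IO = 3 };

/* Behaviour as the post describes it: any caller-supplied path, ".log" appended,
 * opened for writing and truncated. fopen("w") follows a symlink planted at <path>.log. */
static int naive_save(const char *path, const char *data)
{
    char full[512];
    if (snprintf(full, sizeof full, "%s.log", path) >= (int)sizeof full) return SAVE_BAD_NAME;
    FILE *f = fopen(full, "w");
    if (f == NULL) return SAVE_IO;
    fputs(data, f);
    fclose(f);
    return SAVE_OK;
}

/* Hardened save implementing the post's fixes 1 and 2: a bare file name confined to
 * logdir, and nothing already present at the target (file or symlink) is replaced. */
static int safe_save(const char *logdir, const char *name, const char *data)
{
    char full[512];
    if (name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return SAVE_BAD_NAME;
    if (snprintf(full, sizeof full, "%s/%s.log", logdir, name) >= (int)sizeof full)
        return SAVE_BAD_NAME;
    /* O_EXCL: fail if anything (even a dangling symlink) is already there.
     * O_NOFOLLOW: never write through a symlink in the final component.
     * SAVE_EXISTS is returned so a GUI client can prompt instead of clobbering. */
    int fd = open(full, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return (errno == EEXIST || errno == ELOOP) ? SAVE_EXISTS : SAVE_IO;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return (n == (ssize_t)strlen(data)) ? SAVE_OK : SAVE_IO;
}

/* Constructed test-bed for example 2: a fake shadow file and <dir>/trythis.log -> it. */
static const char VICTIM_DATA[] = "root:$1$constructed$hash:11000::::::\n";

static int make_scenario(char *dir, size_t dsz, char *victim, size_t vsz)
{
    static int seq = 0;
    char link[256];
    snprintf(dir, dsz, "/tmp/fw1demo.%ld.%d", (long)getpid(), seq++);
    snprintf(victim, vsz, "%s/shadow", dir);
    snprintf(link, sizeof link, "%s/trythis.log", dir);
    if (mkdir(dir, 0700) != 0) return -1;
    FILE *f = fopen(victim, "w");
    if (f == NULL) return -1;
    fputs(VICTIM_DATA, f);
    fclose(f);
    return symlink(victim, link);           /* ln -s <victim> <dir>/trythis.log */
}
static int read_small(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    buf[fread(buf, 1, n - 1, f)] = '\0';
    fclose(f);
    return 0;
}
static void cleanup(const char *dir, const char *victim)
{
    char link[256];
    snprintf(link, sizeof link, "%s/trythis.log", dir);
    unlink(link); unlink(victim); rmdir(dir);
}

/* 1 if the naive save destroyed the fake shadow file through the link. */
static int demo_naive_overwrites_via_symlink(void)
{
    char dir[128], victim[192], target[192], buf[128];
    if (make_scenario(dir, sizeof dir, victim, sizeof victim) != 0) return -1;
    snprintf(target, sizeof target, "%s/trythis", dir);   /* what the GUI user types */
    int rc = naive_save(target, "fw log export\n");
    int hit = rc == SAVE_OK && read_small(victim, buf, sizeof buf) == 0 &&
              strcmp(buf, "fw log export\n") == 0;
    cleanup(dir, victim);
    return hit;
}
/* safe_save's result for the same link; -1 if the fake shadow was touched anyway. */
static int demo_safe_refuses_symlink(void)
{
    char dir[128], victim[192], buf[128];
    if (make_scenario(dir, sizeof dir, victim, sizeof victim) != 0) return -1;
    int rc = safe_save(dir, "trythis", "fw log export\n");
    int intact = read_small(victim, buf, sizeof buf) == 0 && strcmp(buf, VICTIM_DATA) == 0;
    cleanup(dir, victim);
    return intact ? rc : -1;
}
int main(void)
{
    printf("naive save via symlink clobbers shadow: %d\n", demo_naive_overwrites_via_symlink());
    printf("safe_save on the same link (SAVE_EXISTS=2): %d\n", demo_safe_refuses_symlink());
    return 0;
}
```

    The link is created inside a private 0700 directory rather than 
    directly in /tmp so that Linux's protected_symlinks sysctl does not 
    mask the naive result; on the Solaris box of the post no such 
    protection existed. Note that O_EXCL alone already defeats the 
    pre-planted link, since a symlink counts as an existing entry; 
    O_NOFOLLOW is kept as a second line of defence for an open that 
    does not use O_CREAT.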
    



    This archive was generated by hypermail 2b30 : Sat Sep 08 2001 - 00:57:42 PDT