When you use IKE instead of Checkpoint's FWZ with SecureRemote or SecureClient, it is possible to use a password or certificates to protect your topology download.

Jan

----
With regards
Jan H. van Gils
Internet web-page        http://www.Knoware.NL/users/janvg/
Internet e-mail address  JanVGat_private
RIPE Whois JHG5-RIPE, 6BONE Whois JHG1-6BONE

-----Original Message-----
From: vuln-dev-return-429-janvg=knoware.nlat_private [mailto:vuln-dev-return-429-janvg=knoware.nlat_private] On Behalf Of Jim Becher
Sent: Wednesday, July 18, 2001 5:32
To: Haroon Meer; vuln-devat_private
Subject: RE: Firewall-1 Information leak

As long as we are sharing information leakage stuff for Firewall-1...

I wrote something back in 1998 (I think) that would retrieve the interfaces off of a Firewall-1, and write them to a file called ints.<IP address>. I have updated it for v4.1. I believe it will retrieve all the interfaces even if topology downloads are restricted to authenticated requests.

If any part of the code is well-written, that's the part I ripped from someone else's code. If any part of the code sucks, that's mine. ;)

Anyway, the code is located at: www.becher.net/~jim/getints.c.

-bech

-----Original Message-----
From: Haroon Meer [mailto:haroonat_private]
Sent: Tuesday, July 17, 2001 8:25 PM
To: vuln-devat_private
Subject: Firewall-1 Information leak

Hi.

Checkpoint Firewall-1 makes use of a piece of software called SecureRemote to create encrypted sessions between users and FW-1 modules. Before remote users are able to communicate with internal hosts, a network topology of the protected network is downloaded to the client. While newer versions of the FW-1 software have the ability to restrict these downloads to only authenticated sessions, the default setting allows unauthenticated requests to be honoured.

This gives a potential attacker a wealth of information, including IP addresses, network masks (and even friendly descriptions).

The attached file will connect to the firewall and download the topology (if SecureRemote is running). (It is a tiny perl file, which needs only Socket, so it avoids the hassle of having to install the SecureRemote client <or booting windows> to test a Firewall-1.)

--snip--
SensePost# perl sr.pl firewall.victim.com
Testing on port 256
:val (
    :reply (
        : (-SensePost-dotcom-.hal9000-19.3.167.186
            :type (gateway)
            :is_fwz (true)
            :is_isakmp (true)
            :certificates ()
            :uencapport (2746)
            :fwver (4.1)
            :ipaddr (19.3.167.186)
            :ipmask (255.255.255.255)
            :resolve_multiple_interfaces ()
            :ifaddrs (
                : (16.3.167.186)
                : (12.20.240.1)
                : (16.3.170.1)
                : (29.203.37.97)
            )
            :firewall (installed)
            :location (external)
            :keyloc (remote)
            :userc_crypt_ver (1)
            :keymanager (
                :type (refobj)
                :refname ("#_-SensePost-dotcom-")
            )
            :name (-SensePost-dotcom-Neo16.3.167.189)
            :type (gateway)
            :ipaddr (172.29.0.1)
            :ipmask (255.255.255.255)
        )
--snip--

Haroon Meer
+27 837866637
haroonat_private
http://www.sensepost.com
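The reply shown in Haroon's post is Check Point's nested ":key (value)" set format, and the information-leak point is what falls out of it once parsed: gateway names, interface addresses, masks, and which key-exchange methods (FWZ, ISAKMP) the module accepts. The following is an added example, not the sr.pl from the post and not Check Point code: a small parser for that format plus a walker that pulls the gateway details out of the tree. It works on an already captured reply (the text above, embedded below with the --snip-- markers removed and the truncated :val/:reply parens left unclosed); the wire request that sr.pl sends is not shown on the page and is not reproduced here.

```python
"""Parse a SecureRemote topology reply (Check Point ':key (value)' set format)
into a tree and summarise the gateways it leaks. Added example, not the post's sr.pl."""
import re
from dataclasses import dataclass, field
from typing import Any, Optional

# Tokens: a paren, a double-quoted string, or a run of non-space/non-paren chars.
_TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')


@dataclass
class Node:
    # One parenthesised object: optional leading name plus ordered (key, value) pairs.
    name: Optional[str] = None
    attrs: list = field(default_factory=list)

    def get(self, key: str, default: Any = None) -> Any:
        return next((v for k, v in self.attrs if k == key), default)

    def get_all(self, key: str) -> list:
        return [v for k, v in self.attrs if k == key]


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


class _Parser:
    def __init__(self, text: str):
        self.toks = _TOKEN_RE.findall(text)
        self.pos = 0

    def _peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def entries(self, node: Node) -> None:
        # Read ':key value' pairs until ')' or end of input. Stopping quietly at end of
        # input is deliberate: captures get --snip--ped, so unclosed parens must not lose data.
        while (tok := self._peek()) is not None and tok != ')':
            if not tok.startswith(':'):
                raise ValueError(f"expected ':key', got {tok!r}")
            self.pos += 1
            node.attrs.append((tok[1:], self.value()))

    def value(self) -> Any:
        tok = self._peek()
        if tok is None:
            return None                      # truncated input
        self.pos += 1
        if tok != '(':
            return _unquote(tok)             # bare atom
        node = Node()
        nxt = self._peek()
        if nxt is not None and nxt not in ('(', ')') and not nxt.startswith(':'):
            node.name = _unquote(nxt)        # '(objname :attr (v) ...)'
            self.pos += 1
        self.entries(node)
        if self._peek() == ')':
            self.pos += 1
        # '(gateway)' collapses to the string 'gateway'; '()' becomes None.
        return node if node.attrs else node.name


def parse(text: str) -> Node:
    root = Node()
    _Parser(text).entries(root)
    return root


def gateways(node: Any) -> list:
    """Walk the tree and summarise every object whose :type is gateway."""
    found = []
    if isinstance(node, Node):
        if node.get("type") == "gateway":
            ifaddrs = node.get("ifaddrs")    # list of anonymous ': (addr)' entries
            found.append({
                "name": node.name,
                "ipaddr": node.get("ipaddr"),
                "fwver": node.get("fwver"),
                "is_fwz": node.get("is_fwz") == "true",
                "is_isakmp": node.get("is_isakmp") == "true",
                "ifaddrs": ifaddrs.get_all("") if isinstance(ifaddrs, Node) else [],
            })
        for _, v in node.attrs:
            found.extend(gateways(v))
    return found


# The reply captured in the post above, --snip-- markers removed, outer parens left
# unclosed exactly as captured so the truncation path is exercised.
SAMPLE_REPLY = """
:val ( :reply ( : (-SensePost-dotcom-.hal9000-19.3.167.186 :type (gateway)
 :is_fwz (true) :is_isakmp (true) :certificates () :uencapport (2746)
 :fwver (4.1) :ipaddr (19.3.167.186) :ipmask (255.255.255.255)
 :resolve_multiple_interfaces ()
 :ifaddrs ( : (16.3.167.186) : (12.20.240.1) : (16.3.170.1) : (29.203.37.97) )
 :firewall (installed) :location (external) :keyloc (remote) :userc_crypt_ver (1)
 :keymanager ( :type (refobj) :refname ("#_-SensePost-dotcom-") )
 :name (-SensePost-dotcom-Neo16.3.167.189) :type (gateway)
 :ipaddr (172.29.0.1) :ipmask (255.255.255.255) )
"""

if __name__ == "__main__":
    for gw in gateways(parse(SAMPLE_REPLY)):
        print(f"{gw['name']}: fwver={gw['fwver']} fwz={gw['is_fwz']} "
              f"isakmp={gw['is_isakmp']} ifaddrs={', '.join(gw['ifaddrs'])}")
```

Running it against the captured reply reports the hal9000 gateway with FW-1 4.1, both FWZ and ISAKMP enabled, and its four interface addresses. The parser is tolerant on purpose: a real capture is rarely complete, so end of input closes any open object rather than discarding what was read, while a non-key token where a key is expected still raises, so a wrong port or a non-SecureRemote banner does not silently parse as an empty topology.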
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 15:42:22 PDT