Published: 2000-02-12 00:00:00
Revised: 2008-09-10 15:03:06

[Original] Check Point Firewall-1 allows remote attackers to bypass port access restrictions on an FTP server by forcing it to send malicious packets that Firewall-1 misinterprets as a valid 227 response to a client's PASV attempt.


        Check Point Firewall-1 is vulnerable. A remote attacker can bypass port access restrictions by forcing the FTP server to send crafted packets that Firewall-1 misinterprets as a valid 227 response to a client's PASV attempt.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: NETWORK [not recorded in the source entry; implied by the 7.5 base score with the metrics above and by the remote attacker in the description]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:checkpoint:firewall-1:4.0    Checkpoint Firewall-1 4.0
cpe:/a:checkpoint:firewall-1:3.0    Checkpoint Firewall-1 3.0

- OVAL (technical details for detection)


- Official database links
(official source) MITRE
(official source) NVD
(official source) CNNVD

- Other links and resources

- Vulnerability information

High severity    Design error
2000-02-12 00:00:00 2006-11-16 00:00:00
        Check Point Firewall-1 is vulnerable. A remote attacker can bypass port access restrictions by forcing the FTP server to send crafted packets that Firewall-1 misinterprets as a valid 227 response to a client's PASV attempt.

- Advisories and patches

        A suitable solution may be to remove handling of PASV FTP. This can be done via the FireWall-1 GUI. In addition, on a properly secured machine running no services other than FTP, this attack has little impact, because the pinhole the firewall opens leads only to ports the attacker could already reach or to nothing at all.
        Users running FW-1 3.0 should upgrade immediately.
        Checkpoint issued the following statement, available at:
        "It has been brought to Check Point's attention that a possible vulnerability exists in the control of PASV (passive) FTP connections through FireWall-1. This was developed in a lab environment and requires a specific set of conditions to have existed, in order to succeed. Check Point has no knowledge of its being used against production environments.
        Summary of vulnerability:
        FireWall-1's parsing of the FTP control connection was manipulated via MTU such that an FTP server PASV port number, as processed by FireWall-1, was associated with the port number of a service with a known security issue (in this case, ToolTalk port vulnerability on an unpatched Solaris 2.6 system). This enabled the client to exploit the server's vulnerability (i.e., an in.ftpd that returned client-controlled data in an error message and running a possibly unnecessary service: ToolTalk) to gain root access on the machine. This vulnerability was reported to BugTraq on Wednesday, February 9th by John MacDonald of DataProtect.
        Minimizing the possible threat:
        - Do not enable PASV FTP if not needed.
        - Use the FTP Security Server or HTTP security server for PASV FTP connections to internal FTP servers.
        - Those running publicly accessible FTP servers should follow good host security practices (e.g., not running additional, possibly unnecessary and vulnerable services, keeping up with OS and/or application patches).
        - For those using stateful inspection of passive FTP, the following patch has been supplied.
        The patch consists of a new $FWDIR/lib/base.def file that includes a fix to the problem (the file is compatible with Firewall-1 4.0 SP-5, other platforms will be released as soon as possible). The fix involves an enforcement on the existence of the newline character at the end of each packet on the FTP control connection; this will close off the described vulnerability. It should be noted that this may cause connectivity problems (i.e., blocked FTP connections) in the following scenarios:
        1. If FTP control messages larger than the MTU (e.g., large PWD) are exchanged.
        2. If some FTP clients/servers do not put a newline at the end of the line.
        3. When passing FWZ encrypted traffic through an intermediate Firewall gateway.
         The enforcement can be easily disabled by commenting the following line in the base.def file (or by restoring the original base.def file):
        #define FTP_ENFORCE_NL"
        Checkpoint made further information available:
         If a FireWall-1 site does inbound PASV FTP access to one or more servers, the following security control options have been made available, in either Service Pack 6 for FireWall-1 4.0 users or Hot Fix 1 for FireWall-1 4.1 Service Pack 1 users:
        o FireWall-1 kernel code change that enforces all "227 PASV" replies are bounded by a ()/n.
        o Inspect code fix as previously posted in Check Point's original response
        o An enhancement to the FTP Security Server that can disallow administrator defined FTP control commands.
        The kernel and Inspect code changes are enabled by default in the Service Pack or Hot Fix. Although highly dependent on the local connectivity requirements and implementation, the following general guidelines for inbound FTP using PASV are recommended by Check Point:
        o For those customers allowing FTP writes to their server AND the FTP server in use implements the STAT command (i.e., cannot be turned off), it is recommended that inbound FTP traffic to that server(s) be directed through the FTP Security Server with the Security Server configured to disallow STAT commands (the default).
        o For those customers allowing FTP reads only, or running writeable FTP servers where the FTP STAT command is disabled: either the kernel/INSPECT options only or in combination with the FTP security server can be used.
        Cisco has made patches available to all customers. The details of these fixes are contained in a Cisco advisory listed under 'Credit'. These fixes are available at
        PIX 5.1 is not susceptible to this problem.
        Check Point Software Firewall-1 4.0

- Vulnerability information

Check Point FireWall-1 FTP PASV Bypass
Remote / Network Access, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

Check Point FireWall-1 contains a flaw that may allow a remote attacker to bypass the declared rules and access protected resources. The issue is due to the stateful inspection of the FTP control connection, which recognises a PASV reply by the "227" code at the start of a packet without checking that the code begins a complete reply line. If an attacker manipulates the FTP session (for example by requesting a file whose name the server echoes in an error message, sized so that the TCP segment boundary falls just before the echoed text) so that the string "227 " occupies the first four bytes of a packet on the FTP control connection, the firewall will open a connection to the host and port named in that packet, even if that port is normally protected.
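The following Python model, added here and not part of the original entry or of Check Point's code, reproduces the mechanism described in this section and in Check Point's summary above: a per-packet inspector that keys on "227 " at the start of a segment, beside a stream-oriented inspector that reassembles lines before deciding whether a 227 reply is genuine. The server address, the 1460-byte segment payload, the fake host/port tuple and the 550 error text are all constructed for the example; the port-number encoding (p1 * 256 + p2) is the one defined for PASV.

```python
import re
from typing import List

# Host/port tuple carried by a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
PASV_TUPLE_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# A complete, well-formed 227 line: code, text, tuple, optional '.', CRLF and nothing else.
PASV_LINE_RE = re.compile(
    r"^227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)\.?\r?\n$")

SERVER_IP = "10.0.0.1"   # constructed: address of the protected FTP server
SEGMENT_PAYLOAD = 1460   # constructed: TCP payload per segment on a 1500-byte MTU path


def pasv_port(p1: str, p2: str) -> int:
    """PASV encodes the data port as two decimal bytes: port = p1 * 256 + p2."""
    return int(p1) * 256 + int(p2)


def naive_inspect(packets: List[bytes]) -> List[int]:
    """Per-packet inspection modelled on the unpatched behaviour the advisory
    describes: any segment whose first four bytes are '227 ' and which carries a
    host/port tuple opens a pinhole to that port, genuine PASV reply or not."""
    opened = []
    for pkt in packets:
        if pkt[:4] == b"227 ":
            m = PASV_TUPLE_RE.search(pkt.decode("latin-1"))
            if m:
                opened.append(pasv_port(m.group(5), m.group(6)))
    return opened


def hardened_inspect(packets: List[bytes], server_ip: str) -> List[int]:
    """Stream-oriented inspection: reassemble the control channel into lines so a
    segment boundary can never turn a mid-line '227 ' into a reply code, accept
    only a complete 227 line whose tuple is followed by CRLF, and (an extra check
    not in the advisory) refuse a tuple naming a host other than the server."""
    opened = []
    buf = b""
    for pkt in packets:
        buf += pkt
        while True:
            nl = buf.find(b"\n")
            if nl < 0:
                break  # partial line: wait for the next segment instead of deciding now
            line, buf = buf[:nl + 1], buf[nl + 1:]
            m = PASV_LINE_RE.match(line.decode("latin-1"))
            if not m:
                continue
            host = ".".join(m.group(i) for i in range(1, 5))
            if host != server_ip:
                continue  # bounce attempt or spoofed host: no pinhole
            opened.append(pasv_port(m.group(5), m.group(6)))
    return opened


def build_attack_packets(segment_payload: int = SEGMENT_PAYLOAD) -> List[bytes]:
    """Constructed attacker traffic. The client asks for a file whose name is padding
    plus a fake PASV tuple; the server's 550 error echoes the name, and the padding
    is sized so the echoed '227 (...)' lands at the start of the second segment."""
    fake_reply = "227 (10,0,0,1,128,195)"   # 128 * 256 + 195 = 32963, attacker's choice
    prefix = "550 "
    filename = "A" * (segment_payload - len(prefix)) + fake_reply
    reply = (prefix + filename + ": No such file or directory\r\n").encode()
    return [reply[i:i + segment_payload] for i in range(0, len(reply), segment_payload)]


# Constructed genuine reply for comparison: data port 4 * 256 + 1 = 1025.
LEGIT_PASV = [b"227 Entering Passive Mode (10,0,0,1,4,1).\r\n"]


if __name__ == "__main__":
    attack = build_attack_packets()
    print("second segment starts with:", attack[1][:24])
    print("naive inspector opens   :", naive_inspect(attack))
    print("hardened inspector opens:", hardened_inspect(attack, SERVER_IP))
    print("hardened on genuine 227 :", hardened_inspect(LEGIT_PASV, SERVER_IP))
```

The reassembling inspector also passes a legitimate reply that is longer than one segment (the large PWD case Check Point lists as a side effect of the shipped base.def newline enforcement), because it waits for the line to complete rather than rejecting a segment that lacks a trailing newline. It assumes the server never echoes a raw LF inside a single reply line; a server that did would need the additional check that a 227 line begins a server turn.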

- Timeline

2000-02-09 Unknown
2000-02-09 Unknown

- Solution

Check Point has released a patch to address this vulnerability (a replacement $FWDIR/lib/base.def for 4.0 SP5, with the kernel and INSPECT changes included in Service Pack 6 for 4.0 and Hot Fix 1 for 4.1 SP1, as described above). Until it is applied, the workarounds are to disable PASV FTP handling where it is not needed and to route inbound PASV FTP to internal servers through the FTP Security Server.

- References

- Credit