[15680] in bugtraq


Re: CheckPoint FW1 BUG (fwd)

daemon@ATHENA.MIT.EDU (Ben Greenbaum)
Fri Jul 7 15:57:45 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Message-Id:  <Pine.GSO.4.21.0007070909001.16655-100000@mail>
Date:         Fri, 7 Jul 2000 09:15:33 -0700
Reply-To: Ben Greenbaum <bgreenbaum@SECURITYFOCUS.COM>
From: Ben Greenbaum <bgreenbaum@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit

Forwarded to Bugtraq with permission of the author. Checkpoint has been
notified by Mr. Vazquez.

Can anyone else replicate this?

Ben Greenbaum
Director of Site Content
Security Focus
http://www.securityfocus.com


---------- Forwarded message ----------
Date: Fri, 7 Jul 2000 12:20:17 +0200
From: hugov <Hugo.Vazquez@add.es>
Subject: RE: CheckPoint FW1 BUG

Dear Sirs,

I think I have found a bug in CheckPoint Firewall-1.
That's what I have noticed:

If you flood port 264 (FW1_topo) from your local network, the Firewall-1
CPU reaches 100% and nobody can connect with the GUI (not even on the
firewall itself).

The test has been done on a local 10 MB Ethernet against a PII 266 256 MB,
FW1 4.1 SP1 on NT 4.0 SP4, with the ippacket software and spoofing the
source IP, and that's the packet sent:

destination IP    : Firewall (external interface)
source IP         : non-existent IP (on local net)
source port       : 1000
destination port  : 264
data              : qwertyuiop1010101010
number of packets : -1 (continuous mode)

Due to the importance of this port (264) in SecuRemote, etc., I think
it would be interesting to investigate how much this attack could endanger
the system (memory) and communications (SMTP, VPN, SecuRemote...).

I have not tested from the Internet.

Sincerely,


--
Hugo Vázquez Caramés
Departamento Técnico de Sistemas
Seguridad Corporativa - Grupo ADD
mailto:Hugo.Vazquez@add.es
Tel. +34.93.580.25.00
Fax. +34.93.580.28.93
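
A defender-side sketch for spotting the traffic pattern described in the forwarded report (an added example, not part of the original post and not Check Point code): a sliding-window counter on packets sent to port 264 on the firewall, which also flags senders on the local net that are absent from a host inventory. The log line format, addresses, window, threshold and inventory are all constructed assumptions.

```python
from collections import deque
from ipaddress import ip_address, ip_network

FW1_TOPO_PORT = 264   # port named in the report
WINDOW_S = 1.0        # assumed sliding window, in seconds
THRESHOLD = 100       # assumed packets per window before alerting

# Constructed inventory of the local segment (documentation address range).
LOCAL_NET = ip_network("192.0.2.0/24")
KNOWN_HOSTS = {ip_address("192.0.2.10"), ip_address("192.0.2.20")}

def parse(line):
    """Parse one constructed log line: 'ts src sport dst dport'."""
    ts, src, sport, dst, dport = line.split()
    return float(ts), ip_address(src), int(sport), ip_address(dst), int(dport)

def detect(lines, firewall_ip, window=WINDOW_S, threshold=THRESHOLD):
    """Return one (ts, src, reason) alert per source flooding firewall_ip:264."""
    fw = ip_address(firewall_ip)
    recent = {}       # src -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ts, src, _sport, dst, dport = parse(line)
        if dst != fw or dport != FW1_TOPO_PORT:
            continue
        q = recent.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            # A local-net address with no inventory entry matches the
            # "non-existent IP on local net" source used in the report.
            unknown = src in LOCAL_NET and src not in KNOWN_HOSTS
            reason = "flood from unknown local source" if unknown else "flood"
            alerts.append((ts, str(src), reason))
    return alerts

def sample_log():
    """Constructed sample: one high-rate sender plus a normal client."""
    flood = [f"{i * 0.001:.3f} 192.0.2.77 1000 192.0.2.1 264" for i in range(500)]
    normal = [f"{1.0 + i:.3f} 192.0.2.10 40000 192.0.2.1 264" for i in range(5)]
    return flood + normal

if __name__ == "__main__":
    for alert in detect(sample_log(), "192.0.2.1"):
        print(alert)
```
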
