[15809] in bugtraq


Re: CheckPoint FW1 BUG

daemon@ATHENA.MIT.EDU (uh Clem)
Mon Jul 17 15:35:26 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.BSO.4.21.0007141329370.16902-100000@pr0n.newhackcity.net>
Date:         Fri, 14 Jul 2000 13:56:23 -0700
Reply-To: uh Clem <syke@NEWHACKCITY.NET>
From: uh Clem <syke@NEWHACKCITY.NET>
X-To:         Hugo.van.der.Kooij@caiw.nl
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10007142206490.5066-100000@bastion.hugo.vanderkooij.org>

On Fri, 14 Jul 2000 Hugo.van.der.Kooij@caiw.nl wrote:

> The first thing to do is to strip the host the FW-1 software is to be
> installed on. Securing the OS before even starting to install the firewall
> is essential.

When the firewall itself is dependent upon a service being active, this is
somewhat difficult. See below.

> After installation you should secure the FW-1 software from any access to
> the machine you don't explicitly want. Always pay attention to the implied
> rules which can be made visible and should be thoroughly checked.

One of the other things we observed was the extremely poor state of
permissions that Firewall-1's installation leaves things in. As far as I
could tell, there was no option to run the firewall services as an
alternate user besides SYSTEM. Some would argue this is necessary, but it
really isn't; NT provides well-documented APIs for adding specific
privileges to a given user's token. These kinds of mistakes are generally
present in win32 software written by people who haven't bothered to learn
the platform.

> However it is quite unclear why accessing a port would cause a firewall
> process to go to 100%. But FW-1 v4.0 SP4 is NOT certified for NT 4.0 SP6a and it
> is recommended you upgrade to FW-1 v4.0 SP6 asap.

Ports 1030-103x are where registered RPC services are listening, much like
32767-328xx on Solaris. The ports are assigned by the RPC mapper (port 135
on NT, port 111 on Solaris) in the order the RPC services are
started. What I think is happening here is that the firewall-1 service in
question is running as an RPC service (frightening, eh?) and only expects
local connections.

ttyl
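The check a practitioner would want after reading the post above is whether a service is really "only expecting local connections": an RPC-assigned listener in the 1030-103x range that is bound to the wildcard address is reachable from the network whatever the author intended, and if the owning service runs as SYSTEM the exposure is total. The following is an added example, not code from the post or from Check Point. It parses the layout of a modern `netstat -ano` listing (with a PID column, which NT 4's netstat did not have) and a constructed PID-to-service/account mapping of the kind one would assemble from `tasklist /svc` and `sc qc <service>` (SERVICE_START_NAME); the service names, PIDs, the port range constant and all sample lines are constructed for illustration, not captured from a real FW-1 host.

```python
"""Flag wildcard-bound listeners in the dynamic RPC port range and report
which service account owns them.  Added example; all sample data is
constructed and the port range is an assumption, not a documented value."""
from dataclasses import dataclass

# Assumption: the "1030-103x" range the post describes, widened slightly so
# the check also catches neighbouring RPC-assigned ports.
RPC_DYNAMIC_RANGE = range(1025, 1040)

# Constructed `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       212
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING       388
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING       412
  TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING       455
  TCP    0.0.0.0:256            0.0.0.0:0              LISTENING       388
  TCP    10.0.0.5:1038          10.0.0.9:2301          ESTABLISHED     388
  UDP    0.0.0.0:1034           *:*                                    455
"""

# Constructed pid -> (service name, logon account) mapping, as gathered from
# `tasklist /svc` plus `sc qc <name>`.  Hypothetical names, not FW-1's real ones.
SERVICE_SAMPLE = {
    212: ("RpcSs", "LocalSystem"),
    388: ("FW1", "LocalSystem"),
    412: ("FW1_mgmt", r"NT AUTHORITY\LocalService"),
    455: ("fwd", "LocalSystem"),
}


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    pid: int


@dataclass(frozen=True)
class Finding:
    port: int
    pid: int
    service: str
    account: str
    reason: str


def parse_netstat(text):
    """Return the listening sockets from `netstat -ano`-style text.

    TCP rows count only when the state is LISTENING; UDP rows have no state
    column and are always treated as listeners."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we do not understand
        proto = parts[0]
        if proto == "TCP":
            if len(parts) != 5 or parts[3] != "LISTENING":
                continue
        elif len(parts) != 4:
            continue
        address, _, port = parts[1].rpartition(":")  # handles [::]:135 too
        listeners.append(Listener(proto, address, int(port), int(parts[-1])))
    return listeners


def is_loopback(address):
    """True for sockets only reachable from the local host."""
    return address.startswith("127.") or address in ("[::1]", "::1")


def audit_listeners(listeners, services, dynamic_range=RPC_DYNAMIC_RANGE):
    """Report non-loopback listeners inside the dynamic RPC range, noting
    when the owning service runs as LocalSystem."""
    findings = []
    for lst in listeners:
        if lst.port not in dynamic_range or is_loopback(lst.address):
            continue
        service, account = services.get(lst.pid, ("<unknown>", "<unknown>"))
        reason = f"{lst.proto} {lst.address}:{lst.port} is reachable from the network"
        if account == "LocalSystem":
            reason += "; owning service runs as LocalSystem"
        findings.append(Finding(lst.port, lst.pid, service, account, reason))
    return sorted(findings, key=lambda f: (f.port, f.proto if hasattr(f, "proto") else ""))


def audit_host(netstat_text, services):
    """Convenience wrapper: parse then audit."""
    return audit_listeners(parse_netstat(netstat_text), services)


if __name__ == "__main__":
    for finding in audit_host(NETSTAT_SAMPLE, SERVICE_SAMPLE):
        print(f"pid {finding.pid:>5} {finding.service:<10} {finding.account:<25} {finding.reason}")
```

The loopback-bound 1031 listener is skipped because it really is local-only; the wildcard-bound 1030, 1032 and UDP 1034 listeners are reported, and the LocalSystem annotation is what turns "a service crashes when poked" into "a service running with full privileges is exposed to the network". Port 135 and the firewall's own 256 fall outside the range and are left to other checks.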
