[15854] in bugtraq
Re: CheckPoint FW1 BUG
daemon@ATHENA.MIT.EDU (Benjamin Smee)
Wed Jul 19 12:37:54 2000
Message-Id: <39755272.479ED5BB@one.net.au>
Date: Wed, 19 Jul 2000 17:02:10 +1000
Reply-To: ben.smee@one.net.au
From: Benjamin Smee <ben.smee@ONE.NET.AU>
X-To: sinster@DARKWATER.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Heya,
I just wanted to clarify this thread. Checkpoint Firewall 1 does NOT
require RPCs to be enabled. In fact it does not require much, as I have
set up Checkpoint version 3.x (older version, admittedly) to run without
anything but a TCP/IP stack effectively. So while theoretically true
that it MIGHT have required something, the reality is that it does not.
thanks
"Jon Paul, Nollmann" wrote:
>
> Sprach Hugo.van.der.Kooij@CAIW.NL:
> > FW-1 does not use RPC itself at all. I've seen a couple of dozen of
> > installations of FW-1 on just about any platform (besides Linux at present
> > ;-) and know it runs on very bare systems.
>
> Please. You answered your own question: you don't know FW-1 on NT. It
> is very feasible that FW-1 would use RPC on an NT box. For instance:
> MS OLE is dependent on RPC. So if FW-1 uses OLE, it's dependent on RPC.
> Does it support drag-and-drop? Then it probably uses OLE.
>
> I don't know FW-1 on NT either, but I've done a lot more debugging under
> NT than I care to admit, and I've stumbled over a large number of these
> undocumented (or poorly documented) gotchas on NT that reach up and
> bite the unwary programmer. A naive port of a *NIX application to
> NT will bring in all sorts of unintended dependencies that may very
> well be wholly inappropriate. Hell, a naive implementation of a new
> program under NT will do the same.
>
> The thought that Checkpoint's translation of FW-1 over to NT has caused
> it to become dependent on RPC without having a single call to any
> RPC routine in their code is entirely credible to me. I'm sure that's
> just the tip of the set of unintended dependencies that it has.
>
> The only reason I was able to find out about this OLE/RPC dependency
> is through sheer luck (I dunno if it's bad luck or good luck). I had
> written a program for a client. One of their clients was encountering
> a bug with my program. I and my client couldn't reproduce the bug.
> The client flew a machine out, and on that machine we could reproduce
> the bug. Examining the machine's configuration, we were able to build
> another machine where we could also reproduce the bug. After much
> effort, we found sockets leaking from Microsoft's OLE library. My
> client's pitiful little GOLD support contract wasn't sufficient for
> Microsoft to do anything about it. They (Microsoft) strongly asserted
> that it was our bug. Only through the channels opened by my client's
> client's superior support contract (would you call that a "platinum"
> contract or something?) was Microsoft willing to acknowledge the bug
> and offer a workaround. The workaround was to tweak the RPC controls
> in the registry. I expressed surprise at this, and Microsoft
> explained that their OLE library is built on RPC. Sure enough, when
> we made the tweak, the bug disappeared.
>
> So, unless Checkpoint has this mythical platinum support contract,
> they probably don't know about this bug. And I'm sure there are other
> problems as well.
>
> --
> Jon Paul Nollmann ne' Darren Senn sinster@balltech.net
> Unsolicited commercial email will be archived at $1/byte/day.
> Congratulations FBI men: Hoover would be proud of you
--
Benjamin Smee
ben.smee@one.net.au or ben.smee@onetel.com.au
308440@pager.link.com.au
+61-2-95139346