ID CVE-2000-0813 Type cve Reporter NVD Modified 2017-10-09T21:29:18
Description
Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to redirect FTP connections to other servers ("FTP Bounce") via invalid FTP commands that are processed improperly by FireWall-1, aka "FTP Connection Enforcement Bypass."
Related records

ID OSVDB:4434 Type osvdb Title Check Point FireWall-1 FTP Redirect Bypass Published 2000-07-26 Modified 2000-07-26 CVSS 5.0 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/) URL https://vulners.com/osvdb/OSVDB:4434

## Vulnerability Description
Check Point FireWall-1 contains a flaw that may allow a remote attacker to redirect connections through vulnerable FTP servers via a "bounce" attack. By using the PORT command, attackers can open connections to arbitrary resources normally protected by the firewall.

## Solution Description
Upgrade to version 4.0 SP7, 4.1 SP2, or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: configure the FTP server to be read only.

## References:
Vendor Specific Advisory URL: http://www.checkpoint.com/techsupport/alerts/list_vun.html#FTP_Connection
Other Advisory URL: http://www.iss.net/xforce/alerts/id/advise62
Keyword: FTP bounce attack
ISS X-Force ID: 5474
Generic Informational URL: http://www.cert.org/tech_tips/ftp_port_attacks.html
CVE-2000-0813: https://vulners.com/cve/CVE-2000-0813
CIAC Advisory: k-073
CERT: CA-1997-27

ID SECURITYVULNS:DOC:721 Type securityvulns Title ISSalert: ISS Security Alert: Multiple vulnerabilities on all platforms and versions of Check Point FireWall-1 Published 2000-09-28 Modified 2000-09-28 CVSS 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/) URL https://vulners.com/securityvulns/SECURITYVULNS:DOC:721

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
September 27th, 2000

Multiple vulnerabilities on all platforms and versions of Check Point FireWall-1

Synopsis:

On July 26th, Thomas Lopatic, John McDonald, and Dug Song released vulnerability information at the Black Hat 2000 briefings that exposed the following security holes in Check Point FireWall-1:

1. One-way Connection Enforcement Bypass
2. Improper stderr Handling for RSH/REXEC
3. FTP Connection Enforcement Bypass
4. Retransmission of Encapsulated Packets
5. FWA1 Authentication Mechanism Hole
6. OPSEC Authentication Spoof
7. S/Key Password Authentication Brute Force Vulnerability
8. GetKey Buffer Overflow

Details:

1. One-way Connection Enforcement Bypass
Any source from any security region passing the rule-base may be able to make unauthorized connections through the firewall that would otherwise be blocked by this additional security layer of FireWall-1. By using specially fragmented TCP connection requests or by closing and re-opening one-way TCP connections in conjunction with certain complex multi-connection protocols, an attacker can bypass the directionality check.

All implementations of Check Point FireWall-1 prior to the new service packs that allow protocols employing unidirectional data flow connections (such as FTP and RSH STDERR) are vulnerable.

2. Improper stderr Handling for RSH/REXEC
A malicious external source can open an unauthorized connection to an internal protected RSH/REXEC client by sending specially formatted stderr connection requests (as an RSH/REXEC server) to the client. These connection attempts are mishandled by FireWall-1 and are allowed through, giving connection access for possible exploitation.

This attack may lead to a compromise of integrity, including relay access on targeted machines, by taking advantage of the connected service.

All implementations of Check Point FireWall-1 prior to the new service packs that have explicitly enabled the VPN-1/FireWall-1 RSH/REXEC property are vulnerable.

3. FTP Connection Enforcement Bypass
A malicious source can use this vulnerability to redirect connections to other systems accessible to the FTP server "bounced" off of. By exploiting the standard "FTP Bounce" attack, while advertising a small maximal segment size (server replies being split) in PASV handling of FTP, an attacker can successfully "bounce" connections off the available FTP server through the FireWall-1 daemon. This form of exploit is often used as a form of IP spoofing to obscure the source of an attack to other targets, and as a way to gain access to assets that are accessible, passing the rule-base, to the targeted FTP server.

All implementations of Check Point FireWall-1 prior to the new service packs that have "FTP bounce" vulnerable FTP servers available for inbound connection with write access and do not have the latest service packs or patches to this vulnerability are susceptible to this attack.

4. Retransmission of Encapsulated Packets
Any source may be able to send packets that pass normal rule-based and anti-spoofing checks, if setup and enabled, through the firewall without being an FWZ client. By sending a payload of specially encapsulated FWZ packets that match a rule in the FireWall-1 rule base, a malicious source can effectively spoof through the firewall as an FWZ client.

All versions and implementations of Check Point FireWall-1 prior to the new service packs are vulnerable.

5. FWA1 Authentication Mechanism Hole
An attacker may successfully compromise the authentication mechanism (but not compromise the connection encryption thereafter), and possibly flood the mechanism with successful authentications, theoretically denying service.

As part of the FWA1 authentication, the server starts by sending the client a random number and a hash of the random number plus the shared secret key. The client is then required to send the server a different random number and a hash of the random number sent by the server, XORed with the client's random number's power, plus the secret key. By using 0 as the client's random number, a malicious attacker can subvert authentication (since the server's random number XORed with zero will equal itself and therefore produce the same hash sent to the server in the first step of the protocol). Although this subverts authentication, it doesn't expose the secret key and therefore prevents further transmission.

All implementations prior to the new service packs that have rules allowing control connections from un-trusted sources or users are vulnerable. In version 4.1, by default, FW-1 control connections are allowed only from systems defined as having FireWall-1 installed on them.

6. OPSEC Authentication Spoof
A remote attacker can effectively authenticate to any OPSEC channel that it is allowed to communicate with under the rules base, giving full access to any services allowed therein.

For authentication, the OPSEC protocol sends a random number and a hash of the random number plus the shared secret key to the client. The client is then expected to verify the key by adding the random number to the previously known secret key, performing the same hash, and comparing it to the one received. The client then authenticates by sending what is assumed to be a different random number, in addition to their own hash of the secret key plus their random number. The server then performs the same verification, successfully authenticating the client's knowledge of the secret key and granting access. To compromise this authentication, an attacker initiates a connection, receiving the initial random number and hash from the server. The authentication process of the server is skipped, because the secret key is unknown, and the messages are replayed back to the server. The server does not verify if the random number chosen by the client is different and authenticates the previously sent message successfully, granting access to the malicious user.

All implementations of Check Point FireWall-1 prior to the new service packs and those that don't constrain OPSEC communication to specifically trusted source/destination pairs via the rule base are vulnerable to this attack.

7. S/Key Password Authentication Brute Force Vulnerability
An attacker can use this vulnerability to gain user intermodule access through VPN-1 or any other access vector using this authentication in FireWall-1. As part of the FireWall-1 S/Key authentication protocol, an index number is sent to the client. The client then authenticates by sending the secret key, hashed the index number of times, back to the server. By utilizing brute force techniques, an attacker could determine the secret key by intelligently trying all possible secret keys in the given keyspace. Upon determining the secret key, the attacker will also gain authentication to all available assets.

All implementations of Check Point FireWall-1 prior to the new service packs and those that use S/Key for inter-module authentication are vulnerable. Note that all 4.1 installations use FWA1 by default and are therefore not vulnerable unless the administrator specifically weakened the inter-module authentication mechanism from FWA1 to S/Key.

8. GetKey Buffer Overflow
An attacker can use this vulnerability to terminate the firewall daemon, leaving the current policy intact. This represents a possible threat of integrity compromise to all assets available via policy that would otherwise not be available given other checks and services available with the firewall daemon actively running. Due to insufficient bounds checking and handling in the intermodule communication protocol, specifically within the GetKey procedure, an attacker can exploit this vulnerability by sending a specially-crafted instruction to overflow the buffer and cause the firewall daemon to terminate, leaving policy enforcement operational.

All implementations of Check Point FireWall-1 prior to the new service packs or patches to this vulnerability are vulnerable.

Affected Platforms:

All platforms on which Check Point's FireWall-1 product is available are vulnerable to these attacks. They are platform independent, existing completely within the FireWall-1 application.

Recommendations:

Check Point has released service packs VPN-1/FireWall-1 4.0 SP7 and VPN-1/FireWall-1 4.1 SP2 that eliminate each of these vulnerabilities. For VPN-1 Appliances (IPSO) running version 4.0, the service pack is version 4.0 SP5 Hotfix.

Service Pack information, download access, and a description of how these vulnerabilities are addressed can be accessed at:
http://www.checkpoint.com/techsupport/alerts

The ISS X-Force will provide additional functionality to detect these vulnerabilities in upcoming X-Press Updates for Internet Scanner and RealSecure.

Additional Information:

Supplemental technical notes on these vulnerabilities are available at:
http://www.dataprotect.com/bh2000/blackhat-fw1.html

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CAN-2000-0804 One-way Connection Enforcement Bypass
CAN-2000-0779 Improper stderr Handling for RSH/REXEC
CAN-2000-0813 FTP Connection Enforcement Bypass
CAN-2000-0805 Retransmission of Encapsulated Packets
CAN-2000-0806 FWA1 Authentication Mechanism Hole
CAN-2000-0807 OPSEC Authentication Spoof
CAN-2000-0808 S/Key Password Authentication Brute Force Vulnerability
CAN-2000-0809 GetKey Buffer Overflow

______

About Internet Security Systems (ISS)
Internet Security Systems (ISS) is a leading global provider of security management solutions for the Internet. By providing industry-leading SAFEsuite security software, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to its customers, protecting digital assets and ensuring safe and uninterrupted e-business. ISS' security management solutions protect more than 5,500 customers worldwide including 21 of the 25 largest U.S. commercial banks, 10 of the largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net <mailto:xforce@iss.net> for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOdJQsDRfJiV99eG9AQGQiQQAopmqRgya3aUWYWmlhGpij4SOtHuiVcI+
PADRttRWykRPrh5qy8PE3kRJYGWMTuzpscV0tP8f66v+rOD03MWlg+N3YILiYMml
XzU7a1kuEB6cUX1A9BFTtPa68SwaW+fP+8NyY1KdQtA5ZpN2iD0FoBhkh6cJxvMT
DmTk+IGiN0w=
=cbAB
-----END PGP SIGNATURE-----