As announced earlier this week, we hereby post the proof of concept code for the FireWall-1 RDP Bypass Vulnerability. We think it doesn't make sense to withhold it any longer for the following reasons.
1.) This is no "Script-Kiddie" exploit, it will not provide anyone with a means to instantly break into foreign hosts.

2.) Any cracker with decent skills and access to a Firewall-1 machine for testing purposes will in the meantime have developed his/her own code to make use of this vulnerability.

3.) Patches and workarounds have been provided by Checkpoint and others. This proof of concept code will aid administrators in testing their systems and the patches/workarounds they applied.
Some technical notes:
There has been some confusion about the term "RDP". There is actually a protocol called "RDP (Reliable Datagram Protocol)" described in RFC 908, which is directly based on the IP protocol. However, this is not the same as the proprietary "Checkpoint RDP protocol".
The Checkpoint RDP protocol is basically a UDP service on port 259; the packets for this service therefore have the following structure:

    #######################
    #      IP Header      #
    #######################
    #      UDP Header     #
    #######################
    #      RDP Header     #
    #######################
    #       Payload       #
    #######################
The RDP header simply consists of:

    bit 0                31
    ######################
    #  RDP Magic Number  #
    ######################
    #    RDP Command     #
    ######################
or, expressing it in C:

    struct rdp_hdr
    {
        unsigned int rdp_magic;   /* RDP Magic Number, 32 bits */
        unsigned int rdp_cmd;     /* RDP Command, 32 bits */
    } rdp_head;
The value of the RDP Magic Number has turned out to be irrelevant for our purposes. The numbers of those RDP commands that will be permitted to pass the firewall without further processing follow straight from the INSPECT include file $FWDIR/crypt.def.
In our code, we construct packets including IP and UDP header to allow testing with arbitrary (spoofed) source IP addresses and ports.
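For administrators checking what actually reaches the firewall on port 259, here is a small decoder for the packet layout described above. It is an added example, not the proof of concept code: it takes a raw IPv4 datagram, confirms it is UDP to port 259, and extracts rdp_magic, rdp_cmd and the length of any payload following the header, which is what a monitor would log when verifying a patch or workaround. It assumes the two header fields are read as 32-bit words in network byte order (the post does not state their byte order) and uses made-up magic/command values in the constructed sample packet.

```c
/* Added example (not the original PoC): decode an IPv4/UDP datagram and,
 * if it is Checkpoint RDP (UDP port 259), extract the RDP header fields.
 * Assumption: rdp_magic/rdp_cmd are 32-bit network-order words. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define RDP_PORT    259
#define RDP_HDR_LEN 8          /* sizeof(struct rdp_hdr) on the wire */
struct rdp_info {
    uint32_t rdp_magic, rdp_cmd;
    size_t   payload_len;      /* bytes following the RDP header */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
/* Returns 1 and fills *info for a UDP datagram to port 259 carrying a full
 * RDP header, 0 for any other well-formed IPv4 packet, -1 if malformed. */
int decode_rdp(const uint8_t *pkt, size_t len, struct rdp_info *info)
{
    memset(info, 0, sizeof *info);
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;          /* IPv4 only */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl + 8 > len) return -1;               /* no room for UDP */
    if (pkt[9] != 17) return 0;                             /* not UDP */
    const uint8_t *udp = pkt + ihl;
    size_t udp_len = rd16(udp + 4);
    if (udp_len < 8 || ihl + udp_len > len) return -1;      /* bogus UDP length */
    if (rd16(udp + 2) != RDP_PORT) return 0;                /* UDP, but not RDP */
    if (udp_len < 8 + RDP_HDR_LEN) return -1;               /* RDP header truncated */
    info->rdp_magic   = rd32(udp + 8);
    info->rdp_cmd     = rd32(udp + 12);
    info->payload_len = udp_len - 8 - RDP_HDR_LEN;
    return 1;
}
/* Constructed sample: 20-byte IPv4 header, UDP 4000 -> 259, RDP header with
 * magic 0x11223344 and command 2 (made-up values), then a 4-byte payload. */
size_t sample_rdp_packet(uint8_t *buf)
{
    static const uint8_t pkt[] = {
        0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
        10,0,0,1, 10,0,0,2,                        /* src/dst, IP checksum left 0 */
        0x0f,0xa0, 0x01,0x03, 0x00,0x14, 0x00,0x00, /* sport 4000, dport 259, len 20 */
        0x11,0x22,0x33,0x44, 0x00,0x00,0x00,0x02,  /* rdp_magic, rdp_cmd */
        0xde,0xad,0xbe,0xef };                     /* payload */
    memcpy(buf, pkt, sizeof pkt);
    return sizeof pkt;
}
```

Feed it the IP packets captured on the firewall's interfaces and compare the logged rdp_cmd values against the command numbers listed in $FWDIR/crypt.def to see which datagrams the rulebase would have waved through.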
This code has been written and tested on SuSE Linux 7.1 with kernel 2.4.2. It should (possibly with minor changes) compile on any other Linux platform.
Jochen

--
Jochen Bauer                        | Tel: +49711 6868 7030
Inside Security IT Consulting GmbH  | Fax: +49711 6868 7031
Nobelstr. 15                        | email: jtb@inside-security.de
70569 Stuttgart, Germany            | http://www.inside-security.de