On Mon, 24 Jul 2006, Sec-Tec Lists wrote:

> Check Point Firewall-1 R55W contains a hard coded web server, which runs on
> TCP port 18264. This server is there to deal with PKI requirements for Check
> Point's VPN functionality.
>
> During a routine penetration test of a client, Sec-Tec discovered a
> directory traversal vulnerability that allows a potential attacker to
> retrieve files from the underlying OS.
>
> This issue is potentially serious for a number of reasons:
>
> 1. Check Point's "rule zero" will often by default allow access to this port
> for external IP addresses.
>
> 2. It would currently seem that there are few restrictions as to what files
> can be retrieved via this mechanism (Sec-Tec were able to obtain the
> underlying OS' account repository).
>
> Exploit
>
> The issue can be exploited via a web browser using typical hex encoded
> directory traversal strings.
>
> Affected Version(s):
>
> Check Point R55W
> Check Point R55W HFA1
> Check Point R55W HFA2
>
> (Confirmed on Windows 2003 Server platform, other platforms may be
> affected.)
>
> Current Status
>
> Check Point have confirmed that this issue was corrected in R55W HFA03.
> However, Sec-Tec have been unable to find any publicly available references
> to this issue, either within Check Point's knowledge base or HFA03 release
> notes.

This issue was found and fixed a while ago as I just learned from Check Point:

  This vulnerability was published on BugTraq. It was discovered in the past
  and fixed. The following sentence was added to Release Notes:
  "HTTP protocol inspection has been enhanced."

  The following versions and later are not vulnerable:

  NG AI R54 HFA_414
  NG AI R55 HFA_12
  NG AI R55W HFA_3
  NGX R60
  NGX R60A
  NGX R61
  VSX NG AI HFA_02
  VSX NGX
  Interspect 2.0
  Interspect NGX
  Connectra 2.0
  Connectra NGX R60
  Connectra NGX R61

Regards,
Hugo.

--
I hate duplicates. Just reply to the relevant mailinglist.
hvdkooij@xxxxxxxxxxxxxxx http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of magicians, for they are subtle and quick to anger.
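Added example, not part of the original message and not Check Point's code: a log check that percent-decodes request paths (including double encoding) and flags ".." path segments in requests to TCP port 18264, for spotting probes of the kind the advisory describes on gateways not yet at a fixed version. The three-field log format, the function names and the sample lines are assumptions constructed for illustration.

```python
from urllib.parse import unquote

PKI_PORT = 18264       # port named in the advisory
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap double/triple encoding

def normalize_path(raw: str) -> str:
    """Percent-decode repeatedly until stable, then unify separators."""
    path = raw.split("?", 1)[0]          # ignore any query string
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")       # Windows hosts accept both separators

def is_traversal(raw: str) -> bool:
    """True if any path segment is exactly '..' after decoding."""
    return ".." in normalize_path(raw).split("/")

def scan(log_lines, port=PKI_PORT):
    """Return (src_ip, raw_path) for traversal attempts against `port`."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                     # skip malformed lines
        src, dport, path = parts
        if dport.isdigit() and int(dport) == port and is_traversal(path):
            hits.append((src, path))
    return hits

# Constructed sample lines in a hypothetical format:
# "<src_ip> <dst_port> <request_path>"
SAMPLE = [
    "192.0.2.10 18264 /index.html",
    "192.0.2.11 18264 /%2e%2e/%2e%2e/example.txt",
    "192.0.2.12 18264 /a/%252e%252e%255cexample.txt",  # double-encoded
    "192.0.2.13 18264 /files/report..v2.txt",          # dots inside a name
    "192.0.2.14 443 /%2e%2e/example.txt",              # different port
]

if __name__ == "__main__":
    for src, path in scan(SAMPLE):
        print(f"traversal attempt from {src}: {path}")
```

Matching on whole decoded segments rather than the substring ".." keeps file names such as report..v2.txt from raising false alerts.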