Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Check Point R55W Directory Traversal

from [Sec-Tec Lists] Network Security [Permanent Link]
Subject: Check Point R55W Directory Traversal
Date: Mon, 24 Jul 2006 17:33:24 +0100 
Overview

Check Point Firewall-1 R55W contains a hard coded web server, which runs on
TCP port 18264. This server is there to deal with PKI requirements for Check
Point's VPN functionality.

During a routine penetration test of a client, Sec-Tec discovered a
directory traversal vulnerability that allows a potential attacker to
retrieve files from the underlying OS.

This issue is potentially serious for a number of reasons:

1. Check Point's "rule zero" will often by default allow access to this port
for external IP addresses.

2. It would currently seem that there are few restrictions as to what files
can be retrieved via this mechanism (Sec-Tec were able to obtain the
underlying OS' account repository).

Exploit

The issue can be exploited via a web browser using typical hex encoded
directory traversal strings.

Affected Version(s):

Check Point R55W
Check Point R55W HFA1
Check Point R55W HFA2

(Confirmed on Windows 2003 Server platform, other platforms may be
affected.)

Current Status

Check Point have confirmed that this issue was corrected in R55W HFA03.
However, Sec-Tec have been unable to find any publicly available references
to this issue, either within Check Point's knowledge base or HFA03 release
notes.

Updates to this issue will be found at:
http://www.sec-tec.co.uk/vulnerability/r55w_directory_traversal.html


Pete Foster
Senior Consultant
Sec-Tec Ltd
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ GLSA 200607-08 ] GIMP: Buffer overflow, Michael Shigorin
Next by Date:  [Full-disclosure] ERRATA: [ GLSA 200607-08 ] GIMP: Buffer overflow, Sune Kloppenborg Jeppesen
Previous by Thread:  PHP Live! v3.2 (header.php) Remote File Include Vulnerabilities, saudi . unix
Next by Thread:  Re: Check Point R55W Directory Traversal, Hugo van der Kooij
Indexes:  [Date] [Thread] [Top] [All Lists]