Tried, Tested and Proven

Security Advisory 08-009 – Checkpoint VPN-1 PAT information disclosure

Vulnerability Title:

Checkpoint VPN-1 PAT information disclosure.

Vulnerable System:

Checkpoint VPN-1

Vulnerability discovery and development:

Portcullis Security Testing Services

Credit for Discovery:

Tim Brown and Mark Lowe – Portcullis Computer Security Ltd.

Affected Systems:

All known versions of Checkpoint VPN-1; the vulnerability discovered was for version R65.

Details:

By sending crafted packets to ports on the Firewall which are mapped by port address translation (PAT) to ports on internal devices, information about the internal network may be disclosed in the resulting ICMP error packets. Port 18264/tcp on the Firewall is typically configured in such a manner, with packets to this port being re-written to reach the Firewall management server. When the time-to-live (TTL) is set low, the Firewall fails to correctly sanitise the encapsulated IP headers in ICMP time-to-live exceeded packets resulting in the internal IP address being disclosed. For example:

The response was elicited by sending a packet (from 194.0.0.1) to port 18264/tcp on the Firewall’s interface. The TTL was set low, so the Firewall could not forward it on.

14:56:25.169480 IP (tos 0xe0, ttl 255, id 21407, offset 0, flags [none], proto: ICMP (1), length: 68) 193.0.0.1 > 194.0.0.1: ICMP time exceeded in-transit, length 48 IP (tos 0x0, ttl 1, id 5120, offset 0, flags [none], proto: TCP (6), length: 40) 194.0.0.1.9003 > 10.0.0.99.18264: S, cksum 0x03e6 (correct), 2834356043:2834356043(0) win 512

The destination address on the encapsulated IP packet is the address of the Firewall management server. Note: This can be exploited whether the port is detected as being open or closed by a port scan of the Firewall’s interface.

Impact:

An attacker could use this to determine the internal IP address of the Firewall management server.

Exploit:

The proof of concept exploit code is available as a NASL plugin for OpenVAS.

Vendor Status:

11/09/2008 – Vendor informed via email.

23/09/2008 – Vendor Informed via email.

24/10/2008 – Vendor informed of publication intention

Copyright:

Copyright © Portcullis Computer Security Limited 2008, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.