Security Advisory 08-009 – Checkpoint VPN-1 PAT information disclosure
Checkpoint VPN-1 PAT information disclosure.
Vulnerability discovery and development:
Portcullis Security Testing Services
Credit for Discovery:
Tim Brown and Mark Lowe – Portcullis Computer Security Ltd.
All known versions of Checkpoint VPN-1; the vulnerability discovered was for version R65.
By sending crafted packets to ports on the Firewall which are mapped by port address translation (PAT) to ports on internal devices, information about the internal network may be disclosed in the resulting ICMP error packets. Port 18264/tcp on the Firewall is typically configured in such a manner, with packets to this port being re-written to reach the Firewall management server. When the time-to-live (TTL) is set low, the Firewall fails to correctly sanitise the encapsulated IP headers in ICMP time-to-live exceeded packets resulting in the internal IP address being disclosed. For example:
The response was elicited by sending a packet (from 220.127.116.11) to port 18264/tcp on the Firewall’s interface. The TTL was set low, so the Firewall could not forward it on.
14:56:25.169480 IP (tos 0xe0, ttl 255, id 21407, offset 0, flags [none], proto: ICMP (1), length: 68) 18.104.22.168 > 22.214.171.124: ICMP time exceeded in-transit, length 48 IP (tos 0x0, ttl 1, id 5120, offset 0, flags [none], proto: TCP (6), length: 40) 126.96.36.199.9003 > 10.0.0.99.18264: S, cksum 0x03e6 (correct), 2834356043:2834356043(0) win 512
The destination address on the encapsulated IP packet is the address of the Firewall management server. Note: This can be exploited whether the port is detected as being open or closed by a port scan of the Firewall’s interface.
An attacker could use this to determine the internal IP address of the Firewall management server.
The proof of concept exploit code is available as a NASL plugin for OpenVAS.
11/09/2008 – Vendor informed via email.
23/09/2008 – Vendor Informed via email.
24/10/2008 – Vendor informed of publication intention
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.