Dailydave mailing list archives

Re: Checkpoint FW-1 buffer overflows
From: "Rodrigo Rubira Branco (BSDaemon)" <rodrigo () kernelhacking com>
Date: Thu, 4 Oct 2007 11:29:32 -0000

Well, it's interesting, but it does not show the truth ;)

First of all, the binaries shown are not suid, and for sure cpshell is a
root process that interfaces with the binaries, but they haven't shown:
- If it drops the privileges
- If it does not handle parameters ;)

Also, when you see the TOE, he showed the phrase which says: "trusted
admins", which means the system has no local protection against intruders.
Also in the TOE it is clear that the OS itself is not the target for the
tests.

Blergh, enough. exec-shield can randomize the binary if it's PIE, which is not
the case for this 'customized' Red Hat... interesting to say, it's a really
modified Red Hat, mainly to load the Checkpoint kernel module (he said in the
article it's a default Red Hat)...

Anyway, it's a good article for people who want to understand how to exploit
exec-shielded systems ;)


cya,


Rodrigo (BSDaemon).


--
http://www.kernelhacking.com/rodrigo

Kernel Hacking: If I really know, I can hack

GPG KeyID: 1FCEDEA1


--------- Original Message --------
From: Security Admin NetSec <secadmin () netsecdesign com>
To: dailydave () lists immunitysec com <dailydave () lists immunitysec com>
Subject: [Dailydave] Checkpoint FW-1 buffer overflows
Date: 04/10/07 10:09


Reference link http://www.pentest.es/checkpoint_hack.pdf

Did not read the entire 219 page report, but from the initial perusing it
looks like good work. It begs the question whether this is an inherent issue
with the architecture (Checkpoint installed on top of another OS) or whether
other popular security products like Juniper Netscreen or Cisco PIX/ASA have
similar issues.

Edward W. Ray
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

________________________________________________
Message sent using UebiMiau 2.7.2
