Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Check Point FW-1 NG FP3 & FP3 HF1: DoS attack against syslog daemon possible
From: "Dr. Peter Bieringer" <pbieringer () aerasec de>
Date: Wed, 26 Mar 2003 19:55:21 +0100

Hi again,

regarding to some statements and personal e-mails to me of
a) which versions are affected
and
)b we have no FP3, but a running "syslog" process
I've doublechecked this here in our lab and can confirm Check Point's advisory "Prior to the release of NG FP3 HF2" for some more cases:

Check Point FW-1 since NG FP3:
------------------------------
The syslog daemon is a dedicated binary "$FWDIR/bin/syslog"
Vulnerable for remote crash (FP3, FP3 HF1)
Vulnerable unfiltered escape sequences (FP3, FP3 HF1, FP3 HF2)


Check Point FW-1 NG up to FP2:
------------------------------
The syslog daemon is included in the "$FWDIR/bin/fw" binary by using "$FWDIR/lib/libfw1.so"
Vulnerable for remote crash (FP2)
Vulnerable unfiltered escape sequences (FP2)

Other NG versions below FP2 currently not tested by us, but regarding to Check Point's advisory they are also vulnerable.

Note: in the process table you will see also "syslog 514 all", a "ghost" program which didn't exist before FP3, but that's only the command line arguments. A dig into /proc/$pid-of/syslog shows, that "fw" is the real executed binary.


Check Point FW-1 4.1:
---------------------
The syslog daemon is included in the "$FWDIR/bin/fw" binary without using any other Check Point specific library.

We currently investigate also here the 2 issues.


Hope this helps.

We've also already updated our advisory:

http://www.aerasec.de/security/advisories/txt/
checkpoint-fw1-ng-fp3-syslog-crash.txt
http://www.aerasec.de/security/advisories/
checkpoint-fw1-ng-fp3-syslog-crash.html


Sorry for causing some confusions.

        Peter
--
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Stra├če 1                           Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer () aerasec de
Germany                                Internet: http://www.aerasec.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault