|
|
|
|
| |
| By sending crafted packets to ports on the Checkpoint Firewall which are mapped by port address translation (PAT) to ports on internal devices, information about the internal network may be disclosed in the resulting ICMP error packets. |
| |
Credit:
The information has been provided by Tim Brown and Mark Lowe.
The original article can be found at: http://www.portcullis.co.uk/293.php
|
| |
Port 18264/tcp on the Checkpoint Firewall is typically configured in such a manner that it is mapped by the port address translation (PAT), with packets to this port being re-written to reach the Firewall management server. When the time-to-live (TTL) is set low, the Firewall fails to correctly sanitize the encapsulated IP headers in ICMP time-to-live exceeded packets resulting in the internal IP address being disclosed. For example:
The response was elicited by sending a packet (from 194.0.0.1) to port 18264/tcp on the Firewall's interface. The TTL was set low, so the Firewall could not forward it on.
14:56:25.169480 IP (tos 0xe0, ttl 255, id 21407, offset 0, flags [none], proto: ICMP (1), length: 68) 193.0.0.1 > 194.0.0.1: ICMP time exceeded in-transit, length 48
IP (tos 0x0, ttl 1, id 5120, offset 0, flags [none], proto: TCP (6), length: 40) 194.0.0.1.9003 > 10.0.0.99.18264: S, cksum 0x03e6 (correct), 2834356043:2834356043(0) win 512
The destination address on the encapsulated IP packet is the address of the Firewall management server. Note: This can be exploited whether the port is detected as being open or closed by a port scan of the Firewall's interface.
Impact:
An attacker could use this to determine the internal IP address of the Firewall management server.
Vendor Status:
11/09/2008 - Vendor informed via email.
23/09/2008 - Vendor Informed via email.
24/10/2008 - Vendor informed of publication intention
|
|
|
|
|
