COMMAND

    FW-1

SYSTEMS AFFECTED

    Firewall-1 Session Agent 4.1

PROBLEM

    Gregory Duchemin found the following.  After the great revelations
    at the Las Vegas Black Hat conference about many security
    vulnerabilities in FW-1, Gregory took a look at a small module he
    uses in his company, called the "authentication session agent".  He
    uses it all over the corporate network to allow only certain
    privileged users to reach the Internet.

    This agent is installed on a Windows 9.x or NT box and simply listens
    on TCP port 261 for a connection from a firewall module.  When a user
    wishes to surf the web or use any other outside service, the firewall
    intercepts the request and performs a three-way handshake with the
    agent to obtain the authentication information: user + password.

    There are at least two vulnerabilities in the agent:

    1- Denial of service: while one connection to the agent is already
       established, no further connection can be accepted, which amounts
       to a denial of service.  If one day some malicious user decides
       to type something like:

        #telnet target 261

       the user on the target will no longer get the prompt asking him
       for his password....too bad...no more authentication, no more
       outside connections.

    2- More seriously, for compatibility reasons the agent shows a
       checkbox that permits the user to send his password in cleartext,
       because firewall modules 4.0 and below don't know how to do
       encryption.  Not only is it possible to sniff this password on
       the network segment, but, more interestingly, it is trivial to
       ask the user's agent to hand it over.  Example:

        #nc target 261

        220 FW-1 fake session authentication
        331 User:
        -> he answer with his username
        331 *FireWall-1 p4ssw0rd pleazzz:
        -> if he's an idiot, he 'll take that for a real fw prompt and u 'll get
        back his password else just change the message ;)
        200 User has now a clone, c3rb3r
        230 OK

       Note that this exploit is interactive: when you send "331 User:",
       it appears straight away on the victim's screen, so you have to
       wait for his answer.  It's even possible to use the session agent
       as a funny chat window with a Checkpoint logo in the top right
       corner...

    The weakness is still present when using session agent 4.1 with the
    "allow clear passwords" option checked (typically for backward
    compatibility with a 4.0 inspection module and below).  An IP
    wrapper is coded into the agent: when a connection from another
    source IP is caught, the user is prompted to accept or reject the
    request.  Most users will certainly accept, and if they don't, it
    should be trivial to spoof the firewall's IP on the corporate LAN,
    even in a switched environment, with ARP games or ICMP redirects.
    If the "Any IP address" option is checked, things are worse.

    A malicious user inside the internal network could use an nmap-like
    scanner to look for every open port 261 over the LAN and use Andrew
    Danforth's perl script to exploit the flaw.  By spoofing an
    authorized user's IP and using his login/password, the intruder
    would be almost invisible in the FW logs while accessing restricted
    services.  Every version of the agent is vulnerable (3.0 -> 4.1) on
    Win 9.x and NT.
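    Since the agent only ever expects the firewall module on TCP/261, a
    defender can spot both abuses described above (a rogue LAN host
    talking to an agent, and a sweep of the LAN for open port 261) from
    ordinary connection logs.  The script below is an added example and
    is not part of the advisory or of Checkpoint's software; it assumes a
    constructed log format of "timestamp src_ip dst_ip dst_port" per
    line and a hypothetical firewall module address of 10.0.0.1.

```python
"""Flag unauthorized or scanning access to FireWall-1 Session Agents (TCP/261).

Added example, not from the advisory.  Assumptions: connection records are
lines "timestamp src_ip dst_ip dst_port" (constructed format), and the only
host that legitimately contacts an agent is the firewall module at
FIREWALL_IP (hypothetical address).
"""
from collections import defaultdict

AGENT_PORT = 261          # port the session agent listens on (from the advisory)
FIREWALL_IP = "10.0.0.1"  # assumed address of the FW-1 inspection module
SWEEP_THRESHOLD = 5       # distinct agent hosts touched by one source -> sweep

# Constructed sample records: timestamp, source IP, destination IP, port.
SAMPLE_LOG = """\
2000-08-01T09:00:01 10.0.0.1 10.0.5.20 261
2000-08-01T09:00:03 10.0.0.1 10.0.5.21 261
2000-08-01T09:01:10 10.0.5.77 10.0.5.20 261
2000-08-01T09:01:11 10.0.5.77 10.0.5.21 261
2000-08-01T09:01:12 10.0.5.77 10.0.5.22 261
2000-08-01T09:01:13 10.0.5.77 10.0.5.23 261
2000-08-01T09:01:14 10.0.5.77 10.0.5.24 261
2000-08-01T09:02:00 10.0.5.30 10.0.5.40 80
2000-08-01T09:02:05 10.0.5.99 10.0.5.20 261
"""


def parse_records(text):
    """Parse log lines into (timestamp, src, dst, port) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ts, src, dst, port = parts
        records.append((ts, src, dst, int(port)))
    return records


def find_unauthorized_clients(records, firewall_ip=FIREWALL_IP):
    """Return (timestamp, src, dst) for every agent connection not made by the firewall."""
    return [(ts, src, dst) for ts, src, dst, port in records
            if port == AGENT_PORT and src != firewall_ip]


def find_sweeps(records, firewall_ip=FIREWALL_IP, threshold=SWEEP_THRESHOLD):
    """Return {src: sorted agent hosts} for sources touching >= threshold distinct agents."""
    targets = defaultdict(set)
    for _, src, dst, port in records:
        if port == AGENT_PORT and src != firewall_ip:
            targets[src].add(dst)
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= threshold}


def analyze(text):
    """Run both detections over raw log text and return a summary dict."""
    records = parse_records(text)
    return {
        "unauthorized": find_unauthorized_clients(records),
        "sweeps": find_sweeps(records),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ts, src, dst in result["unauthorized"]:
        print(f"{ts} unauthorized agent client {src} -> {dst}:{AGENT_PORT}")
    for src, hosts in result["sweeps"].items():
        print(f"port-{AGENT_PORT} sweep from {src}: {len(hosts)} agents ({', '.join(hosts)})")
```

    In the sample, 10.0.5.77 touches five agents in a few seconds and is
    reported as a sweep, while the single connection from 10.0.5.99 is
    reported only as an unauthorized client; traffic from the firewall
    module itself is never flagged.  Alerting on the first category also
    covers the telnet-style denial of service, since that too requires a
    non-firewall host to open port 261 on an agent.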

SOLUTION

    For the DoS, wait for Checkpoint's reply.  For the password weakness,
    always use encryption (if you have a firewall module 4.1, naturally)
    and use the IP wrapper incorporated into the agent, which is not
    enabled by default.