RE: Checkpoint FW-1 on Nokia - potential user enumeration bug?

From: Rob Lindenbusch (lfcrob@nicusa.com)
Date: Thu Jan 09 2003 - 09:11:28 EST

• Next message: Martin Eiszner: "Re: PerlModule Apache::AuthDBI"
• Previous message: crazytrain.com: "Re: SQL Vulnerabilty Assesment"
• In reply to: Chris McNab: "Checkpoint FW-1 on Nokia - potential user enumeration bug?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I have recently seen a "similar" behavior with SecureRemote under FW-1 4.1

Users attempting to authenticate to the VPN get an "unknown user" error if
the account does not exist and an "authentication failure" message if the
user does exist but the password is incorrect. This was tested on a Nokia,
but I would assume it is a FW-1 issue not confined to those boxes.

Rob

-----Original Message-----
From: Chris McNab [mailto:chris.mcnab@trustmatta.com]
Sent: Tuesday, January 07, 2003 7:55 PM
To: pen-test@securityfocus.com
Subject: Checkpoint FW-1 on Nokia - potential user enumeration bug?

Hey,

I was performing a pentest recently for a client, and found what seems to be
a user enumeration bug within Nokia IPSO (unknown as to which version and
patchlevel) running Checkpoint FW-1:

pipex-gw>telnet xxx.xxx.xxx.xxx
Trying xxx.xxx.xxx.xxx ... Open
   IPSO (checkpointcharlie) (ttyp0)
login: root
Password:
Login incorrect
login: blah
Password:
Login incorrect
login: fw1adm
Password:
Password:
Login incorrect
login: fw1adm
Password:
Password:
Login incorrect
Login timed out after 300 seconds
[Connection to xxx.xxx.xxx.xxx closed by foreign host]
pipex-gw>

Obviously the fw1adm user exists, being the standard account under FW-1..
but I was wondering if anyone had seen this before, or even if this issue
had been addressed by Nokia?

Thanks,

Chris

Chris McNab
Technical Director

Matta Security Limited
18 Noel Street
London W1F 8GN

Tel: 08700 77 11 00

This e-mail was sent from Matta Security Limited. The information contained
in this message is confidential, may be privileged, and is intended for the
addressee(s) only. If you have received this message in error please notify
the originator immediately. The unauthorised use, disclosure, copying or
alteration of this message is strictly forbidden. Matta Security Limited
does not warrant that any attachments are free from viruses or other
defects. Matta Security Limited will not be liable for direct, special,
indirect or consequential damages arising from alteration of the contents of
this message by a third party or as a result of any virus being passed on.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Next message: Martin Eiszner: "Re: PerlModule Apache::AuthDBI"
• Previous message: crazytrain.com: "Re: SQL Vulnerabilty Assesment"
• In reply to: Chris McNab: "Checkpoint FW-1 on Nokia - potential user enumeration bug?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT