RE: Checkpoint FW-1 on Nokia - potential user enumeration bug?

From: Pen-Test (Pen-Test@graycypher.com)
Date: Fri Jan 10 2003 - 17:52:12 EST

• Next message: Dominick Baier: "AW: MS Terminal Services open to the world"
• Previous message: Don Voss: "Re: MS Terminal Services open to the world"
• In reply to: DABDELMO@bouyguestelecom.fr: "RE: Checkpoint FW-1 on Nokia - potential user enumeration bug?"
• Next in thread: Christopher Lyon: "RE: Checkpoint FW-1 on Nokia - potential user enumeration bug?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I've was able to reproduce the error on IPSO 3.5 FCS10 from the console.
If you are doing penetration testing, the first thing that should be
addressed is telnet access. Starting with IPSO 3.4.x, SSH 1 and 2 are
build into the OS and are a much better alternative to telnet.

The issue that you seen is related more to the telnet service than to an
issue with IPSO. Remember that IPSO is old school BSD and much of the
core OS (kernel level stuff) has not been updated in some time.

Here are my results:
=======================================================
deacon[admin]# uname -a
IPSO deacon 3.5-FCS10 releng 1041 08.26.2002-202900 i386

IPSO (deacon) (ttyd0)

login: foo
Password:
Jan 10 22:24:39 deacon [LOG_ALERT] PAM_unix[3116]: check pass; user
unknown
Jan 10 22:24:39 deacon [LOG_NOTICE] PAM_unix[3116]: authentication
failure; root
(uid=0) -> foo for login service
Jan 10 22:24:41 deacon [LOG_ERR] PAM_unix[3116]: auth_pam:
Authentication service cannot retrieve authentication info.
Password:
Login incorrect
login: admin
Password:
Jan 10 22:24:59 deacon [LOG_NOTICE] PAM_unix[3116]: authentication
failure; root
(uid=0) -> admin for login service
Login incorrect
login:
=======================================================

I would recommend:
Upgrade IPSO and CheckPoint to the latest version. I like IPSO 3.5
FCS10 and CheckPoint NG Firewall-1/VPN-1 FP3 Hot fix 1

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
REMEMBER: Backup your config BEFORE trying any of these steps below... I
"can't"/"won't"/"don't want to" be held accountable if you break your
firewall! Use the help buttons if you get stuck.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

>From voyager, select config/Network Access and Services
Disable FTP, TFTP, TELNET, Allow com2 login, Allow com3 login
Disable echo, discard, chargen, daytime and time

>From voyager, select config/Secure Shell (SSH)
Enable SSH
Set protocol Version to 2 only (Both 1 and 2 is okay if you need it, but
if not only use 2)
The rest of the defaults are okay.
Generate new keys.

>From voyager, select config/Voyager Web Access
Select Configure SSL Certificate
Select Generate a new private key and certificate signing request
Select 1024 if possible
Enter a password for the cert
Enter your country code (i.e. US)
Enter your state or province name
Enter your town
Enter your Organization Name
Enter your OU Name
Enter your FQDN
Enter your email address (contact info for the cert)
Generate a self-signed x.509 Cert
Copy the info that appears to notepad
Go to the Voyager SSL certificate page.
Paste the info into the new Server Cert field
Paste the info into the Associated private key field
Enter the password you selected
Verify the information and apply the config
>From voyager, select config/Voyager Web Access
Select 3DES if possible.
Apply
Your browser will crap out here. Change the URL to HTTPS and login.
Make sure you save your changes.

After you apply/save the above changes, you will only be able to access
the Nokia via:
Console
SSH 2
HTTPS

This should bring you one step close to a more secure firewall

-----Original Message-----
From: DABDELMO@bouyguestelecom.fr [mailto:DABDELMO@bouyguestelecom.fr]
Sent: Thursday, January 09, 2003 4:27 AM
To: chris.mcnab@trustmatta.com; pen-test@securityfocus.com
Subject: RE: Checkpoint FW-1 on Nokia - potential user enumeration bug?

Hi Chris,

Actually it seems to be the opposite. The standard administration
account under IPSO is "admin". "fw1adm" is not an account known by IPSO.
When I try every account under the /etc/passwd file on IPSO 3.6 or IPSO
3.4.1, if I input the wrong password, I get the "Login incorrect"
message just after the first try on the password:

login: admin
Password:
Login incorrect
login: root
Password:
Login incorrect
login: daemon
Password:
Login incorrect

If you enter a non existing account in that file, you get the second
prompt for the password:

login: fw1adm
Password:
Password:
Login incorrect
login: hello
Password:
Password:
Login incorrect
login: fzefzeop
Password:
Password:
Login incorrect

I don't think that behaving has been addressed by Nokia.
Best Regards

David

-----Message d'origine-----
De: Chris McNab [mailto:chris.mcnab@trustmatta.com]
Date: mercredi 8 janvier 2003 01:55
À: pen-test@securityfocus.com
Objet: Checkpoint FW-1 on Nokia - potential user enumeration bug?

Hey,

I was performing a pentest recently for a client, and found what seems
to be a user enumeration bug within Nokia IPSO (unknown as to which
version and
patchlevel) running Checkpoint FW-1:

pipex-gw>telnet xxx.xxx.xxx.xxx
Trying xxx.xxx.xxx.xxx ... Open
   IPSO (checkpointcharlie) (ttyp0)
login: root
Password:
Login incorrect
login: blah
Password:
Login incorrect
login: fw1adm
Password:
Password:
Login incorrect
login: fw1adm
Password:
Password:
Login incorrect
Login timed out after 300 seconds
[Connection to xxx.xxx.xxx.xxx closed by foreign host]
pipex-gw>

Obviously the fw1adm user exists, being the standard account under
FW-1.. but I was wondering if anyone had seen this before, or even if
this issue had been addressed by Nokia?

Thanks,

Chris

Chris McNab
Technical Director

Matta Security Limited
18 Noel Street
London W1F 8GN

Tel: 08700 77 11 00

This e-mail was sent from Matta Security Limited. The information
contained in this message is confidential, may be privileged, and is
intended for the
addressee(s) only. If you have received this message in error please
notify the originator immediately. The unauthorised use, disclosure,
copying or alteration of this message is strictly forbidden. Matta
Security Limited does not warrant that any attachments are free from
viruses or other defects. Matta Security Limited will not be liable for
direct, special, indirect or consequential damages arising from
alteration of the contents of this message by a third party or as a
result of any virus being passed on.

------------------------------------------------------------------------

----
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA) Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
see: https://alerts.securityfocus.com/
------------------------------------------------------------------------
----
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA) Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Next message: Dominick Baier: "AW: MS Terminal Services open to the world"
• Previous message: Don Voss: "Re: MS Terminal Services open to the world"
• In reply to: DABDELMO@bouyguestelecom.fr: "RE: Checkpoint FW-1 on Nokia - potential user enumeration bug?"
• Next in thread: Christopher Lyon: "RE: Checkpoint FW-1 on Nokia - potential user enumeration bug?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT