Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Security App Flaws :: bt972.txt

IRM 007: The IP addresses of Check Point Firewall-1 internal interfaces may be enumerated using SecuRemote


IRM Security Advisory No. 007

The IP addresses of Check Point Firewall-1 internal interfaces may be
enumerated using SecuRemote

Vulnerability Type / Importance: Information Leakage / High

Problem discovered: July 25th 2003
Vendor contacted: July 25th 2003
Advisory published: August 22nd 2003



Check Point FireWall-1 versions 4.0 and 4.1 (prior to SP5) were shipped =
a product called SecuRemote which allows mobile users to connect to an
internal network using an encrypted and authenticated session. During =
initial unencrypted phase of communication between SecuRemote and =
a packet is sent containing the all the IP addresses of the firewall,
including those associated with the internal interfaces.


During various recent penetration tests IRM have established that =
IP addresses configured on Check Point Firewall-1 devices appear to leak
from TCP ports 256 and 264.=20

N.B. This is a completely separate issue from the "unauthenticated =
download" problem that has been previously discussed.

If a telnet connection is established with TCP port 256 on Firewall-1
Version 4.0 and 4.1 and the following sequence of characters is typed:


(where <CR> is a carriage return)

The firewall IP addresses are returned (in binary form)

In addition, when using SecuRemote to connect to a firewall on TCP port =
if a packet sniffer is used to capture the data transferred, the IP
addresses can also be viewed as shown below:

15:45:44.029883 > P 5:21(16) ack 17 win =
0x0000 4500 0038 a250 4000 6e06 5b5a ca4d b102       E..8.P@.n.[Z.M..
0x0010 5102 42c3 0108 040e 1769 fb25 cdc0 8a36       Q.B......i.%...6
0x0020 5018 2228 fa32 0000 0000 000c=20
                                     c0a8 0101       P."(.2.......M..
0x0030 c0a8 0a01 c0a8 0e01                           ........

c0a8 0101 =3D
c0a8 0a01 =3D
c0a8 0e01 =3D

Check Point were contacted and confirmed that it was a known issue that =
fixed in version 4.1 service pack 5, however the details about this
information leakage are not present in the service pack documentation. =
IRM identified this issue during a live penetration test, it was decided
that the information should be publicised so that firewall =
could be made aware of it, and the resolution to the problem. A tool
(fwenum) was then produced to demonstrate the technique (available on =
IRM website -

Tested Versions:

Firewall-1/VPN-1 4.0 - vulnerable
Firewall-1/VPN-1 4.1 - vulnerable pre sp5
Firewall-1/VPN-1 NG  - not vulnerable

Tested Operating Systems:

Microsoft Windows NT4
Microsoft Windows 2000

Vendor & Patch Information:

Check Point were contacted on July 25th and promptly responded =
that the issue had been resolved in version 4.1 service pack 5, which =
released on September 13th 2001. Check Point recommends customers to =
current with the latest service packs and versions, as they contain =
enhancements to both publicised and to other issues.


TCP Ports 256 and 264 can be filtered if the SecuRemote service is not


Research & Advisory: Andy Davis=20


All information in this advisory is provided on an 'as is'=20
basis in the hope that it will be useful. Information Risk Management=20
Plc is not responsible for any risks or occurrences caused=20
by the application of this information.


Information Risk Management Plc.
22 Buckingham Gate=20
+44 (0)207 808 6420

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH