[Dailydave] Checkpoint FW-1 buffer overflows
Rodrigo Rubira Branco (BSDaemon)
rodrigo at kernelhacking.com
Thu Oct 4 07:29:32 EDT 2007
Well, it's interesting, but does not show the truth ;)
First of all, the binaries shown are not suid, and for sure, cpshell is a
root process that interfaces with the binaries, but they haven't shown:
- If it drops the privileges
- If it does not handle parameters ;)
Also, when you see the TOE, he showed the phrase where it says: "trusted
admins", which means the system has no local protection against intruders.
Also, in the TOE it is clear that the OS itself is not the target for the
tests.
Blergh enough, exec-shield can randomize the binary if it's PIE, that's not
the case of this 'customized' redhat... interesting to say, it's a really
modified redhat, mainly to load the checkpoint kernel module (he said in the
article it's a default redhat)...
Anyway, it's a good article for people who want to understand how to exploit
exec-shielded systems ;)
cya,
Rodrigo (BSDaemon).
--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If i really know, i can hack
GPG KeyID: 1FCEDEA1
--------- Original Message --------
From: Security Admin NetSec <secadmin at netsecdesign.com>
To: dailydave at lists.immunitysec.com <dailydave at lists.immunitysec.com>
Subject: [Dailydave] Checkpoint FW-1 buffer overflows
Date: 04/10/07 10:09
>
> Reference link http://www.pentest.es/checkpoint_hack.pdf
>
> Did not read the entire 219 page report, but from the initial perusing
> looks like good work. Begs the question if this is an inherent issue with
> architecture (Checkpoint installed on top of another OS) or if other popular
> security products like Juniper Netscreen or Cisco PIX/ASA have similar
> issues.
>
> Edward W. Ray