Lucene search
Copyright (C) 2008 Tim Brown and Portcullis Computer Security LtdOPENVAS:136141256231080096HistoryNov 05, 2008 - 12:00 a.m.
Check Point VPN-1 PAT Information Disclosure Vulnerability - Active Check
2008-11-0500:00:00
Copyright (C) 2008 Tim Brown and Portcullis Computer Security Ltd
plugins.openvas.org
145
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
6.2 Medium
AI Score
Confidence
Low
0.007 Low
EPSS
Percentile
79.8%
Check Point VPN-1 PAT is prone to an information disclosure
vulnerability.
# SPDX-FileCopyrightText: 2008 Tim Brown and Portcullis Computer Security Ltd
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.80096");
script_version("2024-06-07T05:05:42+0000");
script_cve_id("CVE-2008-5849");
script_tag(name:"last_modification", value:"2024-06-07 05:05:42 +0000 (Fri, 07 Jun 2024)");
script_tag(name:"creation_date", value:"2008-11-05 16:59:22 +0100 (Wed, 05 Nov 2008)");
script_tag(name:"cvss_base", value:"5.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_name("Check Point VPN-1 PAT Information Disclosure Vulnerability - Active Check");
script_category(ACT_ATTACK); # nb: Could be already seen as an attack
script_family("General");
script_copyright("Copyright (C) 2008 Tim Brown and Portcullis Computer Security Ltd");
script_dependencies("global_settings.nasl");
script_require_ports(18264);
script_exclude_keys("keys/islocalhost", "keys/TARGET_IS_IPV6");
script_xref(name:"URL", value:"https://web.archive.org/web/20110810185306/http://www.portcullis-security.com/293.php");
script_tag(name:"summary", value:"Check Point VPN-1 PAT is prone to an information disclosure
vulnerability.");
script_tag(name:"vuldetect", value:"Sends a crafted TCP request and checks the response.");
script_tag(name:"insight", value:"By sending crafted packets to ports on the firewall which are
mapped by port address translation (PAT) to ports on internal devices, information about the
internal network may be disclosed in the resulting ICMP error packets.
Port 18264/tcp on the firewall is typically configured in such a manner, with packets to this port
being rewritten to reach the firewall management server.
For example, the firewall fails to correctly sanitise the encapsulated IP headers in ICMP
time-to-live exceeded packets resulting in internal IP addresses being disclosed.
False positive:
This could be false positive alert. Try running same scan against single host where this
vulnerability is reported.");
script_tag(name:"solution", value:"We are not aware of a vendor approved solution at the current
time.
On the following platforms, we recommend you mitigate in the described manner:
- Checkpoint VPN-1 R55
- Checkpoint VPN-1 R65
We recommend you mitigate in the following manner:
Disable any implied rules and only open ports for required services Filter outbound ICMP
time-to-live exceeded packets.");
script_tag(name:"solution_type", value:"Mitigation");
script_tag(name:"qod_type", value:"remote_analysis");
exit(0);
}
include("host_details.inc");
if(TARGET_IS_IPV6() || islocalhost())
exit(0);
port = 18264;
if (!get_port_state(port))
exit(0);
if (!soc = open_sock_tcp(port))
exit(0);
close(soc);
function packet_construct(_ip_src, _ip_ttl) {
_ip_id = rand() % 65535;
_th_sport = (rand() % 64000) + 1024;
_ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_id:_ip_id, ip_len:20, ip_off:0, ip_p:IPPROTO_TCP, ip_src:_ip_src, ip_ttl:_ip_ttl);
_tcp = forge_tcp_packet(ip:_ip, th_sport:_th_sport, th_dport:18264, th_flags:TH_SYN, th_seq:_ip_ttl, th_ack:0, th_x2:0, th_off:5, th_win:2048, th_urp:0);
return _tcp;
}
function packet_parse(_icmp, _ip_dst, _ttl) {
_ip = get_icmp_element(icmp:_icmp, element:"data");
_ip_p = get_ip_element(ip:_ip, element:"ip_p");
_ip_dst2 = get_ip_element(ip:_ip, element:"ip_dst");
_ip_hl = get_ip_element(ip:_ip, element:"ip_hl");
_tcp = substr(_ip, (_ip_hl * 4), strlen(_ip));
_ih_dport = (ord(_tcp[2]) * 256) + ord(_tcp[3]);
_data = "";
if ((_ip_p == IPPROTO_TCP) && (_ip_dst2 != _ip_dst) && (_ih_dport == 18264)) {
_data = "Internal IP disclosed: " + _ip_dst2 + " (ttl: " +_ttl + ')\n';
set_kb_item(name:"Checkpoint/Manager/ipaddress", value:_ip_dst2);
}
return _data;
}
sourceipaddress = this_host();
destinationipaddress = get_host_ip();
packetfilter = "dst host " + sourceipaddress + " and icmp and (icmp[0]=11)";
reportout = "";
for (ttl = 1; ttl <= 50; ttl++) {
requestpacket = packet_construct(_ip_src:sourceipaddress, _ip_ttl:ttl);
responsepacket = send_packet(requestpacket, pcap_active:TRUE, pcap_filter:packetfilter, pcap_timeout:1);
if (responsepacket) {
reportdata = packet_parse(_icmp:responsepacket, _ip_dst:destinationipaddress, _ttl:ttl);
reportout = reportout + reportdata;
}
}
if (reportout != "") {
reportheading = "Disclosures:";
wholereport = reportheading + reportout;
security_message(port:port, data:wholereport);
exit(0);
}
exit(99);
Related
prion
prion
Code injection
2009-01-06 17:30:00
openvas
openvas
Checkpoint VPN-1 PAT information disclosure
2008-11-05 00:00:00
cvelist
cvelist
CVE-2008-5849
2009-01-06 17:00:00
nvd
nvd
CVE-2008-5849
2009-01-06 17:30:00
seebug
seebug
Checkpoint VPN-1 PATδΏ‘ζ―ζ³ι²ζΌζ΄
2009-01-07 00:00:00
cve
cve
CVE-2008-5849
2009-01-06 17:30:00
checkpoint_security
checkpoint_security
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
6.2 Medium
AI Score
Confidence
Low
0.007 Low
EPSS
Percentile
79.8%
Related for OPENVAS:136141256231080096