SecuriTeam - Checkpoint VPN-1 PAT Information Disclosure

Apparently there is an issue where Checkpoint VPN-1's port address translation lets some internal information be seen.

So VPN-1 performs Port Address Translation on TCP/18264.

Port 18264/tcp on the Checkpoint Firewall is typically configured in such a manner that it is mapped by the port address translation (PAT), with packets to this port being re-written to reach the Firewall management server. When the time-to-live (TTL) is set low, the Firewall fails to correctly sanitize the encapsulated IP headers in ICMP time-to-live exceeded packets resulting in the internal IP address being disclosed. For example:

The response was elicited by sending a packet (from 194.0.0.1) to port 18264/tcp on the Firewall's interface. The TTL was set low, so the Firewall could not forward it on.

14:56:25.169480 IP (tos 0xe0, ttl 255, id 21407, offset 0, flags [none], proto: ICMP (1), length: 68) 193.0.0.1 > 194.0.0.1: ICMP time exceeded in-transit, length 48
IP (tos 0x0, ttl 1, id 5120, offset 0, flags [none], proto: TCP (6), length: 40) 194.0.0.1.9003 > 10.0.0.99.18264: S, cksum 0x03e6 (correct), 2834356043:2834356043(0) win 512

The destination address on the encapsulated IP packet is the address of the Firewall management server. Note: This can be exploited whether the port is detected as being open or closed by a port scan of the Firewall's interface.
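The following Python is an added illustration of the mechanism the advisory describes; it is not code from SecuriTeam, Checkpoint, or this blog. It builds an ICMP time-exceeded message of the kind shown in the dump (the addresses, ports, IP identifiers and TCP sequence number are copied from the dump; 10.0.0.99 stands for the hypothetical internal management server), parses the quoted IP header out of it, applies a detection rule a monitoring tool could use on ICMP errors leaving a public interface (quoted destination is a private address other than the interface itself), and shows the sanitisation the firewall should perform before emitting the error: rewrite the quoted destination back to the pre-PAT public address and refresh the quoted IP checksum and the ICMP checksum. The TCP checksum inside the quoted header is not recomputed here.

```python
import struct
from ipaddress import ip_address

# Constructed sample values, taken from the advisory's tcpdump excerpt.
# 10.0.0.99 is the (hypothetical) internal management server that leaks;
# 193.0.0.1 is the firewall's public interface, 194.0.0.1 the sender.
PUBLIC_FW = "193.0.0.1"
INTERNAL_MGMT = "10.0.0.99"
CLIENT = "194.0.0.1"
PAT_PORT = 18264


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl, ident):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_time_exceeded(inner_dst):
    """ICMP type 11 from the firewall, quoting the TTL-1 SYN it dropped.

    inner_dst is what the firewall copies into the quoted header: the
    post-PAT address (the leak) or the public address (sanitised)."""
    # Quoted original datagram: IP header (ttl 1) plus the full 20-byte TCP SYN
    tcp = struct.pack("!HHIIBBHHH", 9003, PAT_PORT, 2834356043, 0, 5 << 4, 0x02, 512, 0, 0)
    inner = ipv4_header(CLIENT, inner_dst, 6, len(tcp), ttl=1, ident=5120) + tcp
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(PUBLIC_FW, CLIENT, 1, len(icmp), ttl=255, ident=21407) + icmp


def parse_time_exceeded(pkt: bytes):
    """Return the addresses/ports an ICMP time-exceeded message quotes, or None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                                   # outer protocol is not ICMP
        return None
    icmp = pkt[ihl:]
    stored = struct.unpack("!H", icmp[2:4])[0]
    if icmp[0] != 11 or checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) != stored:
        return None                                   # not type 11, or corrupt
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "outer_src": str(ip_address(pkt[12:16])),
        "inner_src": str(ip_address(inner[12:16])),
        "inner_dst": str(ip_address(inner[16:20])),
        "inner_proto": inner[9],
        "sport": sport,
        "dport": dport,
    }


def leaks_internal_address(pkt: bytes, public_addr: str) -> bool:
    """Detection rule: an ICMP error sent by the public interface whose quoted
    destination is a private address other than that interface."""
    info = parse_time_exceeded(pkt)
    if info is None or info["outer_src"] != public_addr:
        return False
    return (info["inner_dst"] != public_addr
            and ip_address(info["inner_dst"]).is_private)


def sanitize_time_exceeded(pkt: bytes, public_addr: str) -> bytes:
    """What the firewall should do before emitting the error: put the pre-PAT
    (public) address back into the quoted header and refresh the quoted IP
    checksum and the ICMP checksum. Lengths are unchanged, so the outer IP
    header needs no update."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = bytearray(pkt[ihl:])
    off = 8                                           # quoted IP header starts after ICMP header
    inner_ihl = (icmp[off] & 0x0F) * 4
    icmp[off + 16:off + 20] = ip_address(public_addr).packed
    icmp[off + 10:off + 12] = b"\x00\x00"
    icmp[off + 10:off + 12] = struct.pack("!H", checksum(bytes(icmp[off:off + inner_ihl])))
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return pkt[:ihl] + bytes(icmp)


if __name__ == "__main__":
    leaked = build_time_exceeded(INTERNAL_MGMT)
    print(parse_time_exceeded(leaked), leaks_internal_address(leaked, PUBLIC_FW))
    clean = sanitize_time_exceeded(leaked, PUBLIC_FW)
    print(parse_time_exceeded(clean), leaks_internal_address(clean, PUBLIC_FW))
```

Running the block parses the leaked message (quoted destination 10.0.0.99, port 18264, detection rule fires) and then the sanitised one (quoted destination 193.0.0.1, rule silent). The same parse-and-compare logic can be run over ICMP errors captured at a firewall's outside interface to confirm whether a device un-translates quoted headers correctly.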
