MegaHz Security Advisory 19/03/2004

Check Point SmartDashboard Buffer Overflow

Summary
===================

The Check Point SmartView Tracker, which is the log viewer for Check Point FireWall-1, suffers from buffer overflow vulnerabilities in various of its fields.

Systems Affected
===================

This vulnerability exists in Check Point NG AI R54/R55, and maybe other versions too.

Details
===================

The vulnerability:

Open Check Point SmartView Tracker and construct a filter on any column. Filter that column by a string 30000 characters long. When you add that filter and the Tracker starts to filter the logs, it stops and pops up the message "Server is disconnected!" When you click OK, all the open Check Point management GUIs (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.) close automatically. If you have made any changes to your firewall policy, another message pops up saying that no changes will be saved.

What was not checked:

The case in which more than one SmartView Tracker window is open on different machines, all connected to the same SmartCenter, and one of them exploits this vulnerability. Are all the clients going to be disconnected?

The Details column also suffers from this vulnerability. What if someone is exploiting a web server using a manual HTTP request with a 30000-character address? The firewall's SmartDefense will block it (as a normal long request). But what is going to show in the Details column? Is it going to show the whole string, or disconnect you every time you try to view it? (This is an extreme scenario, but it probably could happen.)

Solution
===================

The vendor has been informed.

===================

Discovered by: Andreas Constantinides (MegaHz)
My email: megahz@megahz.org
My web page: www.megahz.org