Hosting Provided By

RE: Checkpoint FW-1 on Nokia - potential user enumeration bug?

From: <DABDELMO(at)bouyguestelecom.fr>
Date: Thu Jan 09 2003 - 04:27:23 EST

Hi Chris,

Actually it seems to be the opposite. The standard administration account under IPSO is "admin". "fw1adm" is not an account known by IPSO. When I try every account under the /etc/passwd file on IPSO 3.6 or IPSO 3.4.1, if I input the wrong password, I get the "Login incorrect" message just after the first try on the password:

If you enter a non existing account in that file, you get the second prompt for the password:

login: fw1adm
Password:
Password:
Login incorrect
login: hello
Password:
Password:
Login incorrect
login: fzefzeop
Password:
Password:
Login incorrect

I don't think that behaving has been addressed by Nokia. Best Regards

David

-----Message d'origine-----
De: Chris McNab [mailto:chris.mcnab@trustmatta.com] Date: mercredi 8 janvier 2003 01:55
À: pen-test@securityfocus.com
Objet: Checkpoint FW-1 on Nokia - potential user enumeration bug?

Do you need help?

Hey,

I was performing a pentest recently for a client, and found what seems to be a user enumeration bug within Nokia IPSO (unknown as to which version and patchlevel) running Checkpoint FW-1:

pipex-gw>telnet xxx.xxx.xxx.xxx
Trying xxx.xxx.xxx.xxx ... Open

IPSO (checkpointcharlie) (ttyp0)
login: root
Password:
Login incorrect
login: blah
Password:
Login incorrect
login: fw1adm
Password:
Password:
Login incorrect
login: fw1adm
Password:
Password:
Login incorrect
Login timed out after 300 seconds
[Connection to xxx.xxx.xxx.xxx closed by foreign host] pipex-gw>

Obviously the fw1adm user exists, being the standard account under FW-1.. but I was wondering if anyone had seen this before, or even if this issue had been addressed by Nokia?

Thanks,

Chris

Chris McNab
Technical Director

Do you need more help?

Matta Security Limited
18 Noel Street
London W1F 8GN

Tel: 08700 77 11 00

This e-mail was sent from Matta Security Limited. The information contained in this message is confidential, may be privileged, and is intended for the addressee(s) only. If you have received this message in error please notify the originator immediately. The unauthorised use, disclosure, copying or alteration of this message is strictly forbidden. Matta Security Limited does not warrant that any attachments are free from viruses or other defects. Matta Security Limited will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any virus being passed on.

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/

This message: [ Message body ]
Next message: Christopher Lyon: "RE: Checkpoint FW-1 on Nokia - potential user enumeration bug?"
Previous message: Dominick Baier: "AW: SQL Vulnerabilty Assesment"
Maybe in reply to: Chris McNab: "Checkpoint FW-1 on Nokia - potential user enumeration bug?"
Next in thread: Pen-Test: "RE: Checkpoint FW-1 on Nokia - potential user enumeration bug?"
Reply: Pen-Test: "RE: Checkpoint FW-1 on Nokia - potential user enumeration bug?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:31 EDT