Essentially, Checkpoint implemented a couple remote authentication
protocols that didn't exactly work. One protocol operated by having the
server hash a random number with some shared secret password, and then send
both that random number and the hashed combination to the client. The idea
was that the client would recognize its own shared secret password in what
the server sent and thus authenticate the server. Then the client would
just create a new random number, hash that with the password, and send both
on the way to the server to authenticate the client.
On its face, it seems a pretty decent if simple authentication scheme.
Unfortunately:
The server wants from the client:
A random number, and that number hashed with the password.
The server sends the client:
A random number, and that number hashed with the password.
So, if you're an attacker who wanted Admin access on a Firewall-1
system, all you had to do was reflect the exact key material the firewall
sent you (random+hash) right on back to it (random+hash). There was another
variant that was broken at Black Hat as well; CheckPoint had tried to update
their system by XORing your random number with their random number, so if
you tried to use the same value the secrets wouldn't match. Problem was, the
attacker could just set their random number to 0 to defeat the system--0
XOR'ed with any number is that number, so the attacker would just reflect
the original hashed combination (number+password) with a random number of
0 (which would be XORed into the number from the hashed combination) to gain
access.
There's an old saying that no security is better than bad security--at least
with no security, you know there's no security and you act accordingly.
With bad security, you act as if everything is safe and protected, whereas
you're just as vulnerable as ever--probably even more so, since you're using
a system that you might otherwise avoid.
=============================================================================
"inet-admins" Internet access mailing list. Maintained by East Connection ISP.
Mail "unsubscribe inet-admins" to Majordomo@info.east.ru if you want to quit.
Archive is accessible on http://info.east.ru/rus/inetadm.html
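The two exchanges described in the message above, as an added worked example (this is not Check Point's code, and the real Firewall-1 hash function, nonce size and message format are not known from the post; SHA-256, 16-byte nonces and a constructed sample password are assumptions here). It runs both sides of each protocol, then plays the attacker: reflecting the server's own challenge against the first variant, and sending an all-zero nonce with the reflected hash against the XOR variant. A hardened form is included at the end for contrast; it is this editor's illustration, not the vendor's eventual fix.

```python
import hashlib
import hmac
import os

# Constructed sample shared secret; the real target was the admin password.
PASSWORD = b"correct horse battery staple"
NONCE_LEN = 16


def tag(nonce: bytes, pw: bytes) -> bytes:
    """'Hash a random number with the shared secret' (hash function assumed)."""
    return hashlib.sha256(nonce + pw).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Variant 1: identical challenge/response in both directions ---

def server_challenge(pw: bytes):
    """Server -> client: (R_s, H(R_s || pw))."""
    r_s = os.urandom(NONCE_LEN)
    return r_s, tag(r_s, pw)


def client_verify_server(r_s: bytes, t: bytes, pw: bytes) -> bool:
    return hmac.compare_digest(t, tag(r_s, pw))


def server_verify_v1(r_c: bytes, t: bytes, pw: bytes) -> bool:
    """Server accepts any (R, H(R || pw)); it never checks that R != R_s."""
    return hmac.compare_digest(t, tag(r_c, pw))


def attack_v1(pw: bytes) -> bool:
    """Attacker knows no password: sends the server's own challenge back."""
    r_s, t_s = server_challenge(pw)
    return server_verify_v1(r_s, t_s, pw)      # reflected verbatim


# --- Variant 2: server XORs the client's nonce into its own first ---

def server_verify_v2(r_s: bytes, r_c: bytes, t: bytes, pw: bytes) -> bool:
    """Expects H((R_s XOR R_c) || pw); a plain replay now fails because
    R_c == R_s makes the server compute H(0 || pw)."""
    return hmac.compare_digest(t, tag(xor(r_s, r_c), pw))


def naive_replay_v2(pw: bytes) -> bool:
    r_s, t_s = server_challenge(pw)
    return server_verify_v2(r_s, r_s, t_s, pw)


def attack_v2(pw: bytes) -> bool:
    """All-zero client nonce: R_s XOR 0 == R_s, so H(R_s || pw) still matches."""
    r_s, t_s = server_challenge(pw)
    r_c = bytes(NONCE_LEN)
    return server_verify_v2(r_s, r_c, t_s, pw)


# --- Hardened form (editor's illustration, not the vendor's fix) ---
# Bind the direction ("server"/"client") and BOTH nonces into a keyed MAC,
# so a message produced for one direction can never verify in the other.

def server_challenge_v3(pw: bytes):
    r_s = os.urandom(NONCE_LEN)
    return r_s, hmac.new(pw, b"server" + r_s, hashlib.sha256).digest()


def client_response_v3(r_s: bytes, pw: bytes):
    r_c = os.urandom(NONCE_LEN)
    return r_c, hmac.new(pw, b"client" + r_s + r_c, hashlib.sha256).digest()


def server_verify_v3(r_s: bytes, r_c: bytes, t: bytes, pw: bytes) -> bool:
    if r_c == r_s or not any(r_c):            # belt and braces: reject reflected/zero nonces
        return False
    expected = hmac.new(pw, b"client" + r_s + r_c, hashlib.sha256).digest()
    return hmac.compare_digest(t, expected)


def attack_v3(pw: bytes) -> bool:
    """Both tricks from the post against the hardened form."""
    r_s, t_s = server_challenge_v3(pw)
    zero = bytes(NONCE_LEN)
    return server_verify_v3(r_s, zero, t_s, pw) or server_verify_v3(r_s, r_s, t_s, pw)


def honest_v3(pw: bytes) -> bool:
    r_s, _ = server_challenge_v3(pw)
    r_c, t_c = client_response_v3(r_s, pw)
    return server_verify_v3(r_s, r_c, t_c, pw)


if __name__ == "__main__":
    print("v1 reflection accepted:", attack_v1(PASSWORD))      # True
    print("v2 plain replay accepted:", naive_replay_v2(PASSWORD))  # False
    print("v2 zero-nonce accepted:", attack_v2(PASSWORD))      # True
    print("v3 attacks accepted:", attack_v3(PASSWORD))         # False
    print("v3 honest client accepted:", honest_v3(PASSWORD))   # True
```

The structural point is that both broken variants let the server's own output satisfy the server's own check; the XOR tweak only forbids one specific reflected value, not the property. Labelling the direction inside the MAC (and checking that the client nonce is fresh and non-zero) removes that property rather than patching one instance of it.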