Pentesting Old unsupported Firewall Appliances

From: Harold Castro (b0ydaem0n@yahoo.com)
Date: Mon Jun 11 2007 - 04:56:00 EDT


Hi,

I'm new to pen testing.
Recently, I came across this firewall appliance
running Apache/1.3.26 (Unix) mod_dtcl mod_ssl/2.8.10
OpenSSL/0.9.7 during an external pentest.

The nmap output on OS fingerprinting and service
detection looks like:

Running (JUST GUESSING) : Nokia IPSO (98%), Checkpoint IPSO (90%)
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Nokia IP650 firewall appliance (runs IPSO 4.0 and CheckPoint Firewall-1/VPN-1 software) (98%), Nokia IPSO 4.1Build19 firewall (94%), Checkpoint VPN-1 running IPSO 4.1 (90%)

According to nessus and nikto scans, the apache and
mod_ssl running on this particular host have several
high risk vulnerabilities.

Now the next thing on my mind is to find out if those
applications are really exploitable. The problem is,
I'm not sure how to go about it.

Here's what's on my mind.

1. First, find out what the firmware version of
that machine is.
2. Then find out if the apache version on that
particular firmware really had security issues
confirmed by the manufacturer and if there
were any patches provided to address such issues. For
this, I have to obtain the CHANGES logs, patch
documentation, etc. But the problem is
this is not like an open source thing where you have
access to everything.

This creates a problem. How do you go about it?
Should I just mention in the report that, "this
particular host contains several high risk
vulnerabilities and poses a significant risk. However,
if you have applied the patches or did a firmware
upgrade then you don't have to worry anymore."?

And one more thing, if their appliance is no longer
supported by the manufacturer, do you give a
replacement suggestion in your report?

Since I'm doing an external black box pentest, I have
to rely on some tools for OS fingerprinting. Nmap
guesses it to be either Nokia IPSO 4.0 or 4.1Build19.
Now I tried googling for that particular appliance
(IP650) and I found out that the appliance is too old,
as its existence dates back as early as 1999. I'm
having a hard time trying to find anything
that can be useful for this.

If all else fails, do you tell the customer that it is
safe to ignore those warnings and vulnerabilities
because you, from a hacker's perspective, were not able
to penetrate the network by making use of those
vulnerabilities found, and that a hacker might have a
hard time as well and eventually opt for another
target?

That's all for now.
Thanks.
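The core of the dilemma above is that Nessus and Nikto flag versions seen in the Server banner, while an appliance vendor may have backported fixes without changing that string. The following is an added example (not from the post or from any vendor) that parses the banner quoted above into components, compares each against an assumed "fixed in" version using proper numeric ordering, and labels every result as banner-based so the report does not overstate confidence. The ASSUMED_FIXED thresholds are constructed for illustration, not real advisory data.

```python
import re
from typing import Dict, List, Tuple

# Server banner observed during the external test described in the post.
BANNER = "Apache/1.3.26 (Unix) mod_dtcl mod_ssl/2.8.10 OpenSSL/0.9.7"

# Constructed triage table (illustrative thresholds, NOT real advisory data):
# component -> version at which the tracked issue is assumed to be fixed.
ASSUMED_FIXED: Dict[str, str] = {
    "Apache": "1.3.27",
    "mod_ssl": "2.8.12",
    "OpenSSL": "0.9.7a",
}

BANNER_RE = re.compile(r"([A-Za-z_][\w-]*)/(\d[\w.]*)")


def parse_version(v: str) -> Tuple:
    """Turn '0.9.7a' into ((0,0),(0,9),(0,7),(1,'a')) so '0.9.7' < '0.9.7a' < '0.9.8'
    compares numerically rather than as strings, and mixed tokens never raise."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", v))


def parse_banner(banner: str) -> Dict[str, str]:
    """Extract name/version pairs; modules without a version (mod_dtcl) map to ''."""
    found = dict(BANNER_RE.findall(banner))
    for tok in banner.split():
        name = tok.split("/")[0]
        if re.fullmatch(r"[A-Za-z_][\w-]*", name) and name not in found:
            found[name] = ""
    return found


def triage(banner: str, fixed: Dict[str, str] = ASSUMED_FIXED) -> List[Dict[str, str]]:
    """Rank each banner component against the assumed fixed version.

    Every row is explicitly banner-based: a vendor that backports fixes without
    bumping the version string makes the finding unverifiable from outside,
    which is exactly the uncertainty the post describes."""
    rows = []
    for name, version in parse_banner(banner).items():
        if not version:
            status = "unknown-version"
        elif name not in fixed:
            status = "not-tracked"
        elif parse_version(version) < parse_version(fixed[name]):
            status = "below-assumed-fix"
        else:
            status = "at-or-above-fix"
        rows.append({"component": name, "version": version, "status": status,
                     "evidence": "banner only; confirm with vendor patch level"})
    return rows
```

A "below-assumed-fix" row is a finding to report with its evidence column intact, not a confirmed exploitable hole; the vendor patch level is what closes the gap.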




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:52 EDT