exploit the possibilities


Posted Nov 14, 2008
Authored by Tim Brown, Mark Lowe | Site portcullis-security.com

Portcullis Security Advisory - By sending crafted packets to ports on the Checkpoint VPN-1 which are mapped by port address translation (PAT) to ports on internal devices, information about the internal network may be disclosed in the resulting ICMP error packets.

tags | advisory
MD5 | 1b7d691c337938227fedd8e13cfb47cd


Change Mirror Download
Portcullis Security Advisory - 08-009

Vulnerable System:

Checkpoint VPN-1

Vulnerability Title:

Checkpoint VPN-1 PAT information disclosure.

Vulnerability Discovery And Development:

Portcullis Security Testing Services.

Credit For Discovery:

Tim Brown and Mark Lowe - Portcullis Computer Security Ltd.

Affected systems:

All known versions of Checkpoint VPN-1; the vulnerability discovered was for version R65.


By sending crafted packets to ports on the Firewall which are mapped by port address translation (PAT) to ports on internal devices, information about the internal network may be disclosed in the resulting ICMP error packets. Port 18264/tcp on the Firewall is typically configured in such a manner, with packets to this port being re-written to reach the Firewall management server. When the time-to-live (TTL) is set low, the Firewall fails to correctly sanitise the encapsulated IP headers in ICMP time-to-live exceeded packets resulting in the internal IP address being disclosed. For example:

The response was elicited by sending a packet (from to port 18264/tcp on the Firewall's interface. The TTL was set low, so the Firewall could not forward it on.

14:56:25.169480 IP (tos 0xe0, ttl 255, id 21407, offset 0, flags [none], proto: ICMP (1), length: 68) > ICMP time exceeded in-transit, length 48
IP (tos 0x0, ttl 1, id 5120, offset 0, flags [none], proto: TCP (6), length: 40) > S, cksum 0x03e6 (correct), 2834356043:2834356043(0) win 512

The destination address on the encapsulated IP packet is the address of the Firewall management server. Note: This can be exploited whether the port is detected as being open or closed by a port scan of the Firewall's interface.


An attacker could use this to determine the internal IP address of the Firewall management server.


The proof of concept exploit code is available as a NASL plugin for OpenVAS.

Vendor Status:

11/09/2008 - Vendor informed via email.
23/09/2008 - Vendor Informed via email.
24/10/2008 - Vendor informed of publication intention


Copyright � Portcullis Computer Security Limited 2008, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.


The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    16 Files
  • 18
    Sep 18th
    8 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2019 Packet Storm. All rights reserved.

Security Services
Hosting By