
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Scope and affected systems
The alert documents a remotely exploitable HTTP parsing vulnerability in multiple versions of Check Point Firewall-1 that support HTTP-aware inspection components:
- Check Point Firewall-1 NG FCS
- Check Point Firewall-1 NG FP1
- Check Point Firewall-1 NG FP2
- Check Point Firewall-1 NG FP3, HF2
- Check Point Firewall-1 NG with Application Intelligence R54
- Check Point Firewall-1 NG with Application Intelligence R5...

🔧 Technical Details

Exploiting HTTP error-handling format string bugs in application proxies
When an HTTP-aware proxy or firewall constructs error messages using sprintf(), any user-controlled part of an invalid HTTP request that is embedded directly into the format string argument can be abused as a format string vulnerability. An attacker sends a syntactically invalid HTTP request that both triggers the proxy’s error path and includes crafted sequences like %x, %s, and %n in the portion that the device later reflects into the error string. If the vulnerable code executes sprintf(errbuf, attacker_input);, the format directives cause reads and writes to stack/heap memory. By carefully placing %n specifiers, an attacker can overwrite return addresses or function pointers and achieve arbitrary code execution in the security device’s process. This pattern generalizes to any protocol-aware mi...

🤖 Agent Actions

Summary:

  • Augmented the Check Point Firewall-1 page with a dedicated section on the HTTP Security Server/Application Intelligence parsing vulnerability (CAN-2004-0039), detailing affected versions, prerequisites, attack surface, and how malformed HTTP requests reach the vulnerable error handler.
  • Documented exploitation workflows for both the format-string and heap-overflow primitives, including example payload crafting steps, operational impact, and detection considerations relevant to firewall operators.
  • Added concrete mitigation guidance (patching and configuration workarounds) plus new references to the CISA alert and ISS X-Force advisory.

Tests: Not applicable; documentation-only update.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
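An added illustration of the bug class the summary describes (example code, not Check Point's code and not part of this PR): an HTTP error builder that hands the request line to sprintf() as the format string, beside a hardened form, plus a coarse directive check a proxy operator could log on. The function names, the "400 Bad Request" prefix and the sample request lines are invented for the example; the vulnerable path is only exercised with "%%" so the demonstration stays within defined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* The non-literal format below is the point of the example; silence the
 * warning so the contrast with the hardened version is visible. */
#pragma GCC diagnostic ignored "-Wformat-security"

#define ERRBUF_SZ 256

/* VULNERABLE pattern: the attacker-controlled request line is itself the
 * format string, so any %-directive in it is interpreted by sprintf(). */
void build_error_vulnerable(char *errbuf, const char *bad_request_line)
{
    const char prefix[] = "400 Bad Request: ";
    strcpy(errbuf, prefix);
    /* bug: the second argument must be a literal format, never user data */
    sprintf(errbuf + strlen(prefix), bad_request_line);
}

/* HARDENED: literal format, bounded write, user data only as a %s argument,
 * so '%' characters in the request are inert bytes. */
void build_error_hardened(char *errbuf, size_t errbuf_sz, const char *bad_request_line)
{
    snprintf(errbuf, errbuf_sz, "400 Bad Request: %s", bad_request_line);
}

/* Defensive check (heuristic): does the request line contain a printf-style
 * directive, i.e. '%' + optional flags/width/precision/length + conversion?
 * Raw URL-encoding such as "%20d" also matches, so tune or decode first. */
int has_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;                                  /* flags, width, precision, length */
        if (*q && strchr("diouxXeEfgGcspn%", *q)) /* conversion character */
            return 1;
    }
    return 0;
}

int main(void)
{
    char buf[ERRBUF_SZ];
    const char *req = "GET /%% HTTP/1.0";          /* constructed sample request line */
    build_error_vulnerable(buf, req);
    printf("vulnerable: %s\n", buf);              /* "%%" collapsed to "%": directive interpreted */
    build_error_hardened(buf, sizeof buf, req);
    printf("hardened:   %s\n", buf);              /* request reproduced byte for byte */
    printf("flagged: %d\n", has_format_directive("GET /%n%n HTTP/1.0"));
    return 0;
}
```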

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.cisa.gov/news-events/alerts/2004/02/05/http-parsing-vulnerabilities-check-point-firewall-1

Content Categories: Based on the analysis, this content was categorized under "👽 Network Services Pentesting -> 264 - Pentesting Check Point FireWall-1".

Repository Maintenance:

  • MD Files Formatting: 935 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit 2e74897 into master Jan 14, 2026
@carlospolop carlospolop deleted the update_HTTP_Parsing_Vulnerabilities_in_Check_Point_Firewa_20251229_014459 branch January 14, 2026 00:39