Expand Up @@ -37,12 +37,42 @@ The output from this command provides detailed information regarding the firewal
CN=Panama,O=MGMTT.srv.rxfrmi
```

## References
## HTTP Security Server Format String Bug (CAN-2004-0039)

- [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360)
- [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html\#check-point-firewall-1-topology-port-264](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html#check-point-firewall-1-topology-port-264)
**Affected builds:** NG FCS, NG FP1, NG FP2, NG FP3 HF2, and NG with Application Intelligence R54/R55.
**Requirement:** The HTTP Security Server or AI HTTP proxy must be enabled and transparently inspecting the targeted port; if HTTP inspection is disabled the vulnerable code path is never reached.

{{#include ../banners/hacktricks-training.md}}
### Triggering the error handler

The proxy rejects malformed HTTP messages and builds its own error page with `sprintf(errbuf, attacker_string);`, letting attacker-controlled bytes act as the format string. Send an invalid request through the firewall and look for a proxy-generated error that reflects your payload:

```bash
printf 'BOGUS%%08x%%08x%%08x%%n HTTP/1.0\r\nHost: internal.local\r\n\r\n' | nc -nv [FIREWALL_IP] 80
```

If HTTP inspection is active, the firewall (not the backend server) answers immediately, proving the middlebox parsed and replayed the request line.

### Exploitation

#### Format string primitive

- Force the parser into the error routine (invalid method, URI, or headers).
- Place attacker-controlled dwords up front so `%x`, `%s`, and `%n` directives treat them as stack arguments.
- Use `%x/%s` to leak pointers, then `%n/%hn` to write the formatted byte count into chosen addresses, overwriting return pointers, vtables, or heap metadata before hijacking execution with injected shellcode or ROP.

#### Heap overflow primitive

The same unsafe `sprintf()` writes into a fixed-size heap buffer. Mix a long request body with oversized directives (e.g., `%99999x`) so the formatted output overruns the allocation and corrupts adjacent heap structures, letting you forge freelist pointers or function tables that are later dereferenced.

### Impact

Compromise of the proxy grants code execution inside the firewall process (SYSTEM on Windows appliances, root on UNIX), enabling rule manipulation, traffic interception, and pivoting deeper into the management network.

## References

- [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360)
- [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html#check-point-firewall-1-topology-port-264](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html#check-point-firewall-1-topology-port-264)
- [https://www.cisa.gov/news-events/alerts/2004/02/05/http-parsing-vulnerabilities-check-point-firewall-1](https://www.cisa.gov/news-events/alerts/2004/02/05/http-parsing-vulnerabilities-check-point-firewall-1)
- [http://xforce.iss.net/xforce/alerts/id/162](http://xforce.iss.net/xforce/alerts/id/162)

{{#include ../banners/hacktricks-training.md}}
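Review bot: the new section lists affected builds and the "Requirement" that HTTP inspection be enabled, but gives no remediation or verification guidance, so a reader cannot tell whether a host is still exposed; the sk69360 and CISA entries added under `## References` are the vendor and advisory sources, so add a short line (in the same bold-label style as **Affected builds:** and **Requirement:**) stating the fix as those sources describe it (vendor hotfix or upgrade beyond the listed builds, or disabling the HTTP Security Server where it is not needed) and a note that a proxy-generated error page answering before the backend is the observable sign that inspection is active on that port. Also, `sprintf(errbuf, attacker_string);` in the "Triggering the error handler" paragraph reads as quoted vendor source; either mark it as illustrative pseudocode or cite where it comes from, since the referenced advisories describe the bug class rather than the exact call. Minor: the old reference line used the escaped `\#` anchor and the new one uses `#`; keeping the unescaped form is correct for the mdBook include pipeline this page uses.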