Article by Tom Kopchak
Gaining Access to a Check Point Appliance - Physical Access Trumps All
Recently, one of my co-workers and I were tasked with reconfiguring a Check Point Appliance for use as the main firewall in a lab environment we are building for some internal testing.
Because we both are recent hires (and thus, the low men on the totem pole), we were not given passwords to the devices or any other useful information regarding their previous configuration.
We were expected to learn how to manage the devices, reload the Check Point software, and configure the equipment entirely from scratch.
Unfortunately, the Check Point devices refused to play nicely and cooperate with our mission, instead insisting on throwing fatal exceptions whenever we attempted to reload the software.
With our attempts to reload and configure the devices properly crippled, we were forced to seek an alternative solution. Our minds quickly turned from reinstalling the software to hacking into the password-protected devices instead.
A Check Point appliance is a purpose-built server. It contains a CPU, memory, and hard drive, along with multiple network interfaces and a USB port. Optical media is accessible via a USB drive. Unfortunately, the appliance is lacking one critical feature that would make administration much simpler – a video output.
This is done by design – normally, once the device is configured, there is no reason or need to view the output of the device itself. All of the administration is handled through the web interface or management server application. This, however, was neither a typical nor a normal situation. A lone serial interface would provide our only method of accessing the device.
On any Linux-based system with an unencrypted hard drive, it is possible to completely overtake a system once you have gained physical access.
Instead, they rely on a graphical user interface, which would not work on the hardware we had. But just because something is not easily done does not mean it is not possible.
Some creative thinking, judicious Googling, and an Ubuntu 8.04 Server CD provided the answer. This version of Ubuntu supports installation via a serial console (other versions might work as well, but we had one of these CDs laying around in the lab).
However, the first steps of the installer still expect a video display to be connected, and do not output via the serial console by default. To work around this condition, we connected a USB cable to the appliance, and used the following sequence of keystrokes to (blindly) advance the installation to the point where we could see the serial console output:
1) Enter (for language selection)
2) F6 (for specifying command line installation parameters)
3) Backspace three times (to clear out the end of the installation parameters string)
4) Typing “console=ttyS0,115200n8 -- " (to specify the serial console location and connection settings)
5) Enter (to start the installation process)
A few moments later, low and behold, we were greeted with the initial screen for a new Ubuntu installation displayed in our minicom session. At this point, it was a simple process of dropping into a root shell, mounting the Check Point partition and chrooting into it, and running the passwd command (/usr/bin/passwd) to reset the passwords for the device's administrator accounts. Upon reboot, we had successfully regained full access to the device – no reinstallation required.
There are several lessons to take away from this experience. First and foremost, physical security is paramount when seeking to protect any device or server, including your firewalls. Without physical access, we would not have been able to compromise the device in this manner.
Second, when attempting to gain access to any device, know the underlying technology and its operation. Since the Check Point operating system is based on Linux, we were able to apply the same techniques to attack this device as one would use when seeking to compromise a Linux system.
Finally, when faced with a challenge, don't rule out novel approaches for solving your problems. Your initial plan of attack may result in failure, but failure does not mean that success is unreachable – and you might even learn something new in the process.
Cross-posted from Hurricane Labs