Jan 212017
 

Have you ever been frustrated that simple scripting is a problem when doing things on your Check Point firewall? There is a reason why compilers and scripting tools are very limited on such devices. The less options a potential attacker finds to do harm with the better.

As far as I remember from different trainings Check Point uses a GCC compiler to build the policies. But this compiler is said to be stripped down to a large extent.

And there exists Python within GAiA. I would not suggest to use this Python on a gateway, but on a management server it could be very useful.

This is how you start python:

[Expert@cp2205:0]# $FWDIR/Python/bin/python
Python 2.7.3 (default, Jun 27 2012, 14:41:05)
[GCC 3.2.3 20030502 (Red Hat Linux 3.2.3-20)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
Python usage is limited in Check Point security gateway

The last line is true. We will see it in a few moments. Let’s try with a simple script:

[Expert@cp2205:0]# cat test.py
#!/opt/CPsuite-R77/fw1/Python/bin/python
# -*- coding: utf-8 -*-
print("Hello, World!")

We start this script:

[Expert@cp2205:0]# ./test.py
File './test.py' execution is not allowed according to Check Point policy

Oops. Which policy? Where do I define this? With strace you will find a hint to /etc/fw/conf/whitelist. Let’s append our file to this whitelist:

# VER: 20140202
# Python Whitelist
p;$TE_UPDATES_HOME/SA_rules/496149D5-0689-472B-8F50-21DD409F0EC6/${SA_REV}/ole_analyzer/oleanalyzer.pyc
p;$TE_UPDATES_HOME/SA_rules/496149D5-0689-472B-8F50-21DD409F0EC6/${SA_REV}/ole_analyzer/office2007_analyzer.pyc
p;$TE_UPDATES_HOME/SA_rules/496149D5-0689-472B-8F50-21DD409F0EC6/${SA_REV}/pdf_analyzer/pdf_static_analysis.pyc
p;${FWDIR}/scripts/fake_server/FakeServer.pyc
p;$TE_UPDATES_HOME/Raw_Files/A8B5A5DC-4335-47AB-9895-D58BBDFBE2D5/${BINR_REVISION}/binres/msi.fix.pyc
p;$TE_UPDATES_HOME/Raw_Files/A8B5A5DC-4335-47AB-9895-D58BBDFBE2D5/${BINR_REVISION}/binres/rtl.fix.pyc
p;${FWDIR}/teCurrentPack/fake_server/FakeServer.pyc
p;${FWDIR}/scripts/CheckSMTPconnectivity.py
p;/home/admin/test.py

Okay. Next try:

[Expert@cp2205:0]# ./test.py
File './test.py' execution is not allowed according to Check Point policy

That was not really what I expected. Maybe precisely in the same way as in the whitelist?

[Expert@cp2205:0]# /home/admin/test.py
Hello, World!

Voilà! The rest is up to you.

Some last words: Knowing about the existence of /etc/fw/conf/whitelist maybe you will have a look on the contents of this file on your Check Point devices in the future.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)