Jan 21, 2017

Have you ever been frustrated that even simple scripting is a problem when doing things on your Check Point firewall? There is a reason why compilers and scripting tools are so limited on such devices: the fewer tools a potential attacker finds on the box to do harm with, the better.

As far as I remember from various trainings, Check Point uses a GCC compiler to build the policies, but this compiler is said to be stripped down to a large extent.

Python also exists within GAiA. I would not suggest using this Python on a gateway, but on a management server it could be very useful.

This is how you start Python:

[Expert@cp2205:0]# $FWDIR/Python/bin/python
Python 2.7.3 (default, Jun 27 2012, 14:41:05)
[GCC 3.2.3 20030502 (Red Hat Linux 3.2.3-20)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
Python usage is limited in Check Point security gateway

The last line of that banner is true, as we will see in a moment. Let’s try a simple script:

[Expert@cp2205:0]# cat test.py
#!/opt/CPsuite-R77/fw1/Python/bin/python
# -*- coding: utf-8 -*-
print("Hello, World!")

We start this script:

[Expert@cp2205:0]# ./test.py
File './test.py' execution is not allowed according to Check Point policy

Oops. Which policy, and where is it defined? With strace you will find a hint pointing to /etc/fw/conf/whitelist. Let’s append our file to this whitelist:

# VER: 20140202
# Python Whitelist
p;$TE_UPDATES_HOME/SA_rules/496149D5-0689-472B-8F50-21DD409F0EC6/${SA_REV}/ole_analyzer/oleanalyzer.pyc
p;$TE_UPDATES_HOME/SA_rules/496149D5-0689-472B-8F50-21DD409F0EC6/${SA_REV}/ole_analyzer/office2007_analyzer.pyc
p;$TE_UPDATES_HOME/SA_rules/496149D5-0689-472B-8F50-21DD409F0EC6/${SA_REV}/pdf_analyzer/pdf_static_analysis.pyc
p;${FWDIR}/scripts/fake_server/FakeServer.pyc
p;$TE_UPDATES_HOME/Raw_Files/A8B5A5DC-4335-47AB-9895-D58BBDFBE2D5/${BINR_REVISION}/binres/msi.fix.pyc
p;$TE_UPDATES_HOME/Raw_Files/A8B5A5DC-4335-47AB-9895-D58BBDFBE2D5/${BINR_REVISION}/binres/rtl.fix.pyc
p;${FWDIR}/teCurrentPack/fake_server/FakeServer.pyc
p;${FWDIR}/scripts/CheckSMTPconnectivity.py
p;/home/admin/test.py

Okay. Next try:

[Expert@cp2205:0]# ./test.py
File './test.py' execution is not allowed according to Check Point policy

That was not really what I expected. Maybe the script has to be invoked with exactly the same path as written in the whitelist?

[Expert@cp2205:0]# /home/admin/test.py
Hello, World!

Voilà! The rest is up to you.

Some last words: now that you know /etc/fw/conf/whitelist exists, maybe you will take a look at its contents on your Check Point devices in the future. It is the list of everything the bundled Python is allowed to run, so an entry you do not recognise deserves a second look, and anyone who can write to that file can grant themselves the same permission we just did.

  One Response to “Using Python on Check Point Firewalls”

  1. Very nice article!

    The /etc/fw/conf/whitelist file has 2 types of entries: path (the line begins with “p;”) or hash (the line begins with “h;”).
    p;
    or
    h;

    Path:
    The path uses the wordexp() C library call, which is a shell-like expansion of the string (man wordexp). In other words, you can use wildcard characters in the path (in the above example: p;/home/admin/*.py). The problem is that only the first match is checked: if the /home/admin/ directory contains only ‘a.py’ and ‘hello.py’, just ‘a.py’ is allowed to execute, because ‘a.py’ is the first match and ‘hello.py’ is the second (or you can use the full path of the Python script without a wildcard).

    Hash:
    The hash method uses the SHA1() hash of the Python program. It is easy to create the sha1() hash of the above example:

    [Expert:]# sha1sum /home/admin/hello.py # or ‘cpopenssl sha1 /home/admin/hello.py’ (why cpopenssl? Why cp? 🙂
    5b3488b47c302c3dfe9195032877dbab13dc4bd4 /home/admin/hello.py

    In this case the whitelist entry is:
    h;5b3488b47c302c3dfe9195032877dbab13dc4bd4

    Just a final note: from R80.30 (maybe R80) there is no longer any restriction on executing Python scripts.
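To make the two lookup rules from the post and the comment concrete, here is an added example (my code, not Check Point’s) that emulates the whitelist check: “p;” entries are expanded shell-style and must string-match the path the script was invoked as, with only the first wildcard match honoured, and “h;” entries are SHA-1 digests of the file contents. The exact-string comparison, the first-match-only wildcard behaviour and the sorted match order are assumptions taken from the post and the comment, not verified against the product; the whitelist, the environment values and the script files are constructed in a temporary directory. It runs on both the Python 2.7 shipped in $FWDIR/Python and on Python 3.

```python
# -*- coding: utf-8 -*-
# Emulation of the /etc/fw/conf/whitelist lookup described in the post and the
# comment. Added example, not Check Point code; assumed semantics: 'p;' lines
# are expanded shell-style (variables, wildcards, first match only) and string-
# compared with the invoked path, 'h;' lines hold the SHA-1 of the file.
# Runs on Python 2.7 (as shipped in $FWDIR/Python) and on Python 3.
import glob
import hashlib
import io
import os
import re
import shutil
import tempfile

_VAR = re.compile(r"\$\{([^}]+)\}|\$([A-Za-z_][A-Za-z0-9_]*)")

def expand_path_entry(entry, env):
    """wordexp()-like expansion: $VAR / ${VAR} from env, then wildcards.
    With wildcards only the first (sorted) match counts, None if nothing
    matches; without wildcards the expanded string is returned as-is."""
    expanded = _VAR.sub(lambda m: env.get(m.group(1) or m.group(2), ""), entry)
    if not any(c in expanded for c in "*?["):
        return expanded
    matches = sorted(glob.glob(expanded))
    return matches[0] if matches else None

def parse_whitelist(text, env):
    """Return (allowed_paths, allowed_sha1s); comments and unknown kinds are skipped."""
    paths, hashes = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(";")
        if kind == "p":
            path = expand_path_entry(value, env)
            if path is not None:
                paths.append(path)
        elif kind == "h":
            hashes.add(value.strip().lower())
    return paths, hashes

def sha1_of_file(path):
    """SHA-1 hex digest of the file contents, the value an 'h;' line carries."""
    digest = hashlib.sha1()
    with io.open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def is_allowed(invoked_as, whitelist_text, env=None):
    """'path' on an exact string match with the invoked path, 'hash' on a
    content match, None when refused. Comparing the typed path, not the
    resolved file, is why './test.py' fails and '/home/admin/test.py' works."""
    env = os.environ if env is None else env
    paths, hashes = parse_whitelist(whitelist_text, env)
    if invoked_as in paths:
        return "path"
    if os.path.isfile(invoked_as) and sha1_of_file(invoked_as) in hashes:
        return "hash"
    return None

def entries_outside(whitelist_text, env, trusted_prefixes):
    """Audit helper: 'p;' lines expanding outside the product's own trees."""
    flagged = []
    for raw in whitelist_text.splitlines():
        line = raw.strip()
        if line.startswith("p;"):
            path = expand_path_entry(line[2:], env)
            if path is not None and not path.startswith(tuple(trusted_prefixes)):
                flagged.append(line)
    return flagged

def demo():
    """Constructed scenario in a temporary directory; returns every decision."""
    home = tempfile.mkdtemp()
    try:
        for name in ("a.py", "b.py", "hello.py", "test.py"):
            with io.open(os.path.join(home, name), "w", encoding="utf-8") as fh:
                fh.write(u'print("Hello from %s")\n' % name)
        env = {"SCRIPT_HOME": home, "FWDIR": "/opt/CPsuite-R77/fw1"}  # constructed values
        whitelist = "\n".join([
            "# VER: 20140202",
            "# constructed sample, not a real gateway's file",
            "p;${FWDIR}/scripts/CheckSMTPconnectivity.py",
            "p;${SCRIPT_HOME}/*.py",  # wildcard: only a.py, the first match, counts
            "p;$SCRIPT_HOME/test.py",
            "h;" + sha1_of_file(os.path.join(home, "hello.py")),
        ])
        probes = {
            "a.py": os.path.join(home, "a.py"),
            "b.py": os.path.join(home, "b.py"),
            "hello.py": os.path.join(home, "hello.py"),
            "test.py": os.path.join(home, "test.py"),
            "dot_test.py": os.path.join(home, ".", "test.py"),  # same file, other string
        }
        result = dict((k, is_allowed(p, whitelist, env)) for k, p in probes.items())
        result["flagged"] = entries_outside(whitelist, env, [env["FWDIR"]])
        return result
    finally:
        shutil.rmtree(home)
```

Calling demo() shows the behaviour the post ran into: a.py and test.py pass on their path entries, b.py is refused although the wildcard covers it, hello.py passes only on its hash, and the same test.py invoked as “…/./test.py” is refused because the string differs. entries_outside() is the quick audit suggested above: it returns every “p;” line that expands outside $FWDIR, which is where an entry like p;/home/admin/test.py would show up.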
