VAR-200109-0013
Vulnerability from variot - Updated: 2025-04-03 20:42Check Point FireWall-1 3.0b through 4.1 for Solaris allows local users to overwrite arbitrary files via a symlink attack on temporary policy files that end in a .cpp extension, which are set world-writable. Check Point Firewall-1 is a commercial firewall implementation designed for small to enterprise sized networks. A problem with Firewall-1 has been discovered that makes it possible for a local user to change the permissions of root-owned files to world-writable, and potentially gain elevated privileges. The problem is in the creation of predictable /tmp files. Upon editing firewall rules and committing them, a file is created in /tmp using the name of the policy as a filename, and .cpp as an extension. It's possible for a local user to create symbolic links to root-owned files, which will result in the files becoming world-writable, and potentially gain local root access. The file's attributes are set to rw-rw-rw- (666), which allows anyone to modify the file. Since the file is not checked whether it is a link file when the file is created, an attacker can create a file in any directory through a link attack. If an attacker has permission to compile firewall policies and has access to the system where the firewall resides, this vulnerability could be exploited to elevate privileges
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200109-0013",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "firewall-1",
"scope": "eq",
"trust": 1.6,
"vendor": "checkpoint",
"version": "4.0"
},
{
"model": "firewall-1",
"scope": "eq",
"trust": 1.6,
"vendor": "checkpoint",
"version": "3.0"
},
{
"model": "firewall-1",
"scope": "eq",
"trust": 1.6,
"vendor": "checkpoint",
"version": "4.1"
},
{
"model": "point software firewall-1 sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "check",
"version": "4.1"
},
{
"model": "point software firewall-1",
"scope": "eq",
"trust": 0.3,
"vendor": "check",
"version": "4.1"
},
{
"model": "point software firewall-1",
"scope": "eq",
"trust": 0.3,
"vendor": "check",
"version": "4.0"
},
{
"model": "point software firewall-1",
"scope": "eq",
"trust": 0.3,
"vendor": "check",
"version": "3.0"
},
{
"model": "point software firewall-1 sp4",
"scope": "ne",
"trust": 0.3,
"vendor": "check",
"version": "4.1"
},
{
"model": "point software firewall-1 sp3",
"scope": "ne",
"trust": 0.3,
"vendor": "check",
"version": "4.1"
},
{
"model": "point software firewall-1 sp2",
"scope": "ne",
"trust": 0.3,
"vendor": "check",
"version": "4.1"
}
],
"sources": [
{
"db": "BID",
"id": "3300"
},
{
"db": "CNNVD",
"id": "CNNVD-200109-022"
},
{
"db": "NVD",
"id": "CVE-2001-1102"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "This vulnerability was announced by Alan Darien \u003cadarien@securetrendz.com\u003e via Bugtraq on September 8, 2001.",
"sources": [
{
"db": "BID",
"id": "3300"
}
],
"trust": 0.3
},
"cve": "CVE-2001-1102",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "HIGH",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 6.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 1.9,
"id": "CVE-2001-1102",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "MEDIUM",
"trust": 1.0,
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 6.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 1.9,
"id": "VHN-3907",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:L/AC:H/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2001-1102",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-200109-022",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-3907",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-3907"
},
{
"db": "CNNVD",
"id": "CNNVD-200109-022"
},
{
"db": "NVD",
"id": "CVE-2001-1102"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Check Point FireWall-1 3.0b through 4.1 for Solaris allows local users to overwrite arbitrary files via a symlink attack on temporary policy files that end in a .cpp extension, which are set world-writable. Check Point Firewall-1 is a commercial firewall implementation designed for small to enterprise sized networks. \nA problem with Firewall-1 has been discovered that makes it possible for a local user to change the permissions of root-owned files to world-writable, and potentially gain elevated privileges. The problem is in the creation of predictable /tmp files. Upon editing firewall rules and committing them, a file is created in /tmp using the name of the policy as a filename, and .cpp as an extension. \nIt\u0027s possible for a local user to create symbolic links to root-owned files, which will result in the files becoming world-writable, and potentially gain local root access. The file\u0027s attributes are set to rw-rw-rw- (666), which allows anyone to modify the file. Since the file is not checked whether it is a link file when the file is created, an attacker can create a file in any directory through a link attack. If an attacker has permission to compile firewall policies and has access to the system where the firewall resides, this vulnerability could be exploited to elevate privileges",
"sources": [
{
"db": "NVD",
"id": "CVE-2001-1102"
},
{
"db": "BID",
"id": "3300"
},
{
"db": "VULHUB",
"id": "VHN-3907"
}
],
"trust": 1.26
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2001-1102",
"trust": 2.0
},
{
"db": "BID",
"id": "3300",
"trust": 2.0
},
{
"db": "CNNVD",
"id": "CNNVD-200109-022",
"trust": 0.7
},
{
"db": "BUGTRAQ",
"id": "20010908 BUG IN COMPILE PORTION FOR OLDER VERSIONS OF CHECKPOINT FIREWALLS",
"trust": 0.6
},
{
"db": "XF",
"id": "7094",
"trust": 0.6
},
{
"db": "XF",
"id": "1",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-3907",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-3907"
},
{
"db": "BID",
"id": "3300"
},
{
"db": "CNNVD",
"id": "CNNVD-200109-022"
},
{
"db": "NVD",
"id": "CVE-2001-1102"
}
]
},
"id": "VAR-200109-0013",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-3907"
}
],
"trust": 0.01
},
"last_update_date": "2025-04-03T20:42:09.239000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2001-1102"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/3300"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/archive/1/212824"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/7094"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/static/7094.php"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-3907"
},
{
"db": "CNNVD",
"id": "CNNVD-200109-022"
},
{
"db": "NVD",
"id": "CVE-2001-1102"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-3907"
},
{
"db": "BID",
"id": "3300"
},
{
"db": "CNNVD",
"id": "CNNVD-200109-022"
},
{
"db": "NVD",
"id": "CVE-2001-1102"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2001-09-08T00:00:00",
"db": "VULHUB",
"id": "VHN-3907"
},
{
"date": "2001-09-08T00:00:00",
"db": "BID",
"id": "3300"
},
{
"date": "2001-09-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200109-022"
},
{
"date": "2001-09-08T04:00:00",
"db": "NVD",
"id": "CVE-2001-1102"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-12-19T00:00:00",
"db": "VULHUB",
"id": "VHN-3907"
},
{
"date": "2009-07-11T07:56:00",
"db": "BID",
"id": "3300"
},
{
"date": "2006-01-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200109-022"
},
{
"date": "2025-04-03T01:03:51.193000",
"db": "NVD",
"id": "CVE-2001-1102"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "BID",
"id": "3300"
},
{
"db": "CNNVD",
"id": "CNNVD-200109-022"
}
],
"trust": 0.9
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Check Point Firewall-1 Policy Compilation Symbolic Linkhole",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200109-022"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "competitive condition",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200109-022"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…