# 264/tcp - Pentesting Check Point Firewall

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

It’s possible to interact with CheckPoint Firewall-1 firewalls to discover valuable information such as the firewall’s name and the management station’s name. This is done by sending a query to port 264/TCP.

## Obtaining Firewall and Management Station Names

The Metasploit auxiliary module below sends a pre-authentication request to the CheckPoint Firewall-1 topology service. Set the target and run it:

```
use auxiliary/gather/checkpoint_hostname
set RHOST 10.10.10.10
run
```

Upon execution, the module attempts to contact the firewall’s SecuRemote Topology service. If successful, it confirms the presence of a CheckPoint Firewall and retrieves the names of both the firewall and the SmartCenter management host. Here’s an example of what the output might look like:

```
[*] Attempting to contact Checkpoint FW1 SecuRemote Topology service...
[+] Appears to be a CheckPoint Firewall...
[+] Firewall Host: FIREFIGHTER-SEC
[+] SmartCenter Host: FIREFIGHTER-MGMT.example.com
[*] Auxiliary module execution completed
```

## Alternative Method for Hostname and ICA Name Discovery

Another technique is a one-liner that sends the same topology query to the firewall and filters the response to extract the firewall’s hostname and ICA name. The command is:

```bash
printf '\x51\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x0bsecuremote\x00' | nc -q 1 10.10.10.10 264 | grep -a CN | cut -c 2-
```

The output of this command is the firewall’s certificate name (CN) and organization (O), as shown below:

```
CN=Panama,O=MGMTT.srv.rxfrmi
```
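As an added example (not part of the original page, nor code from the Metasploit module), the Python below rebuilds the probe bytes from the one-liner above, recognises that probe in a 264/tcp capture so reconnaissance attempts can be triaged, and parses the CN/O reply. The field layout (magic bytes, a 0x21 word, a big-endian length-prefixed name) and the sample reply are assumptions constructed for this example.

```python
import re
import struct
from typing import Optional

MAGIC = b"\x51\x00\x00\x00"   # first 4 bytes of the probe shown above
NAME = b"securemote\x00"      # NUL-terminated service name, 11 bytes
PROBE = b"\x51\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x0bsecuremote\x00"

# Constructed sample reply (not a real capture): a 4-byte big-endian length
# followed by the CN/O string quoted above and a NUL terminator.
REPLY = b"\x00\x00\x00\x1c" + b"CN=Panama,O=MGMTT.srv.rxfrmi" + b"\x00"


def build_probe() -> bytes:
    """Rebuild the probe from its parts: magic, the constant word 0x21, then a
    big-endian length prefix and the NUL-terminated name (layout is assumed)."""
    return MAGIC + struct.pack(">I", 0x21) + struct.pack(">I", len(NAME)) + NAME


def is_topology_probe(data: bytes) -> bool:
    """True if a 264/tcp client payload is the SecuRemote topology query.
    Useful when triaging captures or IDS alerts for firewall fingerprinting."""
    if len(data) < 12 or data[:4] != MAGIC:
        return False
    (name_len,) = struct.unpack(">I", data[8:12])
    return data[12:12 + name_len] == NAME


def parse_topology_reply(data: bytes) -> Optional[dict]:
    """Extract the certificate CN and O fields from a reply, the same values the
    grep/cut pipeline above prints; None when no CN=...,O=... string is present."""
    m = re.search(rb"CN=([^,\x00]+),O=([^\x00]+)", data)
    if not m:
        return None
    return {"cn": m.group(1).decode("latin-1"), "o": m.group(2).decode("latin-1")}


if __name__ == "__main__":
    assert build_probe() == PROBE
    print(is_topology_probe(PROBE), parse_topology_reply(REPLY))
```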

## HTTP Security Server Format String Bug (CAN-2004-0039)

Affected builds: NG FCS, NG FP1, NG FP2, NG FP3 HF2, and NG with Application Intelligence R54/R55.
Requirement: the HTTP Security Server or AI HTTP proxy must be enabled and transparently inspecting the targeted port; if HTTP inspection is disabled, the vulnerable code path is never reached.

### Triggering the error handler

The proxy rejects malformed HTTP messages and builds its own error page with `sprintf(errbuf, attacker_string);`, letting attacker-controlled bytes act as the format string. Send an invalid request through the firewall and look for a proxy-generated error that reflects your payload:

```bash
printf 'BOGUS%%08x%%08x%%08x%%n HTTP/1.0\r\nHost: internal.local\r\n\r\n' | nc -nv [FIREWALL_IP] 80
```

If HTTP inspection is active, the firewall (not the backend server) answers immediately, proving the middlebox parsed and replayed the request line.

### Exploitation

#### Format string primitive

  • Force the parser into the error routine (invalid method, URI, or headers).
  • Place attacker-controlled dwords up front so %x, %s, and %n directives treat them as stack arguments.
  • Use %x/%s to leak pointers, then %n/%hn to write the formatted byte count into chosen addresses, overwriting return pointers, vtables, or heap metadata before hijacking execution with injected shellcode or ROP.

#### Heap overflow primitive

The same unsafe sprintf() writes into a fixed-size heap buffer. Mix a long request body with oversized directives (e.g., %99999x) so the formatted output overruns the allocation and corrupts adjacent heap structures, letting you forge freelist pointers or function tables that are later dereferenced.

### Impact

Compromise of the proxy grants code execution inside the firewall process (SYSTEM on Windows appliances, root on UNIX), enabling rule manipulation, traffic interception, and pivoting deeper into the management network.
