Hello everyone, I work at one of the Checkpoint TACs. We had a little internal contest to see if we could get doom running on a Checkpoint firewall for fun. I managed to get it done and just finished the SK. Feel free to take a look at sk164752 for how it was done. It is general access so anyone should be able to view it.
Needless to say, do not try this in production; you are increasing the attack surface of the operating system significantly by doing so.
Edit: It looks like management decided to make the SK internal, sorry guys.
Edit2: They did OK it to be posted on CheckMates though; please see below.
Symptoms
Solution
Please note this procedure is not supported and not secure
Under no circumstances should this be done in a production environment
This is a proof of concept and for fun
Pre-requisites
- An R80.30 Gateway running the 3.10 kernel as per sk152652
- A bootable Ubuntu Live image - link
- More spare time than sense
Installing a Debian chroot
- Boot the R80.30 3.10 gateway from the Ubuntu Live image
- Ensure the live OS has an internet connection
- Once booted, install debootstrap
- Create a working environment and mount the Gaia file system
- We will be installing Debian Jessie in the chroot because Jessie runs kernel 3.16, which is very close to the Gaia kernel 3.10. This will help things run more smoothly.
- Create the chroot environment; if you choose another chroot OS, be sure to change the path
- Use the following command to install Jessie; this may take some time
- Once complete, reboot and remove the Ubuntu installation media
Prepare the Chroot
Start of script
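#!/bin/bash
# Bind-mount the host's kernel interfaces and device nodes into the chroot.
# Processes inside /chroot/jessie get direct access to the host's /proc, /sys and /dev.
mount --bind /proc /chroot/jessie/proc
mount --bind /sys /chroot/jessie/sys
mount --bind /dev /chroot/jessie/dev
# /dev/pts provides the pseudo-terminals used by terminal sessions in the chroot
mount --bind /dev/pts /chroot/jessie/dev/pts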
End of script
Configure the Chroot
- Set the DNS server by adding a DNS server of your preference to /etc/resolv.conf with vi
- Install vim because vi is terrible; the default repositories should be able to do this.
- apt update
- apt install vim
- Add the Gaia hostname to /etc/hosts, see below for an example; my hostname is DOOM
- Add a complete list of Jessie repositories to /etc/apt/sources.list by matching the contents below using vim
Start of sources.list
deb http://httpredir.debian.org/debian jessie main non-free contrib
deb-src http://httpredir.debian.org/debian jessie main non-free contrib
deb http://security.debian.org/debian-security jessie/updates main contrib non-free
deb-src http://security.debian.org/debian-security jessie/updates main contrib non-free
End of sources.list
Create a non-root user
Installing the desktop
- Ensure the Debian software selection with the following command
- Using the arrow keys and space bar, select "Debian Desktop Environment" & "Xfce"
- Use tab to select OK and enter to continue.
- Wait for the needed packages to install (this will take several minutes)
- You will be prompted to select your keyboard layout during this process; do so.
- Once complete, you will be back at the terminal
- Installing the desktop will have overwritten /etc/resolv.conf
- Installing the desktop may have overwritten the hostname inside the chroot
- Test the hostname to see if it has changed by using the hostname command
- If it has changed, change it back using the hostname command, as in the example below
- hostname DOOM
- Make sure to edit the /etc/hostname file to match so it survives reboot
- Install xrdp
- Exit the chroot (just type exit in the terminal)
- Add the following line to the jessie.sh script
- Ensure that your firewall policy is either unloaded (fw unloadlocal) or add firewall rules that allow port 3389
- Re-add the full repository list as per the "Configure the Chroot" section, and ensure you "apt update"
Login to the GUI and install DOOM
- RDP to an IP of the gateway that is reachable
- Use the default sesman-Xvnc module
- Provide the username and password (do not log in as root; use the non-root user we created earlier)
- If all went well, you should see the desktop
- Open a terminal and install DOOM
- Start DOOM
Doom running on a Gaia firewall; note the xfce4 and xrdp processes running in the attached screenshot.
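
Added example, not part of the original post or the SK: a check for what this procedure leaves behind on a gateway, namely host /proc, /sys and /dev still bind-mounted under the chroot and a listener on tcp/3389. It assumes the /chroot/jessie path from the script above and xrdp on port 3389 as in the firewall-rule step; the function names are hypothetical and the sample data is constructed.

```bash
#!/bin/sh
# Added example: look for leftovers of the chroot + xrdp setup described above.
# Both checks take a file argument so they also work on captured copies.

CHROOT_ROOT="/chroot/jessie"   # chroot path used in the post's script
RDP_PORT_HEX="0D3D"            # 3389 as it appears in /proc/net/tcp

# List mount points below the chroot root (input in /proc/mounts format).
chroot_mounts() {
    awk -v root="$CHROOT_ROOT" \
        'index($2, root "/") == 1 { print $2 " (" $3 ")" }' "${1:-/proc/mounts}"
}

# List local sockets in LISTEN state (st = 0A) on the RDP port.
# Also accepts /proc/net/tcp6, which uses the same column layout.
rdp_listeners() {
    awk -v port="$RDP_PORT_HEX" \
        'NR > 1 { split($2, a, ":"); if (a[2] == port && $4 == "0A") print $2 }' \
        "${1:-/proc/net/tcp}"
}

# Report findings; exit status 0 = clean, 1 = leftovers present.
audit() {
    found_mounts=$(chroot_mounts "$1")
    found_rdp=$(rdp_listeners "$2")
    [ -n "$found_mounts" ] && printf 'active chroot mounts:\n%s\n' "$found_mounts"
    [ -n "$found_rdp" ] && printf 'listening on tcp/3389: %s\n' "$found_rdp"
    [ -z "$found_mounts" ] && [ -z "$found_rdp" ]
}

# Constructed sample data (not captured from a real gateway).
demo_dir=$(mktemp -d)
cat > "$demo_dir/mounts" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
proc /proc proc rw,relatime 0 0
proc /chroot/jessie/proc proc rw,relatime 0 0
sysfs /chroot/jessie/sys sysfs rw,relatime 0 0
devtmpfs /chroot/jessie/dev devtmpfs rw,relatime 0 0
devpts /chroot/jessie/dev/pts devpts rw,relatime 0 0
EOF
cat > "$demo_dir/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0D3D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20411 1
   1: 0100007F:0D16 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20412 1
   2: 0A00000A:0D3D 1400000A:C001 01 00000000:00000000 00:00000000 00000000  1000        0 20480 1
EOF
audit "$demo_dir/mounts" "$demo_dir/tcp" || echo "result: leftovers found"
```

Called without arguments, `audit` reads the live /proc/mounts and /proc/net/tcp. The third sample socket is an established RDP session rather than a listener, so only the first line is reported.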