exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CheckPoint/Sofaware Firewall XSS / CSRF / Redirection / Disclosure

CheckPoint/Sofaware Firewall XSS / CSRF / Redirection / Disclosure
Posted Nov 2, 2012
Authored by ProCheckUp, Richard Brain | Site procheckup.com

CheckPoint/Sofaware firewalls suffer from redirection, cross site request forgery, cross site scripting, and information disclosure vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure, csrf
SHA-256 | 5ae76cdada41d919af4e21bd1b0d36824ad80b60a77057ebb204db615d421663

CheckPoint/Sofaware Firewall XSS / CSRF / Redirection / Disclosure

Change Mirror Download
ProCheckUp Research

http://procheckup.com/procheckup-labs/pr11-07.aspx

PR11-07 Multiple peristent XSS, XSS, XSRF, offsite redirection and information disclosure flaws within CheckPoint/Sofaware firewalls

Vulnerability found: 3rd May 2011

Vendor informed: 20th July 2011

Vulnerability fixed: 16th October 2011/14 December 2011

Severity: High

Description:

CheckPoint/Sofaware firewalls are popular compact UTM (Unified Threat Management) devices, commonly found deployed in corporate satellite offices sometimes even within private households. ProCheckUp has discovered that multiple peristent XSS, XSS, XSRF, offsite redirection and information disclosure vulnerabilities exist within these firewalls. Which might allow the protective nature of the firewall to be subverted, placing internal users at risk from attack.

Please see our paper titled "Checkpoint/SofaWare Firewall Vulnerability Research", for more better details.


Tested on versions 7.5.48x, 8.1.46x and 8.2.2x.


1) The following demonstrate the reflective XSS flaws:-

a) The Ufp.html page is vulnerable to XSS via the url parameter
It works by submitting a malicious url parameter to the ufp.html page
http://192.168.10.1/pub/ufp.html?url="><script>alert(1)</script>&mask=000&swpreview=1

This works with firmware versions 7.5.48x, 8.1.46x and 8.2.2x.

b) The login page is also vulnerable to an XSS via the malicious session cookie
It works by submitting a malicious session cookie to the login page
Cookie: session="><script>alert(1)</script>

c) An authenticated XSS exists within the diagnostics command
http://192.168.10.1/diag_command.html?sw__ver=blah1&swdata=blah2&sw__custom='");alert(1);//
(this might need to be submitted twice)


Consequences:
An attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link to Checkpoint firewall hosted page. Such code would run within the security context of the target domain. This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: session IDs) to unauthorised third parties.

2) The following demonstrate the persistent XSS flaws and XSRF flaws:-

a) The blocked URL warning page is vulnerable to a persistent XSS attack placing any internal users at risk of attack when the page is displayed.

First an attacker has to trick the administrator to follow a XSRF attack; the (swsessioncookie) session cookie for simplicity sake is shown though JavaScript document.cookie can be used to subvert this protection (see paper).
http://192.168.10.1/UfpBlock.html?swcaller=UfpBlock.html&swsessioncookie=20KHYp5-oS7rKmS-a4rq4j&swsave=1&ufpblockhttps=0&ufpbreakframe=&backurl=WebRules.html&ufpblockterms=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Firewall users then visiting blocked sites will have the blocked page displayed and the attack carried out.
http://192.168.10.1/pub/ufp.html?url=www.blockedUrl.com&mask=000&swpreview=1

b) The Wi-Fi hotspot landing page on Wi-Fi enabled firewalls is also vulnerable, with any user using the Wi-Fi access point being at risk.

First an attacker has to trick the administrator to follow a XSRF attack, the (swsessioncookie) session cookie for simplicity sake is shown though JavaScript document.cookie can be used to subvert this protection (see paper).
http://192.168.10.1/HotSpot.html?swcaller=HotSpot.html&swsessioncookie=20KHYp5-oS7rKmS-a4rq4j&swsave=1&hotspotnets=00000000000000000000000000000000000000&hotspotpass=1&hotspotmulti=1&hotspothttps=0&hotspotnet1=0&hotspotnet2=0&hotspotnet3=0&hotspotenf=0&hotspottitle=Welcome+to+My+HotSpot&hotspotterms=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&thotspotpass=on&thotspotmulti=on

Firewall users then visiting the Wi-Fi landing page will then have the attack carried out.
http://192.168.10.1/pub/hotspot.html?swpreview=1


Consequences:
An attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link to Checkpoint firewall hosted page. Such code would run within the security context of the target domain. Using persistent XSS attacks the attacker does not have to trick his victims to visit his malicious page, as the malicious code is stored by and becomes part of the webpage.


3) The following demonstrate the (authenticated) offsite redirection flaws:-

a) Enter the following URL to redirect
http://192.168.10.1/12?swcaller=http://www.procheckup.com

b) Enter the following URL and then press back button.
http://192.168.10.1/UfpBlock.html?backurl=http://www.procheckup.com

Consequences:
Offsite redirection is typically used to perform phishing type attacks, by fooling an authenticated user to re-enter authentication details in an external site.

4) The following demonstrate the Information disclosure flaws (no authentication needed)
It was found that the /pub/test.html program disclosed information, regarding the patch level used, licensing and the MAC addresses to unauthenticated users.

a) On early firmware versions 5.0.82x, 6.0.72x & 7.0.27x 7.5.48x
Just requesting http:// 192.168.10.1/pub/test.html is sufficient

b) However this no longer worked on versions 8.1.46x & 8.2.26x however adding the URL parameter and a double quote bypassed this check
https:// 192.168.10.1/pub/test.html?url="


Consequences:
An attacker may be able to obtain additional information on the machines configuration, and use this information to carry out further attacks.

Fix:
Upgrade to firmware version 8.2.44 or higher, which solves these vulnerabilities
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65460

References:
http://www.procheckup.com/Vulnerabilities.php


Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com)


Legal:
Copyright 2012 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.


Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close