Check Point Connectra R62 Login Script Injection Vulnerability scip AG Vulnerability ID 4020 (09/04/2009) http://www.scip.ch/?vuldb.4020 I. INTRODUCTION Check Point Connectra is a so-called SSL-VPN solution, which allows users to access a remote system using a regular web browser. More information is available on the official product web site at the following URL[1]: http://www.checkpoint.com/products/connectra/index.html II. DESCRIPTION Stefan Friedli at scip AG (Switzerland) found an input validation error within the current release, which enabled an attacker to perform various web-based attacks. The initial logon script at /Login/Login, that is being used for unauthenticated users to log in, fails to perform proper input validation on the data that is being submitted via HTTP POST. While certain fields are escaped before being sent back to users browser, the parameter "vpid_prefix" lacks any validation and is therefore vulnerable to script injection. Other parts of the application might be affected too. This vulnerability has been tested on version R62, other versions might be affected as well. III. EXPLOITATION Classic script injection techniques and unexpected input data within a browser session can be used to exploit these vulnerabilities. The target application does actually check for certain patterns and prevents an attacker from using easy exploiting strings containing substrings like "script", "javascript", "alert" or similar. However, we consider this to be an imperfect mechanism that is unable to prevent an attack using a more sophisticated payload. For a selection, you might want to check RSnakes popular XSS Cheat Sheet[2], which contains several patterns not being detected by the filter in place, allowing you execute any arbitrary, externally hosted payload. We exploited the vulnerability for a customer in order to proof the possibility to capture usernames and passwords. One of the possibilities mentioned above is, to embed a remote flash file and grant it the permission to execute script code. Vulnerable Variable Value: vpid_prefix = "> --- CUT END --- IV. IMPACT Because non-authenticated parts of the software are affected, this vulnerability is serious for every secure environment. Non-authenticated users might be able to exploit this flaw to gain elevated privileges in the target environment (e.g. extracting sensitive cookie information or login information) or to perform any other form of web-based attacks. Due to the fact that the application will often be allowed to make use of ActiveX, it can also be used as a springboard to inject other payloads, for example MS09-037[3] or any other vulnerability disclosed lately, that might be exploited using a web browser. Because other parts of the application might be affected too - this could include some second order vulnerabilities - a severe attack scenario might be possible. V. DETECTION Detection of web based attacks requires a specialized web proxy and/or intrusion detection system. Patterns for such a detection are available and easy to implement. Usually the mathematical or logical symbols for less-than (<) and greater-than (>) are required to propose a HTML tag. In some cases single (') or double quotes (") are required to inject the code in a given HTML statement. Some implementation of security systems are looking for well-known attack tags as like