Date: Wed Dec  7 14:42:44 2005
From: j.schipper at math.uu.nl (Joachim Schipper)
Subject: Checkpoint SecureClient NGX Security Policy can
	easily be disabled

On Wed, Dec 07, 2005 at 12:54:02PM +0100, Viktor Steinmann wrote:
> (...) Checkpoint SecureClient enforces a policy on the VPN Client,
> which you can define on the VPN Endpoint you log on to (the firewall).
> Furthermore SecureClient includes a personal firewall, which protects
> the VPN Client from the network around him. Every time the VPN Client
> opens the VPN tunnel, the policy is updated, so you can be sure, that
> your policy is the latest one. In the above situation, you would
> create a policy, which checks several parameters, to ensure the
> workstation is one of yours, e.g. check the windows serial number,
> check a specific process which must be running, you could even check
> the CPUID.
> 
> Checkpoint's Datasheet
> (http://www.checkpoint.com/products/downloads/vpn-1_clients_datasheet.pdf)
> says:
> "VPN-1 SecureClient strengthens enterprise security by ensuring client
> machines cannot be configured to circumvent the enterprise security
> policy."
> 
> So far, so good.
> 
> Now we've found a way, to disable that security policy very easily (a
> 3 line batch is all it needs). This means, that people who have a
> login to your VPN site can use whatever hardware they like. No security
> policy is enforced, no personal firewall is running - but the VPN part
> works.
> 
> And now to the sugar part: The Procedure that makes it work:
> 
> Step a) Download SecureClient from the Checkpoint Website
> Step b) Install SecureClient
> Step c) Connect to the VPN Endpoint (which will download the policy)
> Step d) Copy the downloaded policy (local.scv) to a different name
> (e.g. x.scv)
> Step e) Shutdown SecureClient
> Step f) Create a Batch-File, that looks like this
> 
> :Loop
> copy x.scv local.scv
> goto Loop
> 
> Step g) Edit x.scv to suit your needs (so you fulfill the policy)
> Step h) Run your batch
> Step i) Start SecureClient
> Step j) Connect to the VPN Endpoint and be surprised, that this stupid
> trick works...

Actually, be not very surprised at all. It's a little surprising that it
is *this* easy to bypass it, but hardly surprising that this flawed
concept doesn't work.

		Joachim
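
A defender-side check for the overwrite loop described in the quoted post, added here as an example and not part of either message: it scans file-write audit records for writes to local.scv by a process other than the VPN client, and for rapid repeated writes. The record layout, the `vpnclient.exe` name and the `C:\PLACEHOLDER` paths are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from ntpath import basename  # Windows path rules, whatever OS the analysis runs on

POLICY_FILE = "local.scv"            # policy file name given in the post
TRUSTED_WRITERS = {"vpnclient.exe"}  # ASSUMPTION: placeholder for the real client binary


def find_policy_tampering(events, window_ms=1000, burst=5):
    """events: time-sorted (epoch_ms, process_image, target_path) file-write
    records, e.g. exported from endpoint file auditing (assumed layout).
    Returns (reason, process, epoch_ms) findings, one per reason and process."""
    findings, reported = [], set()
    recent = defaultdict(deque)  # process -> timestamps of its recent policy writes
    for ts, image, target in events:
        if basename(target).lower() != POLICY_FILE:
            continue  # only writes to the policy file matter here
        proc = basename(image).lower()
        # Signal 1: the policy file is written by something other than the client.
        if proc not in TRUSTED_WRITERS and ("untrusted_writer", proc) not in reported:
            reported.add(("untrusted_writer", proc))
            findings.append(("untrusted_writer", proc, ts))
        # Signal 2: many writes inside a short sliding window, i.e. a copy loop.
        q = recent[proc]
        q.append(ts)
        while ts - q[0] > window_ms:
            q.popleft()
        if len(q) >= burst and ("overwrite_loop", proc) not in reported:
            reported.add(("overwrite_loop", proc))
            findings.append(("overwrite_loop", proc, ts))
    return findings


# Constructed sample events (not taken from the post).
POLICY_PATH = r"C:\PLACEHOLDER\local.scv"
SAMPLE = [
    (100000, r"C:\PLACEHOLDER\vpnclient.exe", POLICY_PATH),           # policy download
    (150000, r"C:\Windows\notepad.exe", r"C:\PLACEHOLDER\notes.txt"),  # unrelated write
]
# Six writes 50 ms apart from a command interpreter: the loop pattern.
SAMPLE += [(200000 + 50 * i, r"C:\Windows\System32\cmd.exe", POLICY_PATH)
           for i in range(6)]

if __name__ == "__main__":
    for finding in find_policy_tampering(SAMPLE):
        print(finding)
```

Because the endpoint is under the user's control, this is telemetry for managed machines that forward their audit logs, not an enforcement mechanism.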
