lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080207173218.E02CC8BCEE@mail.fjaunet.com.br>
Date: Thu, 7 Feb 2008 15:32:18 -0000
From: "Rodrigo Rubira Branco (BSDaemon)" <rodrigo@...nelhacking.com>
To: "Michael Neal Vasquez" <mnv@...mni.princeton.edu>,
	"full-disclosure@...ts.grok.org.uk"@fjaunet.com.br,
	"bugtraq@...urityfocus.com"@fjaunet.com.br
Subject: Re: Checkpoint SecuRemote/Secure Client NGX Auto
	Local Logon Vulnerability

Or better... how to be Bill Gates, if Bill Gates uses a CheckPoint VPN
Client AND you have access to some machine he used.

I agree it´s a medium problem... why try to make it so special?



cya,


Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo

Kernel Hacking: If i really know, i can hack

GPG KeyID: 1FCEDEA1


--------- Mensagem Original --------
De: Michael Neal Vasquez <mnv@...mni.princeton.edu>
Para: full-disclosure@...ts.grok.org.uk <full-disclosure@...ts.grok.org.uk>,
bugtraq@...urityfocus.com <bugtraq@...urityfocus.com>
Assunto: [Full-disclosure] Checkpoint SecuRemote/Secure Client NGX Auto
Local Logon Vulnerability
Data: 07/02/08 14:15

>
> http://www.digihax.com
>
> Bulletin Release 02.06.08
>
> Checkpoint SecuRemote/Secure Client NGX Auto Local Logon Vulnerability
> (Or, How to Be Bill Gates, if Bill Gates uses a CheckPoint VPN Client)
>
> Discovery Date:
> December 13, 2007
>
> Vendor Release Date:
> February 6, 2008
>
> Severity:
> Impersonation of users. What's your VPN protecting?
> Checkpoint says.... MEDIUM
>
> Vendor:
> Checkpoint
>
> Systems Affected:
> VPN-1 SecuRemote/SecureClienetNGX R60 for Windows VPN-1
> SecuRemote/SecureClient NGAI R56 for Windows Earlier versions may be
> affected as well
>
> Overview:
> Issues with credential storage in the registry allow anyone with read
> access to the registry to utilize stored credentials to login and
> impersonate the user who stored their credentials.
>
> Technical Details:
> Sorry, no sexxy buffer overflow! However, you too can be an
> authenticated VPN user!
> Checkpoint's VPN client has an option to store credentials. All users
> have read access to the registry key where these are stored. A user
> can export this registry key, install the software, and configure it
> to cache credentials. Then, import the registry and connect. No
> prompting, and you are now the alternate user. Bad hacker, bad!
>
> Scenario:
> A user has enabled the Auto Local Logon option in the client, and
> stored their credentials.  These credentials are kept in the registry,
> under HKLMSoftwareCheckpointSecuRemote.  Credentials are
> specifically under the subkey named…. &quot;Credentials&quot;… sneaky!
> Permissions for the Checkpoint key are set to Everyone – Full Control.
> This means anyone with a local logon to the machine, or any
> administrator from a remote machine, if remote registry access is
> enabled, can view and export this key.  Next step: Install the client
> on another machine, and reboot as required.  Configure Auto Local
> Logon, and create a site, but provide no credentials.  Import the key.
>  You are now the other person.  Probably not Bill Gates, but still,
> messy.
>
> Fix:
> Disable the caching of credentials. Who's a fan of that anyway.
> Alternately, see the vendor fix below.
>
> Vendor Status:
> Checkpoint has released a bulletin for this issue, at:
>
https://supportcenter.checkpoint.com/supportcenter/PublicLoginRedirect.jsp?toURL=eventSubmit_doGoviewsolutiondetails=%26solutionid=sk34315
> Good job, Check Point! Thanks for all the follow through, I'd work
> with you guys again. Vendor timeline below.
>
> Credit:
> MN Vasquez
>
> Greetings:
> &lt;3 4 God, nothing else matters.   Props to #13 Kurt Warner, Ron
> Wolfley &amp; Johnny Long, who &quot;get it&quot;.  Miss u dad.
> BOC 4 lyfe!, 'sup to Debuc, Mekt, and jhs87. Thanks to the fam, &amp; mom
> for everything.
> Danielle - I love you!
> Ang - I am so proud of you!
>
> &amp; hey.  Can we get &quot;Heroes&quot; back on the air already?  Kthx.
>
> Vendor Timeline
> 12.13.2007: Vendor notified via support portal
> 12.13.2007: Vendor escalated to security team
> 12.14.2007: Vendor requested more detail, detail provided
> 12.19.2007: Vendor confirmed and scheduled initial fix by 1.23.2008
> 1.16.2008: Vendor requested delay til ~2.4.2008
> 2.4.2008: Vendor confirmed release date of 2.5.2008 @ 4:00pm PST
> 2.5.2008: Vendor released bulletin on website, no customer notification
> 2.6.2006: Vendor reports they notified customers at 4:00PM PST
>
> Copyright (c) 2008 Mike Vasquez
> You can redistribute electronically, but don't edit it in any way
> without the express permission of Mike Vasquez. Any reprint of this
> alert, in whole or in part in any non-electronic medium must have
> permission, email mnv at alumni dot princeton dot edu.
>
> Disclaimer
> This alert may change without notice. Use of this info constitutes
> acceptance for use AS IS. No warranties are implied or expressed. I'm
> not liable for direct or indirect damages arising from the use or
> distribution of this information. Use it at your own risk.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ