SecurityTracker.com
SecurityTracker
Archives


 


Category:   Application (VPN)  >   FireWall-1/VPN-1
Vendors:   Check Point
Check Point VPN-1 SecureClient Lets Local Users Bypass Security Policy
SecurityTracker Alert ID:  1015326
SecurityTracker URL:  http://securitytracker.com/id/1015326
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 7 2005
Impact:   Modification of system information
Exploit Included:  Yes  
Version(s): SecureClient NGX
Description:   A vulnerability was reported in Check Point VPN-1 SecureClient. A local user can disable the security policy.

A local user can copy the remotely supplied policy file (local.scv) to a file with a different name. Then, the user can edit the new file and create a batch file that, in a loop, continuously copies the new file to the old file name. When the SecureClient is started, the original remotely supplied policy will not be enforced.

Viktor Steinmann reported this vulnerability.

Impact:   A local user can disable the security policy.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.checkpoint.com/
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Checkpoint SecureClient NGX Security Policy can

Situation: Employees should be allowed to access your company network
remotely by VPN. You want to make sure that only the hardware of your own
company is allowed to access the network on the VPN. This is because your company
hardware uses a hardened operating system (personal firewall, virus scanner
etc.) and you want to make sure that no viruses/trojans etc. are transported
into your company network by the VPN from badly configured hardware and/or home
networks of your employees.

Solution: Checkpoint SecureClient enforces a policy on the VPN Client, which you
can define on the VPN Endpoint you log on to (the firewall). Furthermore,
SecureClient includes a personal firewall, which protects the VPN Client from
the network around it. Every time the VPN Client opens the VPN tunnel, the
policy is updated, so you can be sure that your policy is the latest one. In
the above situation, you would create a policy which checks several
parameters to ensure the workstation is one of yours, e.g. check the Windows
serial number, check a specific process which must be running; you could even
check the CPUID.

Checkpoint's datasheet
(http://www.checkpoint.com/products/downloads/vpn-1_clients_datasheet.pdf)
says:
"VPN-1 SecureClient strengthens enterprise security by ensuring client machines
cannot be configured to circumvent the enterprise security policy."

So far, so good.

Now we've found a way to disable that security policy very easily (a 3-line
batch is all it needs). This means that people who have a login to your VPN
site can use whatever hardware they like. No security policy is enforced, no
personal firewall is running - but the VPN part works.

And now to the sugar part: The Procedure that makes it work:

Step a) Download SecureClient from the Checkpoint Website
Step b) Install SecureClient
Step c) Connect to the VPN Endpoint (which will download the policy)
Step d) Copy the downloaded policy (local.scv) to a different name (e.g. x.scv)
Step e) Shut down SecureClient
Step f) Create a batch file that looks like this:

:Loop
copy x.scv local.scv
goto Loop

Step g) Edit x.scv to suit your needs (so you fulfill the policy)
Step h) Run your batch
Step i) Start SecureClient
Step j) Connect to the VPN Endpoint and be surprised that this stupid trick
works...

Cheers,
Viktor

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
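
One way to detect the overwrite loop described above from file-write telemetry, as an added example that is not part of the advisory or the original post. The event format, the paths, the client process name vpnclient.exe and the thresholds are assumptions constructed for illustration; the legitimate client writes local.scv once per connection, while the loop rewrites it continuously.

```python
from collections import defaultdict, deque
from datetime import datetime
import ntpath

POLICY_FILE = "local.scv"   # policy file name taken from the advisory
WINDOW_SECONDS = 5          # assumed tuning value
MAX_WRITES = 3              # assumed: writes per window that count as a loop

# Constructed file-write events: timestamp,writing process,target file.
# Paths and the client name vpnclient.exe are placeholders, not real values.
SAMPLE_EVENTS = r"""
2005-12-07T09:00:00,C:\Example\vpnclient.exe,C:\Example\policy\local.scv
2005-12-07T09:04:00,C:\Windows\System32\cmd.exe,C:\Example\policy\x.scv
2005-12-07T09:05:01,C:\Windows\System32\cmd.exe,C:\Example\policy\local.scv
2005-12-07T09:05:01,C:\Windows\System32\cmd.exe,C:\Example\policy\LOCAL.SCV
2005-12-07T09:05:02,C:\Windows\System32\cmd.exe,C:\Example\policy\local.scv
2005-12-07T09:05:02,C:\Windows\System32\cmd.exe,C:\Example\policy\local.scv
2005-12-07T09:05:03,C:\Windows\System32\cmd.exe,C:\Example\policy\local.scv
"""


def find_policy_overwrite_bursts(lines, window=WINDOW_SECONDS, limit=MAX_WRITES):
    """Map each process to its peak count of policy-file writes inside
    `window` seconds, for processes whose peak reaches `limit`.
    Events must be in chronological order."""
    recent = defaultdict(deque)   # process -> timestamps still in the window
    peaks = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        stamp, process, target = line.split(",", 2)
        # ntpath parses Windows paths on any host OS; names are case-insensitive.
        if ntpath.basename(target).lower() != POLICY_FILE:
            continue
        when = datetime.fromisoformat(stamp)
        writes = recent[process.lower()]
        writes.append(when)
        while (when - writes[0]).total_seconds() > window:
            writes.popleft()
        if len(writes) >= limit:
            peaks[process.lower()] = max(peaks.get(process.lower(), 0), len(writes))
    return peaks


if __name__ == "__main__":
    for proc, count in find_policy_overwrite_bursts(SAMPLE_EVENTS.splitlines()).items():
        print(f"ALERT: {proc} wrote {POLICY_FILE} {count} times within {WINDOW_SECONDS}s")
```
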

 
 



Copyright 2021, SecurityGlobal.net LLC