[Full-disclosure] Checkpoint SecuRemote/Secure Client NGX Auto Local Logon Vulnerability
Rodrigo Rubira Branco (BSDaemon)
rodrigo at kernelhacking.com
Thu Feb 7 15:32:18 GMT 2008
Or better... how to be Bill Gates, if Bill Gates uses a CheckPoint VPN
Client AND you have access to some machine he used.
I agree it's a medium problem... why try to make it so special?
Kernel Hacking: If I really know, I can hack
GPG KeyID: 1FCEDEA1
--------- Original Message --------
From: Michael Neal Vasquez <mnv at alumni.princeton.edu>
To: full-disclosure at lists.grok.org.uk <full-disclosure at lists.grok.org.uk>,
bugtraq at securityfocus.com <bugtraq at securityfocus.com>
Subject: [Full-disclosure] Checkpoint SecuRemote/Secure Client NGX Auto
Local Logon Vulnerability
Date: 07/02/08 14:15
> Bulletin Release 02.06.08
> Checkpoint SecuRemote/Secure Client NGX Auto Local Logon Vulnerability
> (Or, How to Be Bill Gates, if Bill Gates uses a CheckPoint VPN Client)
> Discovery Date:
> December 13, 2007
> Vendor Release Date:
> February 6, 2008
> Impersonation of users. What's your VPN protecting?
> Checkpoint says.... MEDIUM
> Systems Affected:
> VPN-1 SecuRemote/SecureClient NGX R60 for Windows
> VPN-1 SecuRemote/SecureClient NGAI R56 for Windows
> Earlier versions may be affected as well
> Issues with credential storage in the registry allow anyone with read
> access to the registry to utilize stored credentials to login and
> impersonate the user who stored their credentials.
> Technical Details:
> Sorry, no sexxy buffer overflow! However, you too can be an
> authenticated VPN user!
> Checkpoint's VPN client has an option to store credentials. All users
> have read access to the registry key where these are stored. A user
> can export this registry key, install the software, and configure it
> to cache credentials. Then, import the registry and connect. No
> prompting, and you are now the alternate user. Bad hacker, bad!
> A user has enabled the Auto Local Logon option in the client, and
> stored their credentials. These credentials are kept in the registry,
> under HKLM\Software\Checkpoint\SecuRemote. Credentials are
> specifically under the subkey named
> Permissions for the Checkpoint key are set to Everyone Full Control.
> This means anyone with a local logon to the machine, or any
> administrator from a remote machine, if remote registry access is
> enabled, can view and export this key. Next step: Install the client
> on another machine, and reboot as required. Configure Auto Local
> Logon, and create a site, but provide no credentials. Import the key.
> You are now the other person. Probably not Bill Gates, but still,
> Disable the caching of credentials. Who's a fan of that anyway.
> Alternately, see the vendor fix below.
> Vendor Status:
> Checkpoint has released a bulletin for this issue, at:
> Good job, Check Point! Thanks for all the follow through, I'd work
> with you guys again. Vendor timeline below.
> MN Vasquez
> <3 4 God, nothing else matters. Props to #13 Kurt Warner, Ron
> Wolfley & Johnny Long, who "get it". Miss u dad.
> BOC 4 lyfe!, 'sup to Debuc, Mekt, and jhs87. Thanks to the fam, & mom
> for everything.
> Danielle - I love you!
> Ang - I am so proud of you!
> & hey. Can we get "Heroes" back on the air already? Kthx.
> Vendor Timeline
> 12.13.2007: Vendor notified via support portal
> 12.13.2007: Vendor escalated to security team
> 12.14.2007: Vendor requested more detail, detail provided
> 12.19.2007: Vendor confirmed and scheduled initial fix by 1.23.2008
> 1.16.2008: Vendor requested delay til ~2.4.2008
> 2.4.2008: Vendor confirmed release date of 2.5.2008 @ 4:00pm PST
> 2.5.2008: Vendor released bulletin on website, no customer notification
> 2.6.2006: Vendor reports they notified customers at 4:00PM PST
> Copyright (c) 2008 Mike Vasquez
> You can redistribute electronically, but don't edit it in any way
> without the express permission of Mike Vasquez. Any reprint of this
> alert, in whole or in part in any non-electronic medium must have
> permission, email mnv at alumni dot princeton dot edu.
> This alert may change without notice. Use of this info constitutes
> acceptance for use AS IS. No warranties are implied or expressed. I'm
> not liable for direct or indirect damages arising from the use or
> distribution of this information. Use it at your own risk.
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
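The root cause the advisory describes is an ACL problem: the SecuRemote key is readable (Full Control, in fact) by Everyone, so any local user, or a remote administrator when the Remote Registry service is running, can export whatever is cached there. An administrator checking their own fleet for this condition can audit it directly. The script below is an added example for that purpose; it is not part of the advisory, the mailing-list thread, or Check Point's software. It assumes the key path given in the post (HKLM:\SOFTWARE\Checkpoint\SecuRemote); because the post does not name the credential subkey, it audits the parent key and every subkey beneath it. The list of "broad" principals is the author's choice for this example.

```powershell
# Added example (not from the advisory or from Check Point): audit the ACL on
# the SecuRemote registry key named in the post and report whether the Remote
# Registry service would expose it to remote administrators as well.
# Assumed: key path from the post; the credential subkey name is not given in
# the post, so the parent key and all subkeys are checked.
# Run in an elevated PowerShell on the workstation being audited.

$SecuRemoteKey = 'HKLM:\SOFTWARE\Checkpoint\SecuRemote'   # path from the post

# Principals that should never hold an Allow ACE on a key that may cache
# credentials. Chosen for this example; extend to match local policy.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-BroadRegistryAccess {
    <#
    .SYNOPSIS
    Returns one object per Allow ACE that grants a broad principal any rights
    on the given key or its subkeys. An empty result means no broad principal
    can read (or export) the key.
    #>
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path not present; the client may not be installed here."
        return @()
    }

    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        $acl = Get-Acl -LiteralPath $key.PSPath
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }

            $full = [System.Security.AccessControl.RegistryRights]::FullControl
            [pscustomobject]@{
                Key         = $key.Name
                Principal   = $ace.IdentityReference.Value
                Rights      = $ace.RegistryRights.ToString()
                # Everyone:FullControl is exactly the condition the post describes.
                FullControl = (($ace.RegistryRights -band $full) -eq $full)
                # An inherited ACE means the problem starts higher in the hive.
                Inherited   = $ace.IsInherited
            }
        }
    }
}

function Test-RemoteRegistryExposure {
    # The post notes that a remote administrator can read the key when remote
    # registry access is enabled; the service state tells you whether the
    # exposure is limited to local logons or reaches across the network.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'RemoteRegistry service not found on this host' }
    return "RemoteRegistry is $($svc.Status) (start type: $($svc.StartType))"
}

$findings = @(Get-BroadRegistryAccess -Path $SecuRemoteKey)
if ($findings.Count -eq 0) {
    Write-Host "No broad Allow ACEs found under $SecuRemoteKey"
} else {
    Write-Host "Over-permissive ACEs under $SecuRemoteKey (cached credentials readable by other users):"
    $findings | Format-Table -AutoSize
}
Write-Host (Test-RemoteRegistryExposure)
```

The script only reports; it does not rewrite the ACL, because the client needs to read and write the key on behalf of the logged-on user and the safe correction is the one the post gives: apply the vendor fix, or turn off credential caching (Auto Local Logon) so there is nothing under the key worth exporting. Any finding with `Inherited = True` should be traced up to the parent key that granted it.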