Full Disclosure mailing list archives
Re: Checkpoint SecuRemote/Secure Client NGX Auto Local Logon Vulnerability
From: "Rodrigo Rubira Branco (BSDaemon)" <rodrigo () kernelhacking com>
Date: Thu, 7 Feb 2008 15:32:18 -0000
Or better... how to be Bill Gates, if Bill Gates uses a CheckPoint VPN Client AND you have access to some machine he used.

I agree it's a medium problem... why try to make it so special?

cya,

Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If I really know, I can hack
GPG KeyID: 1FCEDEA1

--------- Original Message --------
From: Michael Neal Vasquez <mnv () alumni princeton edu>
To: full-disclosure () lists grok org uk <full-disclosure () lists grok org uk>, bugtraq () securityfocus com <bugtraq () securityfocus com>
Subject: [Full-disclosure] Checkpoint SecuRemote/Secure Client NGX Auto Local Logon Vulnerability
Date: 07/02/08 14:15
http://www.digihax.com

Bulletin Release 02.06.08

Checkpoint SecuRemote/Secure Client NGX Auto Local Logon Vulnerability
(Or, How to Be Bill Gates, if Bill Gates uses a CheckPoint VPN Client)

Discovery Date: December 13, 2007
Vendor Release Date: February 6, 2008

Severity: Impersonation of users. What's your VPN protecting? Checkpoint says.... MEDIUM

Vendor: Checkpoint

Systems Affected:
VPN-1 SecuRemote/SecureClient NGX R60 for Windows
VPN-1 SecuRemote/SecureClient NGAI R56 for Windows
Earlier versions may be affected as well

Overview:
Issues with credential storage in the registry allow anyone with read access to the registry to utilize stored credentials to login and impersonate the user who stored their credentials.

Technical Details:
Sorry, no sexxy buffer overflow! However, you too can be an authenticated VPN user!
Checkpoint's VPN client has an option to store credentials. All users have read access to the registry key where these are stored. A user can export this registry key, install the software, and configure it to cache credentials. Then, import the registry and connect. No prompting, and you are now the alternate user. Bad hacker, bad!

Scenario:
A user has enabled the Auto Local Logon option in the client, and stored their credentials. These credentials are kept in the registry, under HKLM\Software\Checkpoint\SecuRemote. Credentials are specifically under the subkey named... "Credentials". Sneaky!
Permissions for the Checkpoint key are set to Everyone Full Control. This means anyone with a local logon to the machine, or any administrator from a remote machine, if remote registry access is enabled, can view and export this key.
Next step: Install the client on another machine, and reboot as required. Configure Auto Local Logon, and create a site, but provide no credentials. Import the key. You are now the other person. Probably not Bill Gates, but still, messy.

Fix:
Disable the caching of credentials. Who's a fan of that anyway.
Alternately, see the vendor fix below.

Vendor Status:
Checkpoint has released a bulletin for this issue, at:
https://supportcenter.checkpoint.com/supportcenter/PublicLoginRedirect.jsp?toURL=eventSubmit_doGoviewsolutiondetails=%26solutionid=sk34315

Good job, Check Point! Thanks for all the follow-through, I'd work with you guys again. Vendor timeline below.

Credit: MN Vasquez

Greetings: <3 4 God, nothing else matters. Props to #13 Kurt Warner, Ron Wolfley & Johnny Long, who "get it". Miss u dad. BOC 4 lyfe!, 'sup to Debuc, Mekt, and jhs87. Thanks to the fam, & mom for everything. Danielle - I love you! Ang - I am so proud of you! & hey. Can we get "Heroes" back on the air already? Kthx.

Vendor Timeline
12.13.2007: Vendor notified via support portal
12.13.2007: Vendor escalated to security team
12.14.2007: Vendor requested more detail, detail provided
12.19.2007: Vendor confirmed and scheduled initial fix by 1.23.2008
1.16.2008: Vendor requested delay til ~2.4.2008
2.4.2008: Vendor confirmed release date of 2.5.2008 @ 4:00pm PST
2.5.2008: Vendor released bulletin on website, no customer notification
2.6.2006: Vendor reports they notified customers at 4:00PM PST

Copyright (c) 2008 Mike Vasquez
You can redistribute electronically, but don't edit it in any way without the express permission of Mike Vasquez. Any reprint of this alert, in whole or in part in any non-electronic medium must have permission, email mnv at alumni dot princeton dot edu.

Disclaimer
This alert may change without notice. Use of this info constitutes acceptance for use AS IS. No warranties are implied or expressed. I'm not liable for direct or indirect damages arising from the use or distribution of this information. Use it at your own risk.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
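The exposure the advisory describes (a world-readable client key holding an Auto Local Logon credential cache, exportable locally or via remote registry) can be checked from the defender's side with the following PowerShell audit. This is an added example, not code from the original post or from Check Point's fix; it assumes the key path HKLM\Software\Checkpoint\SecuRemote and the "Credentials" subkey named in the advisory exist on the client build being audited, and that the Remote Registry service carries its standard name RemoteRegistry.

```powershell
# Audit for cached SecuRemote/SecureClient credentials exposed through a
# permissive registry ACL. Key and subkey names are taken from the advisory;
# whether they exist on a given client version is an assumption.
$KeyPath = 'HKLM:\Software\Checkpoint\SecuRemote'

function Test-SecuRemoteCredentialExposure {
    param([string]$Path = $KeyPath)

    $findings = @()
    if (-not (Test-Path -LiteralPath $Path)) {
        return @("Key $Path not present; client not installed or registry layout differs.")
    }

    # 1. Which broad principals can read or modify the key?
    #    The advisory reports Everyone: Full Control on the parent key.
    $broadPrincipals = @('Everyone', 'BUILTIN\Users',
                         'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        $id = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $id) {
            $findings += "ACL: '$id' is allowed '$($rule.RegistryRights)' on $Path"
        }
    }

    # 2. Is the Auto Local Logon credential cache present at all?
    #    Disabling credential caching (the advisory's fix) removes this exposure.
    $credKey = Join-Path -Path $Path -ChildPath 'Credentials'
    if (Test-Path -LiteralPath $credKey) {
        $valueCount = (Get-Item -LiteralPath $credKey).ValueCount
        $findings += "Cached credentials subkey present with $valueCount value(s): $credKey"
    }

    # 3. Can the key be exported from the network? The advisory notes remote
    #    administrators can read it when remote registry access is enabled.
    $svc = Get-Service -Name 'RemoteRegistry' -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        $findings += 'RemoteRegistry service is running; the key is reachable by remote administrators'
    }

    return $findings
}

$result = Test-SecuRemoteCredentialExposure
if ($result.Count -eq 0) {
    'No exposure indicators found.'
} else {
    $result | ForEach-Object { "FINDING: $_" }
}
```

Run it in an elevated session on each client host; a report that shows both a broad-principal Allow rule and a populated Credentials subkey is the combination the advisory warns about, and the remediation is to turn off credential caching (or apply the vendor fix) and then confirm the subkey is gone.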