
Re: [Full-disclosure] Checkpoint SecureClient NGX Security Policy can easily be disabled



On Wed, Dec 07, 2005 at 12:54:02PM +0100, Viktor Steinmann wrote:
> (...) Checkpoint SecureClient enforces a policy on the VPN Client,
> which you can define on the VPN Endpoint you log on to (the firewall).
> Furthermore SecureClient includes a personal firewall, which protects
> the VPN Client from the network around him. Every time the VPN Client
> opens the VPN tunnel, the policy is updated, so you can be sure, that
> your policy is the latest one. In the above situation, you would
> create a policy, which checks several parameters, to ensure the
> workstation is one of yours, e.g. check the windows serial number,
> check a specific process which must be running, you could even check
> the CPUID.
> 
> Checkpoint's Datasheet
> (http://www.checkpoint.com/products/downloads/vpn-1_clients_datasheet.pdf)
> says:
> "VPN-1 SecureClient strengthens enterprise security by ensuring client
> machines cannot be configured to circumvent the enterprise security
> policy."
> 
> So far, so good.
> 
> Now we've found a way, to disable that security policy very easily (a
> 3 line batch is all it needs). This means, that people who have a
> login to your VPN site can use whatever hardware they like. No security
> policy is enforced, no personal firewall is running - but the VPN part
> works.
> 
> And now to the sugar part: The Procedure that makes it work:
> 
> Step a) Download SecureClient from the Checkpoint Website
> Step b) Install SecureClient
> Step c) Connect to the VPN Endpoint (which will download the policy)
> Step d) Copy the downloaded policy (local.scv) to a different name
> (e.g. x.scv)
> Step e) Shutdown SecureClient
> Step f) Create a Batch-File, that looks like this
> 
> :Loop
> copy x.scv local.scv
> goto Loop
> 
> Step g) Edit x.scv to suit your needs (so you fulfill the policy)
> Step h) Run your batch
> Step i) Start SecureClient
> Step j) Connect to the VPN Endpoint and be surprised, that this stupid
> trick works...

Actually, be not very surprised at all. It's a little surprising that it
is *this* easy to bypass it, but hardly surprising that this flawed
concept doesn't work.

                Joachim
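As an added illustration from the defender's side (not code from the post, and not Check Point's own), here is a small Python check that compares what the client has on disk against the hash of the policy the gateway delivered and flags the rapid-rewrite pattern the copy/goto loop above produces. The policy contents and the sampling interface are assumptions; because it runs on the same client, it shares the weakness Joachim describes and only raises the bar.

```python
import hashlib

# Constructed sample data (hypothetical policy contents; the real .scv
# format is not described in the post).
GATEWAY_POLICY = b"scv-policy: require_process=corp_agent.exe; check_cpuid=yes\n"
EDITED_POLICY = b"scv-policy: (all checks removed)\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def analyse_policy_samples(samples, expected_hash, window=5.0, max_writes=3):
    """samples: list of (mtime_seconds, content_bytes) observations of local.scv.

    Two findings are possible:
      * the file on disk does not (always) match the gateway-delivered policy
      * the file is rewritten more than max_writes times inside `window`
        seconds, which is what the copy/goto loop in the post produces.
    """
    findings = []
    on_disk = {sha256_hex(content) for _, content in samples}
    if on_disk != {expected_hash}:
        findings.append("local.scv content differs from gateway-delivered policy")
    mtimes = sorted({mtime for mtime, _ in samples})
    for start in mtimes:
        writes = sum(1 for t in mtimes if start <= t < start + window)
        if writes > max_writes:
            findings.append(
                f"{writes} rewrites of local.scv within {window:g}s (possible overwrite loop)"
            )
            break
    return findings


def demo():
    """Constructed scenario: mtime changes every second, content is always the edited copy."""
    expected = sha256_hex(GATEWAY_POLICY)
    samples = [(float(t), EDITED_POLICY) for t in range(6)]
    return analyse_policy_samples(samples, expected)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```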
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/