Home page logo

bugtraq logo Bugtraq mailing list archives

Checkpoint FW1 SecuRemote/SecureClient "re-authentication" (client side hacks of users.C)
From: Cedric Amand <mailing-lists () cedric net>
Date: Fri, 8 Mar 2002 08:32:02 +0100


Affected products :
        All versions of Checkpoint FW1 when used with SecuRemote/SecureClient
        (Namely 4.0, 4.1 at any SP level, and NG FP1) 

Description :
        Checkpoint Firewall-1 SecuRemote/SecureClient "authentication
        timeout" defined in FW1's security policy can be trivially
        bypassed at the client side. Probably more "tweaks" can be done.

Vendor Status :
        Contacted & acknowledged. Explains some ways to mitigate.
        Vendor answer attached to this advisory.

Description :
   When using Checkpoint FW1 together with Remote Users connected thru
   SecuRemote and SecureClient
   ( http://www.checkpoint.com/techsupport/downloads_sr.html ),
   firewall administrators have the possibility to make these remote 
   users re-authenticate after X minutes.

   This can be found in FW1's GUI inside :
           Global Properties -> Desktop Security -> Validation timeout

   This feature is described in the help file as :
           Validation timeout every...minutes
           If checked, users must re-authenticate after the specified time.

   However, this setting can be trivially bypassed by modifiyng 
   the *client side*, inside Securemote's "users.C" configuration file. 
   (Your receive this file when first authenticating. It doesn't change 
    until you "update" the site. Users.C also contains the encryption 
    domain, and a lot of other stuff to play with, see references.)

   Values to modify are "to_expire (true)" and/or "expire (60)"

   Replacing "true" by "false" will make your connection permanent,
   (no need to re-authentify whatever your Firewall admin wants)
           Changing the expire timeout (in minutes) to your 
           liking can be used as well.

   Nothing in the docs warns about this behaviour.
   I believe this behaviour exists since years, as we discovered
   this "feature" under FW1 4.0, it was still working with 4.1 (any
   service pack) and is still working with FW1-NG FP1.

   I believe there are plenty of others settings that can be played
   with inside users.C, modifying DNS, encryption domains & networks
   is know to work, tough it leads to nothing useful if your security
   policy is solid. I mostly consider my advisory as a "proof of
   concept" on client-side users.C hacks.

Severity :
        Low. But if you actually use this feature inside
        your company and think it's doing anything useful 
        about your security : you're wrong.

References & acknowledgements :
        . Discovered by Amaury de Ville & C├ędric Amand.
        . A previous analysis of "users.C" inside "pen-test"
        (according to google, the web page speaking about this)

Author :
        Cedric Amand - cedric () cedric net

Vendor Answer :

This email is in response to the issue you have raised with the
re-authentication handling in VPN-1 SecuRemote and SecureClient.

First off, thank you for sending this email to Check Point, we appreciate
the ability to respond to possible security concerns in a low key,
deliberative manner.

WRT the issue at hand: generally speaking, yes, the re-authentication
mechanism can be manipulated on the client side to reduce the need for
re-entering credentials, overriding the management station settings.  To
accomplish this several things must be in place:
1 - the user must be an authorized user (i.e., has a SR
username/authentication credentials)
2 - the user must be using "cacheable" credentials, such as: pre-shared
secret, OS password or FW-1 internal passwords
3 - the user must be able to edit the userc.C file
4 - the user must have some hostile intent or is very uneducated in security
practices (like posting their credentials on their keyboard) or their
machine has been compromised.

Several mechanisms exist to mitigate the above:
- As of NG, the userc.C file does not need to be writeable by
non-adminstrator privileged users.  For bounded OSes like NT, 2000, and XP
this solves the issue, unless the user has administrative privileges.
- Using a one time (S/Key) or periodic-based authentication credential
- The encrypt_db (available in 4.0, 4.1 and NG) feature allows FW-1
administrators to, in effect, hide the topology data within userc.C where
these settings are located.  The encrypt_db property is NOT overridable by
the client (i.e., even if they change the setting of obscure_db in userc.C
they must delete/re-create the site to get in clear).  Clearly, this is a
security-through-obscurity mechanism and is not perfect.
- As of 4.1, one can force topology data to be updated automatically and
frequently, forcing the user to modify these re-authentication settings in
the userc.C after each update (these are override-able, but can be obscured
as well).

In summary, although yes, in theory you can override the re-authentiction
timer, it does require someone with authorized credentials (or a compromised
machine with those credentials available).  And, there are ways to
manage/mitigate this.

We will also look at steps to add some mechanisms to enforce this, but
again, for platforms like WinCE, and 9X this is problematic due to the lack
of a privileged (super)user mechanism inherent in these OSes.

Thank you again for your communication on this matter.


  By Date           By Thread  

Current thread:
  • Checkpoint FW1 SecuRemote/SecureClient "re-authentication" (client side hacks of users.C) Cedric Amand (Mar 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]