Full Disclosure mailing list archives

Re: Checkpoint SecureClient NGX Security Policy can easily be disabled


From: Joachim Schipper <j.schipper () math uu nl>
Date: Wed, 7 Dec 2005 15:42:33 +0100

On Wed, Dec 07, 2005 at 12:54:02PM +0100, Viktor Steinmann wrote:
> (...) Checkpoint SecureClient enforces a policy on the VPN Client,
> which you can define on the VPN Endpoint you log on to (the firewall).
> Furthermore, SecureClient includes a personal firewall, which protects
> the VPN Client from the network around it. Every time the VPN Client
> opens the VPN tunnel, the policy is updated, so you can be sure that
> your policy is the latest one. In the above situation, you would
> create a policy which checks several parameters to ensure the
> workstation is one of yours, e.g. check the Windows serial number,
> check for a specific process which must be running; you could even check
> the CPUID.
>
> Checkpoint's datasheet
> (http://www.checkpoint.com/products/downloads/vpn-1_clients_datasheet.pdf)
> says:
> "VPN-1 SecureClient strengthens enterprise security by ensuring client
> machines cannot be configured to circumvent the enterprise security
> policy."
>
> So far, so good.
>
> Now we've found a way to disable that security policy very easily (a
> 3-line batch file is all it needs). This means that people who have a
> login to your VPN site can use whatever hardware they like. No security
> policy is enforced, no personal firewall is running - but the VPN part
> works.
>
> And now to the sugar part: the procedure that makes it work:
>
> Step a) Download SecureClient from the Checkpoint website
> Step b) Install SecureClient
> Step c) Connect to the VPN Endpoint (which will download the policy)
> Step d) Copy the downloaded policy (local.scv) to a different name
> (e.g. x.scv)
> Step e) Shut down SecureClient
> Step f) Create a batch file that looks like this:
>
> :Loop
> copy x.scv local.scv
> goto Loop
>
> Step g) Edit x.scv to suit your needs (so you fulfill the policy)
> Step h) Run your batch file
> Step i) Start SecureClient
> Step j) Connect to the VPN Endpoint and be surprised that this stupid
> trick works...

Actually, be not very surprised at all. It's a little surprising that it
is *this* easy to bypass it, but hardly surprising that this flawed
concept doesn't work.

                Joachim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
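The weakness described in the thread is that the client applies whatever policy file it finds on its own disk, so overwriting local.scv with an edited copy changes what gets enforced. The following is an added illustration, not code from Check Point, from Viktor Steinmann or from Joachim Schipper: a toy gateway issues a policy with an HMAC-SHA256 tag, and the toy client refuses to apply a policy whose tag does not verify. The JSON layout, the key and the policy fields are all constructed for the example and have nothing to do with the real .scv format. It shows the kind of integrity check a practitioner would want before a cached policy is trusted, and the caveat Joachim's reply points at still holds: the verification code and the key both live on the machine the attacker controls, so this raises the bar for a file-copy trick but cannot make a client-side policy unbypassable.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; in a real deployment this would have to be
# provisioned to the client and is itself recoverable by whoever owns the box.
GATEWAY_KEY = b"constructed-demo-key-not-a-real-secret"

# Hypothetical policy checks of the kind the quoted post describes
# (required process, machine identity, personal firewall state).
ISSUED_POLICY = {
    "required_process": "corp-agent.exe",
    "windows_serial_prefix": "ACME-",
    "personal_firewall": "on",
}


def issue_policy(policy: dict, key: bytes) -> bytes:
    """Gateway side: serialise the policy and append an HMAC-SHA256 tag.

    Any byte of the body that is changed after download invalidates the tag,
    so a cached copy edited "to suit your needs" no longer verifies.
    """
    body = json.dumps(policy, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def load_policy(blob: bytes, key: bytes) -> Optional[dict]:
    """Client side: return the policy only if its tag verifies, else None."""
    try:
        body, tag = blob.rsplit(b"\n", 1)
    except ValueError:  # no tag at all
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison so the check does not leak tag bytes.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def tampered_copy(blob: bytes) -> bytes:
    """Constructed test input: the body edited to relax two checks while the
    original tag is kept, standing in for the edited x.scv in the post."""
    body, tag = blob.rsplit(b"\n", 1)
    policy = json.loads(body)
    policy["personal_firewall"] = "off"
    policy.pop("required_process")
    return json.dumps(policy, sort_keys=True).encode() + b"\n" + tag


def policy_is_intact(blob: bytes, key: bytes = GATEWAY_KEY) -> bool:
    """Detection helper: True if the cached policy matches what was issued."""
    return load_policy(blob, key) is not None


if __name__ == "__main__":
    issued = issue_policy(ISSUED_POLICY, GATEWAY_KEY)
    print("issued policy verifies:", policy_is_intact(issued))
    print("edited copy verifies:  ", policy_is_intact(tampered_copy(issued)))
```

Because `policy_is_intact` runs on the client, a user with local administrator rights can patch it out or read `GATEWAY_KEY` from the binary; the gateway therefore has to treat every client as untrusted and enforce on its own side what actually matters (per-user access, what the tunnel may reach), which is the conclusion the reply draws.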