Check Point Connectra R62 Login Script Injection Vulnerability
scip AG Vulnerability ID 4020 (09/04/2009)
http://www.scip.ch/?vuldb.4020 

I. INTRODUCTION

Check Point Connectra is a so-called SSL-VPN solution, which allows
users to access a remote system using a regular web browser.

More information is available on the official product web site at the
following URL[1]:

http://www.checkpoint.com/products/connectra/index.html 

II. DESCRIPTION

Stefan Friedli at scip AG (Switzerland) found an input validation error
within the current release, which enabled an attacker to perform various
web-based attacks.

The initial logon script at /Login/Login, that is being used for
unauthenticated users to log in, fails to perform proper input
validation on the data that is being submitted via HTTP POST. While
certain fields are escaped before being sent back to users browser, the
parameter "vpid_prefix" lacks any validation and is therefore vulnerable
to script injection.
Other parts of the application might be affected too.

This vulnerability has been tested on version R62, other versions might
be affected as well.

III. EXPLOITATION

Classic script injection techniques and unexpected input data within a
browser session can be used to exploit these vulnerabilities. The target
application does actually check for certain patterns and prevents an
attacker from using easy exploiting strings containing substrings like
"script", "javascript", "alert" or similar. However, we consider this to
be an imperfect mechanism that is unable to prevent an attack using a
more sophisticated payload. For a selection, you might want to check
RSnakes popular XSS Cheat Sheet[2], which contains several patterns not
being detected by the filter in place, allowing you execute any
arbitrary, externally hosted payload.

We exploited the vulnerability for a customer in order to proof the
possibility to capture usernames and passwords. One of the possibilities
mentioned above is, to embed a remote flash file and grant it the
permission to execute script code. 

Vulnerable Variable Value:

vpid_prefix = "> 
allowScriptAccess=always>loginType=Standard&userName=&vpid_prefix=">value=""> 
allowScriptAccess=always>
--- CUT END ---

IV. IMPACT

Because non-authenticated parts of the software are affected, this
vulnerability is serious for every secure environment. Non-authenticated
users might be able to exploit this flaw to gain elevated privileges in
the target environment (e.g. extracting sensitive cookie information or
login information) or to perform any other form of web-based attacks.
Due to the fact that the application will often be allowed to make use
of ActiveX, it can also be used as a springboard to inject other
payloads, for example MS09-037[3] or any other vulnerability disclosed
lately, that might be exploited using a web browser.

Because other parts of the application might be affected too - this
could include some second order vulnerabilities - a severe attack
scenario might be possible.

V. DETECTION

Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to propose a HTML tag.
In some cases single (') or double quotes (") are required to inject the
code in a given HTML statement. Some implementation of security systems
are looking for well-known attack tags as like