0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
CheckPoint / Sofaware Firewall XSS / CSRF / Redirection / Disclosure
Multiple peristent XSS, XSS, XSRF, offsite redirection and information disclosure flaws within CheckPoint/Sofaware firewalls Vulnerability found: 3rd May 2011 Vendor informed: 20th July 2011 Vulnerability fixed: 16th October 2011/14 December 2011 Severity: High Description: CheckPoint/Sofaware firewalls are popular compact UTM (Unified Threat Management) devices, commonly found deployed in corporate satellite offices sometimes even within private households. ProCheckUp has discovered that multiple peristent XSS, XSS, XSRF, offsite redirection and information disclosure vulnerabilities exist within these firewalls. Which might allow the protective nature of the firewall to be subverted, placing internal users at risk from attack. Please see our paper titled "Checkpoint/SofaWare Firewall Vulnerability Research", for more better details. Tested on versions 7.5.48x, 8.1.46x and 8.2.2x. 1) The following demonstrate the reflective XSS flaws:- a) The Ufp.html page is vulnerable to XSS via the url parameter It works by submitting a malicious url parameter to the ufp.html page http://192.168.10.1/pub/ufp.html?url="><script>alert(1)</script>&mask=000&swpreview=1 This works with firmware versions 7.5.48x, 8.1.46x and 8.2.2x. b) The login page is also vulnerable to an XSS via the malicious session cookie It works by submitting a malicious session cookie to the login page Cookie: session="><script>alert(1)</script> c) An authenticated XSS exists within the diagnostics command http://192.168.10.1/diag_command.html?sw__ver=blah1&swdata=blah2&sw__custom='");alert(1);// (this might need to be submitted twice) Consequences: An attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link to Checkpoint firewall hosted page. Such code would run within the security context of the target domain. This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: session IDs) to unauthorised third parties. 2) The following demonstrate the persistent XSS flaws and XSRF flaws:- a) The blocked URL warning page is vulnerable to a persistent XSS attack placing any internal users at risk of attack when the page is displayed. First an attacker has to trick the administrator to follow a XSRF attack; the (swsessioncookie) session cookie for simplicity sake is shown though JavaScript document.cookie can be used to subvert this protection (see paper). http://192.168.10.1/UfpBlock.html?swcaller=UfpBlock.html&swsessioncookie=20KHYp5-oS7rKmS-a4rq4j&swsave=1&ufpblockhttps=0&ufpbreakframe=&backurl=WebRules.html&ufpblockterms=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E Firewall users then visiting blocked sites will have the blocked page displayed and the attack carried out. http://192.168.10.1/pub/ufp.html?url=www.blockedUrl.com&mask=000&swpreview=1 b) The Wi-Fi hotspot landing page on Wi-Fi enabled firewalls is also vulnerable, with any user using the Wi-Fi access point being at risk. First an attacker has to trick the administrator to follow a XSRF attack, the (swsessioncookie) session cookie for simplicity sake is shown though JavaScript document.cookie can be used to subvert this protection (see paper). http://192.168.10.1/HotSpot.html?swcaller=HotSpot.html&swsessioncookie=20KHYp5-oS7rKmS-a4rq4j&swsave=1&hotspotnets=00000000000000000000000000000000000000&hotspotpass=1&hotspotmulti=1&hotspothttps=0&hotspotnet1=0&hotspotnet2=0&hotspotnet3=0&hotspotenf=0&hotspottitle=Welcome+to+My+HotSpot&hotspotterms=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&thotspotpass=on&thotspotmulti=on Firewall users then visiting the Wi-Fi landing page will then have the attack carried out. http://192.168.10.1/pub/hotspot.html?swpreview=1 Consequences: An attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link to Checkpoint firewall hosted page. Such code would run within the security context of the target domain. Using persistent XSS attacks the attacker does not have to trick his victims to visit his malicious page, as the malicious code is stored by and becomes part of the webpage. 3) The following demonstrate the (authenticated) offsite redirection flaws:- a) Enter the following URL to redirect http://192.168.10.1/12?swcaller=http://www.procheckup.com b) Enter the following URL and then press back button. http://192.168.10.1/UfpBlock.html?backurl=http://www.procheckup.com Consequences: Offsite redirection is typically used to perform phishing type attacks, by fooling an authenticated user to re-enter authentication details in an external site. 4) The following demonstrate the Information disclosure flaws (no authentication needed) It was found that the /pub/test.html program disclosed information, regarding the patch level used, licensing and the MAC addresses to unauthenticated users. a) On early firmware versions 5.0.82x, 6.0.72x & 7.0.27x 7.5.48x Just requesting http:// 192.168.10.1/pub/test.html is sufficient b) However this no longer worked on versions 8.1.46x & 8.2.26x however adding the URL parameter and a double quote bypassed this check https:// 192.168.10.1/pub/test.html?url=" Consequences: An attacker may be able to obtain additional information on the machines configuration, and use this information to carry out further attacks. Fix: Upgrade to firmware version 8.2.44 or higher, which solves these vulnerabilities https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65460 # 0day.today [2024-12-25] #