Based on an email exchange last week, I'm attempting to write my first
plugin, so patience appreciated. :-)
Issue: http://www.securityfocus.com/bid/27675
I'm attempting to check the version of the VPN client, based on an
installed file, "SR_GUI.exe", properties indicates the version is
63.0.0.44
Default install: C:\Program Files\CheckPoint\SecuRemote\bin
Here is the registry key for the uninstall information:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{057f6911-35fd-4c8d-883f-11b8814480c9}]
"AuthorizedCDFPrefix"=""
"Comments"=""
"Contact"=""
"DisplayVersion"="1.00.0000"
"HelpLink"=""
"HelpTelephone"=""
"InstallDate"="20071212"
"InstallLocation"="C:\\Program Files\\CheckPoint\\SecuRemote\\"
"ModifyPath"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,78,\
00,65,00,20,00,2f,00,58,00,7b,00,30,00,35,00,37,00,66,00,36,00,39,00,31,00,\
31,00,2d,00,33,00,35,00,66,00,64,00,2d,00,34,00,63,00,38,00,64,00,2d,00,38,\
00,38,00,33,00,66,00,2d,00,31,00,31,00,62,00,38,00,38,00,31,00,34,00,34,00,\
38,00,30,00,63,00,39,00,7d,00,00,00
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"Publisher"="Check Point"
"Readme"=""
"Size"=""
"UninstallString"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,\
78,00,65,00,20,00,2f,00,58,00,7b,00,30,00,35,00,37,00,66,00,36,00,39,00,31,\
00,31,00,2d,00,33,00,35,00,66,00,64,00,2d,00,34,00,63,00,38,00,64,00,2d,00,\
38,00,38,00,33,00,66,00,2d,00,31,00,31,00,62,00,38,00,38,00,31,00,34,00,34,\
00,38,00,30,00,63,00,39,00,7d,00,00,00
"URLInfoAbout"="http://www.checkpoint.com"
"URLUpdateInfo"=""
"VersionMajor"=dword:00000001
"VersionMinor"=dword:00000000
"WindowsInstaller"=dword:00000001
"Version"=dword:01000000
"Language"=dword:00000000
"DisplayName"="Check Point VPN-1 SecuRemote/SecureClient NGX R60 HFA2"
"EstimatedSize"=dword:000061a8
Here is the problem: I'm on a windows system. I run build, the custom
nasl shows up. I select it, scan : no vulnerabilities. I've modified an
existing NASL (mcafee_ebsadmin_auth_overflow.nasl) based on George's
suggestion. I commented my modifications below. I've changed the version
number (what i think is the version number it's checking) in the script,
to be above/below the actual one, to no effect. Questions:
1) Do I need to run build again after script changes?
2) the .exe is in a sub folder of the RegKey "InstallLocation" -- are
subfolders checked?
Anything else I'm missing?
# Author: Mike Vasquez mnv at alumni dot princeton dot edu
#
# (C) Tenable Network Security, Inc.
#
if (description)
{
script_id(99900);
script_version("$Revision: 1.0 $");
# I modified the next 4 lines with correct info, as well as the subsequent
description
script_cve_id("CVE-2008-0662");
script_bugtraq_id(27675);
script_name(english:"Checkpoint SecuRemote Secure Client Auto Local
Logon Vulnerability");
script_summary(english:"Checks file version of SR_GUI.exe");
desc = "
Synopsis :
Issues with credential storage in the registry allow anyone with
read access to the registry to utilize stored credentials to login
and impersonate the user who stored their credentials.
Description :
Checkpoint's SecuRemote and Secure Client VPN Clients allow
secure remote VPN access.
This version of the software has a feature called Auto Local Logon,
which stores credentials in the registry. The registry key is available
by default to everyone who logs onto the machine, as well as anyone
with remote registry access.
An attacker can export this registry key, and re-use it to log on
as the individual who stored their credentials.
See also :
http://www.digihax.com
https://supportcenter.checkpoint.com/supportcenter/PublicLoginRedirect.jsp?toURL=eventSubmit_doGoviewsolutiondetails=%26solutionid=sk34315
Solution :
Upgrade to VPN-1 SecuRemote/SecureClient NGX R60 HFA_02 Supplement 2
Risk factor :
Critical / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)";
script_description(english:desc);
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2008 Tenable
Network Security, Inc.");
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
include("smb_func.inc");
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
# Figure out where the installer recorded information about it.
list =
get_kb_list("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName");
if (isnull(list)) exit(0);
key = NULL;
foreach name (keys(list))
{
prod = list[name];
# I modified this line to match what I found in my registry key for the
DisplayName
if (prod && "Check Point VPN-1 SecuRemote/SecureClient NGX R60 HFA2" ><
prod)
{
key = ereg_replace(pattern:"^SMB\/Registry\/HKLM\/(.+)\/DisplayName$",
replace:"\1", string:name);
key = str_replace(find:"/", replace:"\", string:key);
break;
}
}
if (isnull(key)) exit(0);
# Connect to the appropriate share.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
name = kb_smb_name();
port = kb_smb_transport();
if (!get_port_state(port)) exit(0);
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
soc = open_sock_tcp(port);
if (!soc) exit(0);
session_init(socket:soc, hostname:name);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
NetUseDel();
exit(0);
}
# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
NetUseDel();
exit(0);
}
# Find out where it was installed.
path = NULL;
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
item = RegQueryValue(handle:key_h, item:"InstallLocation");
if (!isnull(item)) path = item[1];
RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);
if (isnull(path))
{
NetUseDel();
exit(0);
}
# Determine the version of SR_GUI.exe.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$",
string:path);
# I modified this line to reflect the correct .exe to check
exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\SR_GUI.exe",
string:path);
NetUseDel(close:FALSE);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
NetUseDel();
exit(0);
}
fh = CreateFile(
file:exe,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
ver = NULL;
if (!isnull(fh))
{
ver = GetFileVersion(handle:fh);
CloseFile(handle:fh);
}
NetUseDel();
# Check the version number.
if (!isnull(ver))
{
# I tried multiple changes here -- both incremention a version below, and
above -- wasn't 100% which way to go.
fix = split("63.0.0.45", sep:'.', keep:FALSE);
for (i=0; i<max_index(fix); i++)
fix[i] = int(fix[i]);
for (i=0; i<max_index(ver); i++)
if ((ver[i] < fix[i]))
{
version = string(ver[0], ".", ver[1], ".", ver[2]);
report = string(
"Check Point VPN-1 SecuRemote/SecureClient ", version, " is
installed under :\n",
"\n",
" ", path, "\n"
);
security_hole(port:port, extra:report);
break;
}
else if (ver[i] > fix[i])
break;
}
# END OF NASL
plugin, so patience appreciated. :-)
Issue: http://www.securityfocus.com/bid/27675
I'm attempting to check the version of the VPN client, based on an
installed file, "SR_GUI.exe", properties indicates the version is
63.0.0.44
Default install: C:\Program Files\CheckPoint\SecuRemote\bin
Here is the registry key for the uninstall information:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{057f6911-35fd-4c8d-883f-11b8814480c9}]
"AuthorizedCDFPrefix"=""
"Comments"=""
"Contact"=""
"DisplayVersion"="1.00.0000"
"HelpLink"=""
"HelpTelephone"=""
"InstallDate"="20071212"
"InstallLocation"="C:\\Program Files\\CheckPoint\\SecuRemote\\"
"ModifyPath"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,78,\
00,65,00,20,00,2f,00,58,00,7b,00,30,00,35,00,37,00,66,00,36,00,39,00,31,00,\
31,00,2d,00,33,00,35,00,66,00,64,00,2d,00,34,00,63,00,38,00,64,00,2d,00,38,\
00,38,00,33,00,66,00,2d,00,31,00,31,00,62,00,38,00,38,00,31,00,34,00,34,00,\
38,00,30,00,63,00,39,00,7d,00,00,00
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"Publisher"="Check Point"
"Readme"=""
"Size"=""
"UninstallString"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,\
78,00,65,00,20,00,2f,00,58,00,7b,00,30,00,35,00,37,00,66,00,36,00,39,00,31,\
00,31,00,2d,00,33,00,35,00,66,00,64,00,2d,00,34,00,63,00,38,00,64,00,2d,00,\
38,00,38,00,33,00,66,00,2d,00,31,00,31,00,62,00,38,00,38,00,31,00,34,00,34,\
00,38,00,30,00,63,00,39,00,7d,00,00,00
"URLInfoAbout"="http://www.checkpoint.com"
"URLUpdateInfo"=""
"VersionMajor"=dword:00000001
"VersionMinor"=dword:00000000
"WindowsInstaller"=dword:00000001
"Version"=dword:01000000
"Language"=dword:00000000
"DisplayName"="Check Point VPN-1 SecuRemote/SecureClient NGX R60 HFA2"
"EstimatedSize"=dword:000061a8
Here is the problem: I'm on a windows system. I run build, the custom
nasl shows up. I select it, scan : no vulnerabilities. I've modified an
existing NASL (mcafee_ebsadmin_auth_overflow.nasl) based on George's
suggestion. I commented my modifications below. I've changed the version
number (what i think is the version number it's checking) in the script,
to be above/below the actual one, to no effect. Questions:
1) Do I need to run build again after script changes?
2) the .exe is in a sub folder of the RegKey "InstallLocation" -- are
subfolders checked?
Anything else I'm missing?
# Author: Mike Vasquez mnv at alumni dot princeton dot edu
#
# (C) Tenable Network Security, Inc.
#
if (description)
{
script_id(99900);
script_version("$Revision: 1.0 $");
# I modified the next 4 lines with correct info, as well as the subsequent
description
script_cve_id("CVE-2008-0662");
script_bugtraq_id(27675);
script_name(english:"Checkpoint SecuRemote Secure Client Auto Local
Logon Vulnerability");
script_summary(english:"Checks file version of SR_GUI.exe");
desc = "
Synopsis :
Issues with credential storage in the registry allow anyone with
read access to the registry to utilize stored credentials to login
and impersonate the user who stored their credentials.
Description :
Checkpoint's SecuRemote and Secure Client VPN Clients allow
secure remote VPN access.
This version of the software has a feature called Auto Local Logon,
which stores credentials in the registry. The registry key is available
by default to everyone who logs onto the machine, as well as anyone
with remote registry access.
An attacker can export this registry key, and re-use it to log on
as the individual who stored their credentials.
See also :
http://www.digihax.com
https://supportcenter.checkpoint.com/supportcenter/PublicLoginRedirect.jsp?toURL=eventSubmit_doGoviewsolutiondetails=%26solutionid=sk34315
Solution :
Upgrade to VPN-1 SecuRemote/SecureClient NGX R60 HFA_02 Supplement 2
Risk factor :
Critical / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)";
script_description(english:desc);
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2008 Tenable
Network Security, Inc.");
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
include("smb_func.inc");
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
# Figure out where the installer recorded information about it.
list =
get_kb_list("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName");
if (isnull(list)) exit(0);
key = NULL;
foreach name (keys(list))
{
prod = list[name];
# I modified this line to match what I found in my registry key for the
DisplayName
if (prod && "Check Point VPN-1 SecuRemote/SecureClient NGX R60 HFA2" ><
prod)
{
key = ereg_replace(pattern:"^SMB\/Registry\/HKLM\/(.+)\/DisplayName$",
replace:"\1", string:name);
key = str_replace(find:"/", replace:"\", string:key);
break;
}
}
if (isnull(key)) exit(0);
# Connect to the appropriate share.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
name = kb_smb_name();
port = kb_smb_transport();
if (!get_port_state(port)) exit(0);
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
soc = open_sock_tcp(port);
if (!soc) exit(0);
session_init(socket:soc, hostname:name);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
NetUseDel();
exit(0);
}
# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
NetUseDel();
exit(0);
}
# Find out where it was installed.
path = NULL;
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
item = RegQueryValue(handle:key_h, item:"InstallLocation");
if (!isnull(item)) path = item[1];
RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);
if (isnull(path))
{
NetUseDel();
exit(0);
}
# Determine the version of SR_GUI.exe.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$",
string:path);
# I modified this line to reflect the correct .exe to check
exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\SR_GUI.exe",
string:path);
NetUseDel(close:FALSE);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
NetUseDel();
exit(0);
}
fh = CreateFile(
file:exe,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
ver = NULL;
if (!isnull(fh))
{
ver = GetFileVersion(handle:fh);
CloseFile(handle:fh);
}
NetUseDel();
# Check the version number.
if (!isnull(ver))
{
# I tried multiple changes here -- both incremention a version below, and
above -- wasn't 100% which way to go.
fix = split("63.0.0.45", sep:'.', keep:FALSE);
for (i=0; i<max_index(fix); i++)
fix[i] = int(fix[i]);
for (i=0; i<max_index(ver); i++)
if ((ver[i] < fix[i]))
{
version = string(ver[0], ".", ver[1], ".", ver[2]);
report = string(
"Check Point VPN-1 SecuRemote/SecureClient ", version, " is
installed under :\n",
"\n",
" ", path, "\n"
);
security_hole(port:port, extra:report);
break;
}
else if (ver[i] > fix[i])
break;
}
# END OF NASL