Hardly surprising - there really cannot be any reliable way of knowing the
configuration of a remote host. The best any of these products can do is
assure you that the remote host claims to be configured in a certain way.
The implementation in SCV seems to be particularly simple-minded, since the
questions are apparently posed in the form of "Are you in compliance with the
following rule?" Implementors of malware will obviously know that the correct
answer is "yes".
A proper host IDS (Tripwire, Prelude, etc.) doesn't tell the remote host what
it expects the answers to be - it asks things like "what is the SHA1sum of the
values of the following registry keys?" and compares the answers against its
own copies. To beat that, at least the malicious software would have to keep
track of the previous state of any files and settings it altered.
Of course, a host IDS is also quite top-heavy to operate. SCV is capable of
catching 'casual' malware, or accidental misconfigurations.
Regards
Mark
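Mark's contrast between a yes/no compliance question and a verifier that compares a hash against its own copy, worked through as an added illustration (this is not code from the list, from Check Point, or from any IDS product; the registry key names and values are constructed for the example):

```python
import hashlib
import hmac
import secrets

# Constructed example: the verifier's baseline of expected registry values.
# Key names are illustrative, not real SecureClient or Windows keys.
BASELINE = {
    r"HKLM\Software\Example\Firewall\Enabled": "1",
    r"HKLM\Software\Example\Antivirus\RealTimeScan": "1",
}

def digest(values, keys, nonce):
    """SHA-1 over the requested values, bound to a per-query nonce (no replay)."""
    h = hashlib.sha1(nonce)
    for k in keys:
        h.update(f"{k}={values.get(k, '<missing>')}\n".encode())
    return h.hexdigest()

class Host:
    """Honest agent: answers from whatever its registry actually holds."""
    def __init__(self, registry):
        self.registry = registry
    def is_compliant(self, rule):       # SCV-style: "are you compliant with X?"
        key, expected = rule
        return self.registry.get(key) == expected
    def evidence(self, keys, nonce):    # IDS-style: "what is the hash of X?"
        return digest(self.registry, keys, nonce)

class CompromisedHost(Host):
    """Malware has altered a setting and simply says 'yes' to every rule."""
    def is_compliant(self, rule):
        return True

def scv_style_check(host, baseline):
    return all(host.is_compliant(rule) for rule in baseline.items())

def ids_style_check(host, baseline):
    keys, nonce = sorted(baseline), secrets.token_bytes(16)
    expected = digest(baseline, keys, nonce)  # computed from the verifier's own copy
    return hmac.compare_digest(expected, host.evidence(keys, nonce))

def run_checks():
    clean = Host(dict(BASELINE))
    tampered = dict(BASELINE)
    tampered[r"HKLM\Software\Example\Antivirus\RealTimeScan"] = "0"
    bad = CompromisedHost(tampered)
    return {"clean_scv": scv_style_check(clean, BASELINE),
            "clean_ids": ids_style_check(clean, BASELINE),
            "bad_scv": scv_style_check(bad, BASELINE),   # True: the lie is accepted
            "bad_ids": ids_style_check(bad, BASELINE)}   # False: hash does not match
```

The nonce only stops a captured answer from being replayed; as Mark says, an agent that recorded the original values before altering them could still compute the expected hash, which is why the verifier's copy has to be protected too.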
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Ray
Sent: December 15, 2005 18:22
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Another SecureClient SCV bypass?
From the Full Disclosure list - seems to be a popular topic nowadays. <sog>
Ray
------------------------------------------------------------
From : Avner Peled <avnerus AT gmail DOT com>
Sent : Thursday, December 15, 2005 8:35 AM
To : full-disclosure AT lists.grok.org DOT uk
Subject : [Full-disclosure] Another Checkpoint SecureClient NGX SCV Bypass
Hello all,
After reading the post on
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/039634.html
about disabling secure configuration verification in Checkpoint's SecureClient
I thought I'd post my own findings.
My method of bypassing the check also requires Administrator privileges but
does not require anything running in the background.
Here are the steps I took to bypass the check.
1. Download the free OPSEC Desktop SDK from www.opsec.com
2. Prepare an scv dll using the sample scv plugin in the sdk, have the plugin
always return SCV_CHECK_PASSED in the Status() function.
3. Make a copy of that dll for each dll that is being used by the policy, each
time changing the #define PiName to the name of the check you want to bypass
(for example AntivirusMonitor, RegMonitor). Copy the new dlls (dll name could
be different) to Program Files\Checkpoint\SecureRemote\scv
4. Stop secureclient.
5. Use the tool provided in the sdk, PiReg.exe, to unregister (-d flag) the
monitor dlls in Program Files\Checkpoint\SecureRemote\scv
6. Use the same tool to register all of the dlls with the same PiName.
7. Start secureclient.
"Configuration Verified"
---------------------
Avner Peled.
avnerus AT gmail DOT com
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to LISTSERV AT
amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed. If
you have received this email in error please notify the system manager. This
message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail.