lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201206131609.q5DG9wJG014977@sf01web1.securityfocus.com>
Date: Wed, 13 Jun 2012 16:09:58 GMT
From: moshez@...secglobal.com
To: bugtraq@...urityfocus.com
Subject: Security Advisory - Checkpoint Endpoint Connect VPN - DLL Hijack

Security Advisory - Checkpoint Endpoint Connect VPN - DLL Hijack
================================================================================
Summary           : Checkpoint Endpoint Connect VPN is prone to DLL hijacking
Date              : 12 June 2012
Affected versions : Endpoint Security VPN R75
					Remote Access Clients E75.x
					Endpoint Security R73.x/E80.x (VPN blade)
ID                : sk76480
CVE reference     : CVE-2012-2753

Details
==========
A vulnerability in Checkpoint Endpoint Connect VPN causes the client to be
susceptible to an attack that result in arbitrary dynamic-library loading.

A user with local disk access can carefuly construct a DLL that suits a pattern
that is being traversed by the client and implement it somewhere along the
search path and the client will load it seamlessly.

Impact
==========
After the DLL has been implemented, an unsuspected user that will run the
program will cause it to load, resulting in arbitrary code execution with
user's privilege level.

Solution
==========
Apply the appropriate Hotfix released by Checkpoint (one line URL):
https://supportcenter.checkpoint.com/supportcenter/portal?
						eventSubmit_doGoviewsolutiondetails=&solutionid=sk76480

Credits
==========
The issue was responsibly reported by Moshe Zioni from Comsec Global Consulting.

Timeline
===========
11 June 2012
Checkpoint officialy announce a Hotfix for the issue
6 June 2012
Checkpoint reported on finishing a fix to the reported issue
16 May 2012
Further correspondance (Comsec-Checkpoint) took place, discussing a remidiation
15 May 2012
First response from Checkpoint Security Team
15 May 2012
Bug reported by Moshe Zioni from Comsec Global Consulting

References
===========
Checkpoint
http://www.checkpoint.com/
Comsec Global Consulting
http://www.comsecglobal.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ