Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28159
HistoryJun 17, 2012 - 12:00 a.m.

Security Advisory - Checkpoint Endpoint Connect VPN - DLL Hijack

2012-06-1700:00:00
vulners.com
35

Security Advisory - Checkpoint Endpoint Connect VPN - DLL Hijack

Summary : Checkpoint Endpoint Connect VPN is prone to DLL hijacking
Date : 12 June 2012
Affected versions : Endpoint Security VPN R75
Remote Access Clients E75.x
Endpoint Security R73.x/E80.x (VPN blade)
ID : sk76480
CVE reference : CVE-2012-2753

Details

A vulnerability in Checkpoint Endpoint Connect VPN causes the client to be
susceptible to an attack that result in arbitrary dynamic-library loading.

A user with local disk access can carefuly construct a DLL that suits a pattern
that is being traversed by the client and implement it somewhere along the
search path and the client will load it seamlessly.

Impact

After the DLL has been implemented, an unsuspected user that will run the
program will cause it to load, resulting in arbitrary code execution with
user's privilege level.

Solution

Apply the appropriate Hotfix released by Checkpoint (one line URL):
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk76480

Credits

The issue was responsibly reported by Moshe Zioni from Comsec Global Consulting.

Timeline

11 June 2012
Checkpoint officialy announce a Hotfix for the issue
6 June 2012
Checkpoint reported on finishing a fix to the reported issue
16 May 2012
Further correspondance (Comsec-Checkpoint) took place, discussing a remidiation
15 May 2012
First response from Checkpoint Security Team
15 May 2012
Bug reported by Moshe Zioni from Comsec Global Consulting

References

Checkpoint
http://www.checkpoint.com/
Comsec Global Consulting
http://www.comsecglobal.com/

Related for SECURITYVULNS:DOC:28159