Summary : Checkpoint Endpoint Connect VPN is prone to DLL hijacking
Date : 12 June 2012
Affected versions : Endpoint Security VPN R75
Remote Access Clients E75.x
Endpoint Security R73.x/E80.x (VPN blade)
ID : sk76480
CVE reference : CVE-2012-2753
A vulnerability in Checkpoint Endpoint Connect VPN causes the client to be
susceptible to an attack that result in arbitrary dynamic-library loading.
A user with local disk access can carefuly construct a DLL that suits a pattern
that is being traversed by the client and implement it somewhere along the
search path and the client will load it seamlessly.
After the DLL has been implemented, an unsuspected user that will run the
program will cause it to load, resulting in arbitrary code execution with
user's privilege level.
Apply the appropriate Hotfix released by Checkpoint (one line URL):
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk76480
The issue was responsibly reported by Moshe Zioni from Comsec Global Consulting.
11 June 2012
Checkpoint officialy announce a Hotfix for the issue
6 June 2012
Checkpoint reported on finishing a fix to the reported issue
16 May 2012
Further correspondance (Comsec-Checkpoint) took place, discussing a remidiation
15 May 2012
First response from Checkpoint Security Team
15 May 2012
Bug reported by Moshe Zioni from Comsec Global Consulting
Checkpoint
http://www.checkpoint.com/
Comsec Global Consulting
http://www.comsecglobal.com/