ID

VAR-201110-0182

CVE

CVE-2011-1827

TITLE

Check Point of Vulnerability in arbitrary code execution in multiple products

DESCRIPTION

Multiple unspecified vulnerabilities in Check Point SSL Network Extender (SNX), SecureWorkSpace, and Endpoint Security On-Demand, as distributed by SecurePlatform, IPSO6, Connectra, and VSX, allow remote attackers to execute arbitrary code via vectors involving a (1) ActiveX control or (2) Java applet. SNX SecureWorkSpace and Endpoint Security On-Demand can be downloaded from Connectra or security gateways for on-demand remote connectivity. They can be configured for browsing using the Check Point Deployment Agent Java applet or ActiveX controls. This vulnerability does not affect the Check Point Security Gateway. Multiple Check Point SSL VPN on-demand applications are prone to a remote code-execution vulnerability. Successful exploits will allow the attacker to execute arbitrary code within the context of the currently logged-in user. Failed exploit attempts will likely result in a denial-of-service condition. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Check Point SSL VPN On-Demand Applications Unspecified Vulnerability SECUNIA ADVISORY ID: SA45575 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45575/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45575 RELEASE DATE: 2011-08-10 DISCUSS ADVISORY: http://secunia.com/advisories/45575/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45575/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45575 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability have been reported in Check Point SSL VPN On-Demand applications, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an unspecified error in the helper application (e.g. No further information is currently available. Please see the vendor's advisory for a list of affected versions. SOLUTION: Apply updates. Please see the vendor's advisory for details. PROVIDED AND/OR DISCOVERED BY: The vendor credits Johannes Greil, SEC Consult. ORIGINAL ADVISORY: https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk62410 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . By disabling spyware and enforcing baseline security requirements before it grants SSL VPN access, Connectra stops identity and password theft and prevents data loss." URL: http://www.checkpoint.com/products/connectra/ Vulnerability overview/description: ----------------------------------- The client-side endpoint security solution (SSL Network Extender (SNX), SecureWorkSpace and Endpoint Security On-Demand), e.g. Due to quality issues within the software, an attacker is able to access insecure methods from the "trustworthy" Java applet or ActiveX control and exploit those features to compromise all client systems that trust the correctly signed Java applet or ActiveX control (e.g. all users that need to use this software for accessing internal systems over company VPN). As SEC Consult does not provide free of charge quality assurance for software vendors above providing information in advisories, no further proof of concepts than this advisory / exploit have been created. This JAR-file is extracted to %TEMP%\SWS (Windows) or /tmp/SWS (Linux). It includes the executable CPSWS.exe and some other XML and DLL files (side note: it is no workaround to remove "sws.jar" on the company Check Point Connectra appliance as this file can also remotely be deployed or fetched). Calling the public method "CreatePackageURL" it is possible for an attacker to load the SWS feature/package. Afterwards "RunPackageAction" can be called to access the following actions of the "Secure Workspace" component: 1) runExeStart 2) runCmd 3) setXmlFile 4) dwnldFile 5) createCmdFile The proof of concept uses "dwnldFile" and "runCmd" to upload an arbitrary executable file and store it as "CPSWS.exe" within the temporary directory of the victim's client system. Then "runCmd" is being called to automatically run the new malicious "CPSWS.exe" and compromise the client system. So it's not just possible to execute commands on the clients but also to choose one's own arbitrary malicious payload. ==>> Summing up, an attacker is able to upload arbitrary executable files to remote clients and then immediately execute them without notice as a signed Java applet / ActiveX is being used (if "Always trust content from this publisher" has been checked - otherwise an unsuspicious Java digital signature verification popup will occur). Possible attack vectors are drive-by downloads just by visiting malicious websites but also through emails, any XSS on unsuspicious websites, etc. Proof of concept: ----------------- The exploit will not be published, but a video demonstrating this issue has been created. It can be found at the following URL: https://www.sec-consult.com/files/110810_checkpoint_exploit.mp4 Vulnerable / tested versions: ----------------------------- The Deployment agent component of the Check Point Connectra R66 appliance has been tested and successfully exploited. Furthermore, a newer R70 has also been tested and found vulnerable. Vulnerable signed Java applet certificate SHA1 fingerprint: F6:40:1D:7B:67:08:3C:0F:3D:2A:9F:BC:69:E2:AD:6C:A5:D6:F5:8D Vulnerable ActiveX control "SlimClient Class" Class ID: {B4CB50E4-0309-4906-86EA-10B6641C8392} Further information regarding affected Class ID and Oracle Java Blacklist SHA1-Hashes can be found within the advisory of Check Point. The following affected product/version information has been supplied by Check Point: - R65.70 - R70.40 - R71.30 - R75 - Connectra R66.1 - Connectra R66.1n - VSX R65.20 - VSX R67 Vendor contact timeline: ------------------------ 2011-03-31: Contacting Check Point security team (security-alert@checkpoint.com), received auto-reply email 2011-03-31: Vendor: Very fast response, issue is being investigated, Check Point will reply early next week 2011-04-03: Vendor: asking for further information, exploit setup 2011-04-04: Replying to vendor 2011-04-05: Vendor: confirmation of vulnerability, more information end of week 2011-04-08: Asking for status 2011-04-09: Vendor: Working on the fix and release plan 2011-04-11: Asking for CVE number @MITRE 2011-04-12: Sending more details to MITRE, asking Check Point for version numbers and affected products 2011-04-13 - 2011-04-22: Coordination with Check Point regarding release and fix 2011-04-21: Contacting local CERT (Austria, Germany) 2011-04-25: Check Point releases their advisory including patches 2011-04-26: Asking again for CVE number 2011-05-26: Asking about status for Microsoft killbit patch 2011-05-29: Vendor: Microsoft did postpone patch from June to August 2011-08-08: Asking about status for patch; Vendor: MS publication expected 2011-08-09: Microsoft publishes killbit patch 2011-08-10: Coordinated release of SEC Consult advisory Solution: --------- The following patches have been supplied by Check Point: - Hotfix for R65.70 - Hotfix for R70.40 - Hotfix for R71.30 - Hotfix for R75 - Hotfix for Connectra R66.1 - Hotfix for Connectra R66.1n - Hotfix for VSX R65.20 - Hotfix for VSX R67 For further information see the advisory of Check Point: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk62410 The following Microsoft Killbit Patch should be applied: http://www.microsoft.com/technet/security/advisory/2562937.mspx Workaround: ----------- You should really apply the patches and invalidate the vulnerable ActiveX control and Java applet. Detailed information and a howto including tools can be found within the advisory of Check Point. Advisory URLs: -------------- https://www.sec-consult.com/en/advisories.html https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk62410 http://www.microsoft.com/technet/security/advisory/2562937.mspx ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com www.sec-consult.com EOF J. Greil / @2011 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

lack of information

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Johannes Greil of SEC Consult Unternehmensberatung

SOURCES

LAST UPDATE DATE

2024-11-23T22:27:39.653000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE