what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Check Point SSL VPN Command Execution

Check Point SSL VPN Command Execution
Posted Aug 11, 2011
Authored by Johannes Greil | Site sec-consult.com

Check Point SSL VPN On-Demand applications suffer from remote file upload and command execution vulnerabilities.

tags | advisory, remote, vulnerability, file upload
advisories | CVE-2011-1827
SHA-256 | 16fc1a812d8e49f019aec198ac5b1f6339e0854addc6171fa54586f34e1a1259

Check Point SSL VPN Command Execution

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20110810-0 >
=======================================================================
title: Client-side remote file upload & command execution
product: Check Point SSL VPN On-Demand applications (signed
Java applet and ActiveX control)
* SSL Network Extender (SNX)
* SecureWorkSpace
* Endpoint Security On-Demand
supplied by Check Point Connectra or other security
gateways
vulnerable version: multiple products, see sections below
fixed version: multiple products, see sections below
CVE number: CVE-2011-1827
impact: critical
homepage: http://www.checkpoint.com
found: 2011-03-28
by: Johannes Greil / SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
---------------------------
"SSL Network Extender (SNX) is a browser plug-in that provides
clientless remote access, while delivering full network connectivity
for any IP-based application."

URL: http://www.checkpoint.com/products/ssl_network_ext/

"Comprehensive Endpoint Security
Scans for spyware to ensure that malicious processes, keystroke
loggers, and Trojan horses are not installed on remote endpoints,
Connectra scans for these and other spyware through remote users’
browsers. By disabling spyware and enforcing baseline security
requirements before it grants SSL VPN access, Connectra stops identity
and password theft and prevents data loss."

URL: http://www.checkpoint.com/products/connectra/


Vulnerability overview/description:
-----------------------------------
The client-side endpoint security solution (SSL Network Extender (SNX),
SecureWorkSpace and Endpoint Security On-Demand), e.g. supplied by a
Check Point Connectra or other Check Point security appliances on the
portal page, uses either a signed Java applet (called CShell or
Deployment Agent) or ActiveX control to perform local compliance scans
on the client.

Due to quality issues within the software, an attacker is able to access
insecure methods from the "trustworthy" Java applet or ActiveX control
and exploit those features to compromise all client systems that trust
the correctly signed Java applet or ActiveX control (e.g. all users
that need to use this software for accessing internal systems over
company VPN).

As SEC Consult does not provide free of charge quality assurance for
software vendors above providing information in advisories, no further
proof of concepts than this advisory / exploit have been created.


The Check Point Deployment agent Java applet or ActiveX control have a
"Secure Workspace" (SWS) feature which is provided per default in
"sws.jar" (or "sws.cab"). This JAR-file is extracted to %TEMP%\SWS
(Windows) or /tmp/SWS (Linux). It includes the executable CPSWS.exe and
some other XML and DLL files (side note: it is no workaround to remove
"sws.jar" on the company Check Point Connectra appliance as this file
can also remotely be deployed or fetched).

Calling the public method "CreatePackageURL" it is possible for an
attacker to load the SWS feature/package. Afterwards "RunPackageAction"
can be called to access the following actions of the "Secure Workspace"
component:
1) runExeStart
2) runCmd
3) setXmlFile
4) dwnldFile
5) createCmdFile

The proof of concept uses "dwnldFile" and "runCmd" to upload an
arbitrary executable file and store it as "CPSWS.exe" within the
temporary directory of the victim's client system. Then "runCmd" is
being called to automatically run the new malicious "CPSWS.exe" and
compromise the client system.

So it's not just possible to execute commands on the clients but also to
choose one's own arbitrary malicious payload.


==>>
Summing up, an attacker is able to upload arbitrary executable files to
remote clients and then immediately execute them without notice as a
signed Java applet / ActiveX is being used (if "Always trust content
from this publisher" has been checked - otherwise an unsuspicious Java
digital signature verification popup will occur).

Possible attack vectors are drive-by downloads just by visiting
malicious websites but also through emails, any XSS on unsuspicious
websites, etc.


Proof of concept:
-----------------
The exploit will not be published, but a video demonstrating this issue
has been created. It can be found at the following URL:

https://www.sec-consult.com/files/110810_checkpoint_exploit.mp4


Vulnerable / tested versions:
-----------------------------
The Deployment agent component of the Check Point Connectra R66
appliance has been tested and successfully exploited. Furthermore, a
newer R70 has also been tested and found vulnerable.

Vulnerable signed Java applet certificate SHA1 fingerprint:
F6:40:1D:7B:67:08:3C:0F:3D:2A:9F:BC:69:E2:AD:6C:A5:D6:F5:8D

Vulnerable ActiveX control "SlimClient Class" Class ID:
{B4CB50E4-0309-4906-86EA-10B6641C8392}

Further information regarding affected Class ID and Oracle Java
Blacklist SHA1-Hashes can be found within the advisory of Check Point.

The following affected product/version information has been supplied by
Check Point:
- R65.70
- R70.40
- R71.30
- R75
- Connectra R66.1
- Connectra R66.1n
- VSX R65.20
- VSX R67



Vendor contact timeline:
------------------------
2011-03-31: Contacting Check Point security team
(security-alert@checkpoint.com), received auto-reply email
2011-03-31: Vendor: Very fast response, issue is being investigated,
Check Point will reply early next week
2011-04-03: Vendor: asking for further information, exploit setup
2011-04-04: Replying to vendor
2011-04-05: Vendor: confirmation of vulnerability, more information
end of week
2011-04-08: Asking for status
2011-04-09: Vendor: Working on the fix and release plan
2011-04-11: Asking for CVE number @MITRE
2011-04-12: Sending more details to MITRE, asking Check Point for
version numbers and affected products
2011-04-13 - 2011-04-22: Coordination with Check Point regarding
release and fix
2011-04-21: Contacting local CERT (Austria, Germany)
2011-04-25: Check Point releases their advisory including patches
2011-04-26: Asking again for CVE number
2011-05-26: Asking about status for Microsoft killbit patch
2011-05-29: Vendor: Microsoft did postpone patch from June to August
2011-08-08: Asking about status for patch; Vendor: MS publication
expected
2011-08-09: Microsoft publishes killbit patch
2011-08-10: Coordinated release of SEC Consult advisory



Solution:
---------
The following patches have been supplied by Check Point:
- Hotfix for R65.70
- Hotfix for R70.40
- Hotfix for R71.30
- Hotfix for R75
- Hotfix for Connectra R66.1
- Hotfix for Connectra R66.1n
- Hotfix for VSX R65.20
- Hotfix for VSX R67

For further information see the advisory of Check Point:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk62410


The following Microsoft Killbit Patch should be applied:
http://www.microsoft.com/technet/security/advisory/2562937.mspx


Workaround:
-----------
You should really apply the patches and invalidate the vulnerable
ActiveX control and Java applet.

Detailed information and a howto including tools can be found within the
advisory of Check Point.


Advisory URLs:
--------------
https://www.sec-consult.com/en/advisories.html

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk62410

http://www.microsoft.com/technet/security/advisory/2562937.mspx


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF J. Greil / @2011

Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    9 Files
  • 7
    Feb 7th
    32 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close