Security Advisory - Checkpoint Endpoint Connect VPN - DLL Hijack
================================================================================
Summary           : Checkpoint Endpoint Connect VPN is prone to DLL hijacking
Date              : 12 June 2012
Affected versions : Endpoint Security VPN R75
          Remote Access Clients E75.x
          Endpoint Security R73.x/E80.x (VPN blade)
ID                : sk76480
CVE reference     : CVE-2012-2753

Details
==========
A vulnerability in Checkpoint Endpoint Connect VPN causes the client to be
susceptible to an attack that result in arbitrary dynamic-library loading.

A user with local disk access can carefuly construct a DLL that suits a pattern
that is being traversed by the client and implement it somewhere along the
search path and the client will load it seamlessly.

Impact
==========
After the DLL has been implemented, an unsuspected user that will run the
program will cause it to load, resulting in arbitrary code execution with
user's privilege level.

Solution
==========
Apply the appropriate Hotfix released by Checkpoint (one line URL):
https://supportcenter.checkpoint.com/supportcenter/portal?
            eventSubmit_doGoviewsolutiondetails=&solutionid=sk76480

Credits
==========
The issue was responsibly reported by Moshe Zioni from Comsec Global Consulting.

Timeline
===========
11 June 2012
Checkpoint officialy announce a Hotfix for the issue
6 June 2012
Checkpoint reported on finishing a fix to the reported issue
16 May 2012
Further correspondance (Comsec-Checkpoint) took place, discussing a remidiation
15 May 2012
First response from Checkpoint Security Team
15 May 2012
Bug reported by Moshe Zioni from Comsec Global Consulting

References
===========
Checkpoint
http://www.checkpoint.com/
Comsec Global Consulting
http://www.comsecglobal.com/