Client-side remote file upload & command execution

SEC Consult Vulnerability Lab Security Advisory < 20110810-0 >

=======================================================================

title: Client-side remote file upload & command execution

product: Check Point SSL VPN On-Demand applications (signed Java

applet and ActiveX control)

* SSL Network Extender (SNX)

* SecureWorkSpace

* Endpoint Security On-Demand

supplied by Check Point Connectra or other security

gateways

vulnerable version: multiple products, see sections below

fixed version: multiple products, see sections below

CVE number: CVE-2011-1827

impact: critical

homepage: www.checkpoint.com

found: 2011-03-28

by: Johannes Greil / SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor/product description:

-----------------------------

"SSL Network Extender (SNX) is a browser plug-in that provides clientless

remote access, while delivering full network connectivity for any IP-based

application."

 

URL: www.checkpoint.com/products/ssl_network_ext/

 

"Comprehensive Endpoint Security

Scans for spyware to ensure that malicious processes, keystroke loggers, and

Trojan horses are not installed on remote endpoints, Connectra scans for these

and other spyware through remote users’ browsers. By disabling spyware and

enforcing baseline security requirements before it grants SSL VPN access,

Connectra stops identity and password theft and prevents data loss."

 

URL: www.checkpoint.com/products/connectra/

 

 

Vulnerability overview/description:

-----------------------------------

The client-side endpoint security solution (SSL Network Extender (SNX),

SecureWorkSpace and Endpoint Security On-Demand), e.g. supplied by a Check

Point Connectra or other Check Point security appliances on the portal page,

uses either a signed Java applet (called CShell or Deployment Agent) or

ActiveX control to perform local compliance scans on the client.

 

Due to quality issues within the software, an attacker is able to access

insecure methods from the "trustworthy" Java applet or ActiveX control and

exploit those features to compromise all client systems that trust the

correctly signed Java applet or ActiveX control (e.g. all users that need to

use this software for accessing internal systems over company VPN).

 

As SEC Consult does not provide free of charge quality assurance for software

vendors above providing information in advisories, no further proof of

concepts than this advisory / exploit have been created.

 

 

The Check Point Deployment agent Java applet or ActiveX control have a "Secure

Workspace" (SWS) feature which is provided per default in "sws.jar" (or

"sws.cab"). This JAR-file is extracted to %TEMP%\SWS (Windows) or /tmp/SWS

(Linux). It includes the executable CPSWS.exe and some other XML and DLL files

(side note: it is no workaround to remove "sws.jar" on the company Check Point

Connectra appliance as this file can also remotely be deployed or fetched).

 

Calling the public method "CreatePackageURL" it is possible for an attacker to

load the SWS feature/package. Afterwards "RunPackageAction" can be called to

access the following actions of the "Secure Workspace" component:

1) runExeStart

2) runCmd

3) setXmlFile

4) dwnldFile

5) createCmdFile

 

The proof of concept uses "dwnldFile" and "runCmd" to upload an arbitrary

executable file and store it as "CPSWS.exe" within the temporary directory of

the victim's client system. Then "runCmd" is being called to automatically run

the new malicious "CPSWS.exe" and compromise the client system.

 

So it's not just possible to execute commands on the clients but also to

choose one's own arbitrary malicious payload.

 

 

==>>

Summing up, an attacker is able to upload arbitrary executable files to remote

clients and then immediately execute them without notice as a signed Java

applet / ActiveX is being used (if "Always trust content from this publisher"

has been checked - otherwise an unsuspicious Java digital signature

verification popup will occur).

 

Possible attack vectors are drive-by downloads just by visiting malicious

websites but also through emails, any XSS on unsuspicous websites, etc.

 

 

Proof of concept:

-----------------

The exploit will not be published, but a video demonstrating this issue has

been created. It can be found at the following URL:

 

www.sec-consult.com/files/110810_checkpoint_exploit.mp4

 

 

Vulnerable / tested versions:

-----------------------------

The Deployment agent component of the Check Point Connectra R66 appliance has

been tested and successfully exploited. Furthermore, a newer R70 has also been

tested and found vulnerable.

 

Vulnerable signed Java applet certificate SHA1 fingerprint:

F6:40:1D:7B:67:08:3C:0F:3D:2A:9F:BC:69:E2:AD:6C:A5:D6:F5:8D

 

Vulnerable ActiveX control "SlimClient Class" Class ID:

{B4CB50E4-0309-4906-86EA-10B6641C8392}

 

Further information regarding affected Class ID and Oracle Java Blacklist SHA1-Hashes

can be found within the advisory of Check Point.

 

The following affected product/version information has been supplied by Check

Point:

- R65.70

- R70.40

- R71.30

- R75

- Connectra R66.1

- Connectra R66.1n

- VSX R65.20

- VSX R67

 

 

 

Vendor contact timeline:

------------------------

2011-03-31: Contacting Check Point security team

(security-alert@checkpoint.com), received auto-reply email

2011-03-31: Vendor: Very fast response, issue is being investigated, Check

Point will reply early next week

2011-04-03: Vendor: asking for further information, exploit setup

2011-04-04: Replying to vendor

2011-04-05: Vendor: confirmation of vulnerability, more information

end of week

2011-04-08: Asking for status

2011-04-09: Vendor: Working on the fix and release plan

2011-04-11: Asking for CVE number @MITRE

2011-04-12: Sending more details to MITRE, asking Check Point for version

numbers and affected products

2011-04-13 - 2011-04-22: Coordination with Check Point regarding release and

fix

2011-04-21: Contacting local CERT (Austria, Germany)

2011-04-25: Check Point releases their advisory including patches

2011-04-26: Asking again for CVE number

2011-05-26: Asking about status for Microsoft killbit patch

2011-05-29: Vendor: Microsoft did postpone patch from June to August

2011-08-08: Asking about status for patch; Vendor: MS publication expected

2011-08-09: Microsoft publishes killbit patch

2011-08-10: Coordinated release of SEC Consult advisory

 

 

 

Solution:

---------

The following patches have been supplied by Check Point:

- Hotfix for R65.70

- Hotfix for R70.40

- Hotfix for R71.30

- Hotfix for R75

- Hotfix for Connectra R66.1

- Hotfix for Connectra R66.1n

- Hotfix for VSX R65.20

- Hotfix for VSX R67

 

For further information see the advisory of Check Point:

supportcenter.checkpoint.com/supportcenter/portal

 

 

The following Microsoft Killbit Patch should be applied:

www.microsoft.com/technet/security/advisory/2562937.mspx

 

 

Workaround:

-----------

You should really apply the patches and invalidate the vulnerable ActiveX

control and Java applet.

 

Detailed information and a howto including tools can be found within the

advisory of Check Point.

 

 

Advisory URLs:

-------------

www.sec-consult.com/en/advisories.html

 

supportcenter.checkpoint.com/supportcenter/portal

 

www.microsoft.com/technet/security/advisory/2562937.mspx

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF J. Greil / @2011