SecurityReason.com - Our Reason is Security


Topic : Checkpoint SecuRemote/Secure Client NGX Auto Local Logon Vulnerability

SecurityAlert : 3627
CVE : CVE-2008-0662
SecurityRisk : Low
Remote Exploit : No
Local Exploit : Yes
Exploit Given : No
Credit : Michael Neal Vasquez
Published : 11.02.2008

Affected Software :
- Checkpoint, VPN-1 SecureClient, NGAI R56
- Checkpoint, VPN-1 SecureClient, NGX R60

Advisory Text :

http://www.digihax.com

Bulletin Release 02.06.08

Checkpoint SecuRemote/Secure Client NGX Auto Local Logon Vulnerability
(Or, How to Be Bill Gates, if Bill Gates uses a CheckPoint VPN Client)

Discovery Date:
December 13, 2007

Vendor Release Date:
February 6, 2008

Severity:
Impersonation of users. What's your VPN protecting?
Checkpoint says.... MEDIUM

Vendor:
Checkpoint

Systems Affected:
VPN-1 SecuRemote/SecureClient NGX R60 for Windows
VPN-1 SecuRemote/SecureClient NGAI R56 for Windows
Earlier versions may be affected as well

Overview:
Issues with credential storage in the registry allow anyone with read
access to the registry to utilize stored credentials to login and
impersonate the user who stored their credentials.

Technical Details:
Sorry, no sexxy buffer overflow! However, you too can be an
authenticated VPN user!
Checkpoint's VPN client has an option to store credentials. All users
have read access to the registry key where these are stored. A user
can export this registry key, install the software, and configure it
to cache credentials. Then, import the registry and connect. No
prompting, and you are now the alternate user. Bad hacker, bad!

Scenario:
A user has enabled the Auto Local Logon option in the client, and
stored their credentials. These credentials are kept in the registry,
under HKLM\Software\Checkpoint\SecuRemote. Credentials are
specifically under the subkey named... "Credentials"... sneaky!
Permissions for the Checkpoint key are set to Everyone - Full Control.
This means anyone with a local logon to the machine, or any
administrator from a remote machine, if remote registry access is
enabled, can view and export this key. Next step: Install the client
on another machine, and reboot as required. Configure Auto Local
Logon, and create a site, but provide no credentials. Import the key.
You are now the other person. Probably not Bill Gates, but still,
messy.

Fix:
Disable the caching of credentials. Who's a fan of that anyway.
Alternately, see the vendor fix below.
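
An audit sketch for the exposure described above, added here as an example and not part of the original advisory or any Check Point tooling. It reports whether the Credentials subkey exists, which broad groups are granted access on the key, and whether remote registry access is available. The key path is the one named in the advisory; the WOW6432Node path is an assumption for a 32-bit client on 64-bit Windows.

```powershell
# Added audit example; not from the advisory or the vendor.
param(
    [string[]]$KeyPaths = @(
        'HKLM:\Software\Checkpoint\SecuRemote',
        # Assumption: a 32-bit client on 64-bit Windows is redirected here.
        'HKLM:\Software\WOW6432Node\Checkpoint\SecuRemote'
    )
)

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

function Get-BroadRegistryAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Resolve every ACE to a SID so matching does not depend on OS language.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $BroadSids -contains $rule.IdentityReference.Value) {
            # Read access alone is enough to export the key, so any
            # Allow entry for a broad group is reported.
            [pscustomobject]@{
                Key       = $Path
                Sid       = $rule.IdentityReference.Value
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

foreach ($key in $KeyPaths) {
    if (-not (Test-Path -Path $key)) { continue }
    $targets = @($key)
    $cred = Join-Path $key 'Credentials'
    if (Test-Path -Path $cred) {
        Write-Warning "Cached credentials subkey present: $cred"
        $targets += $cred
    }
    $targets | ForEach-Object { Get-BroadRegistryAccess -Path $_ }
}

# The advisory notes that remote registry access extends the exposure.
$svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    Write-Warning 'RemoteRegistry service is running.'
}
```

An empty result with no warnings means the key is absent or no broad group has an Allow entry on it; a row with FullControl for S-1-1-0 matches the condition the advisory describes.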

Vendor Status:
Checkpoint has released a bulletin for this issue, at:
https://supportcenter.checkpoint.com/supportcenter/PublicLoginRedirect.jsp?toURL=eventSubmit_doGoviewsolutiondetails=%26solutionid=sk34315
Good job, Check Point! Thanks for all the follow through, I'd work
with you guys again. Vendor timeline below.

Credit:
MN Vasquez

Greetings:
<3 4 God, nothing else matters. Props to #13 Kurt Warner, Ron
Wolfley & Johnny Long, who "get it". Miss u dad.
BOC 4 lyfe!, 'sup to Debuc, Mekt, and jhs87. Thanks to the fam, & mom
for everything.
Danielle - I love you!
Ang - I am so proud of you!

& hey. Can we get "Heroes" back on the air already? Kthx.

Vendor Timeline
12.13.2007: Vendor notified via support portal
12.13.2007: Vendor escalated to security team
12.14.2007: Vendor requested more detail, detail provided
12.19.2007: Vendor confirmed and scheduled initial fix by 1.23.2008
1.16.2008: Vendor requested delay til ~2.4.2008
2.4.2008: Vendor confirmed release date of 2.5.2008 @ 4:00pm PST
2.5.2008: Vendor released bulletin on website, no customer notification
2.6.2006: Vendor reports they notified customers at 4:00PM PST

Copyright (c) 2008 Mike Vasquez
You can redistribute electronically, but don't edit it in any way
without the express permission of Mike Vasquez. Any reprint of this
alert, in whole or in part in any non-electronic medium must have
permission, email mnv at alumni dot princeton dot edu.

Disclaimer
This alert may change without notice. Use of this info constitutes
acceptance for use AS IS. No warranties are implied or expressed. I'm
not liable for direct or indirect damages arising from the use or
distribution of this information. Use it at your own risk.




