-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: Check Point VPN-1 SecuRemote/SecureClient fw.sys Kernel Driver Memory Corruption Vulnerability
Advisory ID: TKADV2007-005
Revision: 1.0
Release Date: 2007/11/18
Last Modified: 2007/11/18
Date Reported: 2007/10/07
Author: Tobias Klein (tk at trapkit.de)
Affected Software: VPN-1 SecuRemote/SecureClient <= NGX R60
                   VPN-1 SecuRemote/SecureClient <= NG AI R56
                   VPN-1 SecureClient <= NG AI R56 for Mac OS X
                   VPN-1 SecuRemote/SecureClient <= NG AI R55
Remotely Exploitable: No
Locally Exploitable: Yes
Vendor URL: http://www.checkpoint.com
Vendor Status: Vendor has released an updated version
Patch development time: 37 days

======================
Vulnerability details:
======================

The kernel driver fw.sys shipped with SecuRemote/SecureClient contains a
vulnerability in the code that handles ioctl requests. Exploitation of this
vulnerability can result in:

1) local denial of service attacks (system crash due to a kernel panic), or
2) local execution of arbitrary code at the kernel level (complete system
   compromise)

The issue can be triggered by sending a specially crafted ioctl request.

======================
Technical description:
======================

The ioctl 0xfa040b20 of the fw.sys kernel driver accepts user supplied input.
The first dword of this user supplied input is loaded into the EBP register
without any validation (see .text:0002197A in the disassembly below).

.text:0002196E    cmp     esi, 0FA040B20h     ; vulnerable IOCTL
.text:00021974    jnz     loc_23D09
.text:0002197A    mov     ebp, [ebp+0]        ; the user supplied value gets copied into EBP

Later on the user supplied value is used as a call target (see .text:000219A2
in the disassembly below). Nothing between the load and the call checks the
value: the call to sub_59A00 only produces the argument that ends up in EDI,
and the conditional call to sub_1C430 (taken when the flag 10000010h is set in
dword_DBF18) merely receives the value together with the string
aFwregisterCall.

.text:0002197D    call    sub_59A00
.text:00021982    mov     edi, eax
.text:00021984    mov     eax, dword_DBF18
.text:00021989    mov     ebx, 10000010h
.text:0002198E    test    eax, ebx
.text:00021990    jz      short loc_219A1
.text:00021992    push    edi
.text:00021993    push    ebp
.text:00021994    push    offset aFwregisterCall
.text:00021999    call    sub_1C430
.text:0002199E    add     esp, 0Ch
.text:000219A1 loc_219A1:
.text:000219A1    push    edi
.text:000219A2    call    ebp                 ; the user supplied value gets called

Because the call target is an arbitrary user controlled address, a local user
who can send this ioctl to the driver obtains full control of the kernel
execution flow: an invalid address crashes the system, a chosen address runs
attacker supplied code in kernel mode.

=========
Solution:
=========

Upgrade to SecuRemote/SecureClient NGX R60 HFA2 Security HotFix 1 for Windows
or SecureClient R56 Security HotFix 1 for Mac OS X.

http://www.checkpoint.com/downloads/index.html

========
History:
========

2007/09/24 - Vendor notified the 1st time using security@us.checkpoint.com
             (mail delivery failure)
2007/09/24 - Vendor notified a 2nd time using info@checkpoint.com and
             support@ts.checkpoint.com (no response)
2007/09/27 - Vendor notified a 3rd time using info@checkpoint.com and
             support@ts.checkpoint.com
2007/09/28 - Vendor asks if I could submit a Service Request using the
             Check Point Usercenter
2007/09/29 - Vendor notified a 4th time through the Check Point Usercenter
2007/09/29 - Vendor response stating that my mail address does not contain
             any products and is not covered by either a software
             subscription or support contract and that I should contact my
             local Check Point Representative
2007/10/01 - Vendor notified a 5th time using info@checkpoint.de
2007/10/02 - Mail delivery failure response
2007/10/03 - Vendor notified a 6th time using info@checkpoint.de and an
             alternative sender address
2007/10/05 - Mail delivery failure response
2007/10/05 - Vendor notified a 7th time using press@us.checkpoint.com,
             info@checkpoint.com and sales@checkpoint.com
2007/10/05 - Response from the security response team of Check Point
2007/10/06 - Asking for a PGP key
2007/10/07 - Vendor response with PGP key. Detailed information sent to
             Check Point
2007/10/08 - Vendor confirms the vulnerability
2007/10/09 - Vendor information about the date a fix will be made available
2007/10/10 - Vendor information about the advisory content
2007/11/13 - Vendor released an updated version (hotfix)
2007/11/18 - Full technical details released to general public

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.

===========
References:
===========

[1] Check Point Solution ID #sk33824
    https://secureknowledge.checkpoint.com/SecureKnowledge/viewSolutionDocument.do?lid=sk33824
[2] http://www.checkpoint.com/downloads/downloads/srsc/SecureClient_Security_Hotfix1_ReleaseNotes.pdf
[3] http://www.trapkit.de/advisories/TKADV2007-005.txt

========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are no
warranties, implied or express, with regard to this information. In no event
shall the author be liable for any direct or indirect damages whatsoever
arising out of or in connection with the use or spread of this information.
Any use of this information is at the user's own risk.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2007 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBR0C0eJF8YHACG4RBEQL2qwCgiqmH/dtuKjUhXs4bXfaW1TsUqb4AoNqS
H7uGCJ/DbfUQkt0cLOtrp47b
=dXE9
-----END PGP SIGNATURE-----
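Editor's note (not part of the signed advisory): the bug above is the classic "trust a pointer that crossed the user/kernel boundary" pattern in an ioctl dispatcher. The following is a constructed, portable user-mode C model of it, written for this page and not Check Point code. fw_ioctl_vulnerable() reproduces the shape of the disassembly (load the first machine word of the input buffer, call it); fw_ioctl_hardened() shows the fix a driver author would apply: user mode may select a callback only by index into a driver-owned table, never by address, and the index is bounds-checked on a copy the caller can no longer modify. Everything else is an assumption for the model: the function names, the callback table, the use of uintptr_t in place of the 32-bit EBP, the argument passed in EDI (the advisory shows it comes from sub_59A00; here it is a constant), and the input-length check, which the advisory says nothing about.

```c
/* Constructed model of the fw.sys ioctl 0xfa040b20 flaw (TKADV2007-005).
 * Not Check Point code. Names, table and constants are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define FW_IOCTL_VULN  0xfa040b20u   /* ioctl code named in the advisory */

#define FW_OK           0
#define FW_BAD_IOCTL   -1
#define FW_BAD_LENGTH  -2
#define FW_BAD_INDEX   -3

typedef void (*fw_callback_t)(uintptr_t arg);

/* Stand-in for the value sub_59A00 returns in EDI; a constant in the model. */
static const uintptr_t FW_CALL_ARG = 0x1234;

/* Bookkeeping so a caller can see which callback ran and with what argument. */
static int       g_last_callback = -1;
static uintptr_t g_last_arg      = 0;

static void cb_audit(uintptr_t arg)  { g_last_callback = 0; g_last_arg = arg; }
static void cb_notify(uintptr_t arg) { g_last_callback = 1; g_last_arg = arg; }

/* Driver-owned table: the only code the hardened path will ever call. */
static const fw_callback_t g_callbacks[] = { cb_audit, cb_notify };
#define N_CALLBACKS (sizeof g_callbacks / sizeof g_callbacks[0])

/* Vulnerable shape, mirroring "mov ebp,[ebp+0] ... call ebp":
 * inbuf is the ioctl input buffer exactly as user mode supplied it. */
int fw_ioctl_vulnerable(uint32_t code, const void *inbuf, size_t inlen)
{
    if (code != FW_IOCTL_VULN) return FW_BAD_IOCTL;
    if (inlen < sizeof(uintptr_t)) return FW_BAD_LENGTH;  /* assumed check */

    uintptr_t target;
    memcpy(&target, inbuf, sizeof target);   /* mov ebp, [ebp+0]            */
    ((fw_callback_t)target)(FW_CALL_ARG);    /* call ebp: any address at all */
    return FW_OK;
}

/* Hardened shape: user mode names a callback by index, never by address. */
struct fw_ioctl_input_fixed {
    uint32_t callback_index;
};

int fw_ioctl_hardened(uint32_t code, const void *inbuf, size_t inlen)
{
    if (code != FW_IOCTL_VULN) return FW_BAD_IOCTL;
    if (inlen < sizeof(struct fw_ioctl_input_fixed)) return FW_BAD_LENGTH;

    struct fw_ioctl_input_fixed in;
    memcpy(&in, inbuf, sizeof in);           /* copy first, then validate the copy */
    if (in.callback_index >= N_CALLBACKS) return FW_BAD_INDEX;

    g_callbacks[in.callback_index](FW_CALL_ARG);
    return FW_OK;
}

int       fw_last_callback(void) { return g_last_callback; }
uintptr_t fw_last_arg(void)      { return g_last_arg; }

/* Drivers for the two handlers with constructed "user" buffers. In the
 * vulnerable case an attacker would place a kernel address of their choosing
 * in the buffer; the model uses a harmless local function instead. */
int fw_demo_vulnerable(void)
{
    uintptr_t buf = (uintptr_t)cb_notify;
    return fw_ioctl_vulnerable(FW_IOCTL_VULN, &buf, sizeof buf);
}

int fw_demo_hardened(uint32_t index)
{
    return fw_ioctl_hardened(FW_IOCTL_VULN, &index, sizeof index);
}

int main(void)
{
    printf("vulnerable: rc=%d callback=%d\n", fw_demo_vulnerable(), fw_last_callback());
    printf("hardened idx=1: rc=%d callback=%d\n", fw_demo_hardened(1), fw_last_callback());
    printf("hardened idx=99: rc=%d\n", fw_demo_hardened(99));
    return 0;
}
```

The vulnerable handler never has a chance to reject a bad pointer because there is no property of a raw address it could check; the hardened handler has a small closed set of valid inputs and checks membership before doing anything with the value. Copying the input into driver-owned storage before validating it matters too: with METHOD_NEITHER ioctls on Windows the input buffer remains user memory, so validating in place would leave a window in which user mode changes the value after the check.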