[NT] Checkpoint VPN-1 SecureClient Insecure Usage of CreateProcess()
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 25 Jan 2006 11:06:20 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Checkpoint VPN-1 SecureClient Insecure Usage of CreateProcess()
------------------------------------------------------------------------
SUMMARY
The Microsoft Windows API "includes the CreateProcess() function as a means to create a new process and its primary thread" (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocess.asp).
Improper use of the Windows API function CreateProcess() allows attackers to
execute arbitrary programs with elevated privileges.
DETAILS
During startup, SR_Watchdog.exe spawns the GUI process (SR_GUI.exe) through
the CreateProcess() function. In doing so it leaves the 'lpApplicationName'
parameter unset (NULL) and also does not quote the path passed in the
'lpCommandLine' parameter.
Because CreateProcess() must then locate the executable by parsing the
unquoted command line, a file named c:\program.bat|exe|com is executed prior
to SR_GUI.exe, allowing automatic startup of a potentially rogue application.
In particular, one could imagine a scenario where this is used to escalate
rights, as they are inherited from SR_Watchdog.exe.
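The following is an added example (not Check Point's code and not from the original advisory) that models the two CreateProcess() behaviours described above: unquoted_candidates() lists the module names Windows would try for an unquoted command line when lpApplicationName is NULL, and build_safe_command_line() plus the Windows-only spawn_gui_safely() show the hardened call. The install path SR_GUI_PATH is a hypothetical value chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Hypothetical install path (not taken from the advisory), for illustration. */
#define SR_GUI_PATH "C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"
/* With lpApplicationName == NULL, CreateProcess() parses lpCommandLine itself: it
 * tries the text up to each space as the module name (appending .exe when that text
 * has no extension) before the full path.  This lists the candidates in that order. */
int unquoted_candidates(const char *cmdline, char out[][260], int max)
{
    int n = 0;
    if (cmdline[0] == '"')      /* quoted: only the quoted module is tried */
        return 0;
    for (const char *p = cmdline; *p && n < max; p++) {
        if (*p == ' ') {
            size_t len = (size_t)(p - cmdline);
            if (len >= 260) break;
            memcpy(out[n], cmdline, len);
            out[n][len] = '\0';
            n++;
        }
    }
    if (n < max) {
        strncpy(out[n], cmdline, 259);
        out[n][259] = '\0';
        n++;
    }
    return n;
}

/* Hardened form: quote the command line (and pass the module name explicitly),
 * so no prefix of the path is ever tried as an executable. */
int build_safe_command_line(const char *exe, const char *args, char *buf, size_t n)
{
    int w = snprintf(buf, n, "\"%s\"%s%s", exe, *args ? " " : "", args);
    return w > 0 && (size_t)w < n;
}

#ifdef _WIN32
BOOL spawn_gui_safely(void)     /* added example, not Check Point's own code */
{
    char cmd[512];
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi;
    if (!build_safe_command_line(SR_GUI_PATH, "", cmd, sizeof cmd)) return FALSE;
    return CreateProcessA(SR_GUI_PATH, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
}
#endif
```

On a Windows build the first candidate printed by unquoted_candidates() for the unquoted path is "C:\Program", which is exactly the c:\program.* file the advisory says wins the race; the quoted form yields no such candidate.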
ADDITIONAL INFORMATION
The information has been provided by Thierry Zoller <mailto:Thierry@xxxxxxxxx>.
The original article can be found at:
http://secdev.zoller.lu/research/checkpoint.txt
The advisory about CreateProcess() can be found at:
http://www.securiteam.com/windowsntfocus/6X00S0AELA.html
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.