Click "VPN Options" in Client GUI and then close this windows. If we pointed to "C:\Program Files (x86)\CheckPoint\Endpoint Connect\LogonISReg.dll" in step 2 then we can replace this DLL with custom one.ħ. Now your file has permissions changed and you have all access to it.Ħ. Restart system as service needs to be restarted to make an archive.ĥ. It can be done by using software as normal user.Ĥ. For ZoneAlarm it is 50Mb, for VPN it is 20Mb. Fill tvDebug.log log file above the limit.
Create hardlink (using CreateHardlink.exe) named tvDebug.zip which points to other file that we would like to have permissions to (this file must not be taken by other process when Check Point service tries to use it)ģ.
If tvDebug.zip file exists then delete itĢ. Taking all of this into account we can create an attack scenario:ġ.
Check point vpn windows 10 e80.83 archive#
The same permissions are set for this archive file so all authenticated users can access it. However it was noticed that when this log file reaches some limit (depending on software) then it is archived to the same location and name but with ZIP extension. However this file could not be used for exploitaion as it is always used/taken by Check Point service so for example this is why users cannot delete it in normal conditions (unless service crashes and/or is restarted).
Check point vpn windows 10 e80.83 full#
Over this log file all authenticated users have full control and it was found that Check Point service writes to it with SYSTEM privileges. It was found that Check Point software (Endpoint Security Client and ZoneAlarm) uses tvDebug.log file stored in "C:\Windows\Internet Logs\tvDebug.log" or in ProgramData, for example "C:\ProgramData\CheckPoint\ZoneAlarm\Logs\tvDebug.log". It is possible to change permissions of arbitrary file so that user have full control over it after exploitation which results in Local Privilege Escalation. # Version: Check Point Endpoint Security VPN <= E80.87 Build 986009514 Change Mirror Download # Exploit Title: CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation
0 kommentar(er)
