Vulnerability Name:

CVE-2006-0255 (CCN-23094)

Assigned:2005-11-15
Published:2005-11-15
Updated:2018-10-19
Summary:Unquoted Windows search path vulnerability in Check Point VPN-1 SecureClient might allow local users to gain privileges via a malicious "program.exe" file in the C: folder, which is run when SecureClient attempts to launch the Sr_GUI.exe program.
CVSS v3 Severity:5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.9 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.8 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Privileges
References:Source: CCN
Type: Full-Disclosure Mailing List, Mon May 09 2005 - 15:14:02 CDT
Useless tidbit

Source: CCN
Type: Full-Disclosure Mailing List, Tue Jan 17 2006 - 15:45:14 CST
[ TZO-012006 ] Checkpoint VPN-1 SecureClient insecure usage of CreateProcess()

Source: CCN
Type: Full-Disclosure Mailing List, Wed Aug 29 2007 - 17:27:07 CDT
Multiple improper file path handling issues

Source: MITRE
Type: CNA
CVE-2005-2935

Source: MITRE
Type: CNA
CVE-2005-2936

Source: MITRE
Type: CNA
CVE-2005-2938

Source: MITRE
Type: CNA
CVE-2005-2939

Source: MITRE
Type: CNA
CVE-2005-2940

Source: MITRE
Type: CNA
CVE-2005-3663

Source: MITRE
Type: CNA
CVE-2006-0255

Source: MITRE
Type: CNA
CVE-2019-4245

Source: MISC
Type: UNKNOWN
http://secdev.zoller.lu/research/checkpoint.txt

Source: CCN
Type: SA19358
RealNetworks Products Multiple Buffer Overflow Vulnerabilities

Source: CCN
Type: SECTRACK ID: 1015222
Apple iTunes for Windows Improper CreateProcess() Call Lets Local Users Execute Arbitrary Code

Source: CCN
Type: SECTRACK ID: 1015223
RealPlayer Improper CreateProcess() Call Lets Local Users Execute Arbitrary Code

Source: CCN
Type: SECTRACK ID: 1015224
Kaspersky Anti-Virus for Windows File Servers Improper CreateProcess() Call Lets Local Users Execute Arbitrary Code

Source: CCN
Type: SECTRACK ID: 1015225
VMware Workstation Improper CreateProcess() Call Lets Local Users Execute Arbitrary Code

Source: CCN
Type: SECTRACK ID: 1015226
Microsoft AntiSpyware Improper CreateProcess() Call Lets Local Users Execute Arbitrary Code

Source: CCN
Type: RealNetworks Customer Support - Real Security Updates March 16, 2006
RealNetworks Releases Product Updates.

Source: CCN
Type: Apple Web site
Apple - ITunes - Download iTunes

Source: CCN
Type: iDEFENSE Security Advisory 11.15.05
Multiple Vendor Insecure Call to CreateProcess() Vulnerability

Source: CCN
Type: OSVDB ID: 17088
Microsoft AntiSpyware gsasDtServ.exe Path Subversion Privilege Escalation

Source: CCN
Type: OSVDB ID: 20988
Apple iTunes iTunesHelper.exe Path Subversion Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 21009
Kaspersky Anti-Virus Search Path Subversion Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 21010
RealPlayer Path Subversion Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 21011
VMware Workstation Search Path Subversion Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 22703
Check Point VPN-1 SecureClient SR_Watchdog.exe Path Subversion Local Privilege Escalation

Source: BUGTRAQ
Type: UNKNOWN
20060117 [ TZO-012006 ] Checkpoint VPN-1 SecureClient insecure usage of CreateProcess()

Source: CCN
Type: BID-15446
Apple iTunes 6 For Windows Arbitrary Local Code Execution Vulnerability

Source: CCN
Type: BID-15448
Multiple Vendor lpCommandLine Application Path Vulnerability

Source: BID
Type: UNKNOWN
16290

Source: CCN
Type: BID-16290
Check Point VPN-1 SecureClient Path Specification Local Privilege Escalation Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2006-0258

Source: XF
Type: UNKNOWN
multiple-vendor-insecure-createprocess(23094)

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [08-15-2012]

Source: CCN
Type: IBM Security Bulletin 880775 (Cognos TM1)
IBM Cognos TM1 is affected by multiple vulnerabilities (CVE-2018-15494, CVE-2019-4245)

Source: CCN
Type: IBM Security Bulletin 884724 (Planning Analytics)
Multiple vulnerabilities affect IBM Planning Analytics

Vulnerable Configuration:Configuration 1:
  • cpe:/a:checkpoint:vpn-1:*:*:fp1:*:*:*:*:*
  • OR cpe:/a:checkpoint:vpn-1:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:checkpoint:vpn-1:4.1:sp1:*:*:*:*:*:*
  • OR cpe:/a:checkpoint:vpn-1:4.1:sp2:*:*:*:*:*:*
  • OR cpe:/a:checkpoint:vpn-1:4.1:sp3:*:*:*:*:*:*
  • OR cpe:/a:checkpoint:vpn-1:4.1:sp4:*:*:*:*:*:*
  • OR cpe:/a:checkpoint:vpn-1:4.1:sp5:*:*:*:*:*:*
  • OR cpe:/a:checkpoint:vpn-1:4.1:sp5a:*:*:*:*:*:*
  • OR cpe:/a:checkpoint:vpn-1:4.1:sp6:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:apple:itunes:4.7.1.30:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:antispyware:1.0.509:beta1:*:*:*:*:*:*
  • OR cpe:/a:checkpoint:vpn-1_secureclient:-:*:*:*:*:*:*:*
  • OR cpe:/a:norman:norman_virus_control:5.90:*:*:*:*:*:*:*
  • OR cpe:/a:agnitum:outpost_firewall:*:*:pro:*:*:*:*:*
  • OR cpe:/a:agnitum:outpost_security_suite:6.7.3.3063.452.0726:-:professional:*:*:*:*:*
  • OR cpe:/a:hauri:virobot_desktop:5.5:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:workstation:5.0.0_build_13124:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:cognos_tm1:10.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0.6:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    checkpoint vpn-1 *
    checkpoint vpn-1 4.1
    checkpoint vpn-1 4.1 sp1
    checkpoint vpn-1 4.1 sp2
    checkpoint vpn-1 4.1 sp3
    checkpoint vpn-1 4.1 sp4
    checkpoint vpn-1 4.1 sp5
    checkpoint vpn-1 4.1 sp5a
    checkpoint vpn-1 4.1 sp6
    apple itunes 4.7.1.30
    microsoft antispyware 1.0.509 beta1
    checkpoint vpn-1 secureclient -
    norman norman virus control 5.90
    agnitum outpost firewall *
    agnitum outpost security suite 6.7.3.3063.452.0726 -
    hauri virobot desktop 5.5
    vmware workstation 5.0.0_build_13124
    ibm cognos tm1 10.2.2
    ibm planning analytics 2.0.3
    ibm planning analytics 2.0
    ibm planning analytics 2.0.1
    ibm planning analytics 2.0.2
    ibm planning analytics 2.0.4
    ibm planning analytics 2.0.5
    ibm planning analytics 2.0.6