NCP VPN/PKI Client - various Bugs

2006.03.02
Risk: Medium
Local: Yes
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Application: NCP VPN/PKI Client Site: http://www.ncp.de Version: 8.11, Build 146 and maybe lower OS: Windows Bugs: Local Privilige Escalation, DoS and other Product: ======== NCP's Secure Communications provides a comprehensive portfolio of products for implementing total solutions for high-security remote access. These software-based products comply fully with all current major technology standards for communication and encryption, as defined by the IETF (Internet Engineering Task Force) and ITU (International Telecommunication Union). Consequently all products can be smoothly integrated into any existing network and communication architectures. Your Internet infrastructure, which may already consist of third-party security and access components, can be further used without changes ? thus avoiding any unnecessary administrative costs. About: ====== I found a few Bugs/Problems in the NCP VPN/PKI Client. If you read this post you probably notice that this list of errors and bugs is just the result of some really short tests. I'm *really* sure that there are still some nice bugs. 1.: - Unnamed =============================== If you create a rule using the Client Firewall you're able to bind an application to this rule. Unfortunately no hash value (for instance) will be created for this application. So you can easily pick another application, put it into the directory, rename it and use it with this rule. VENDOR RESPONSE: NCP is aware about this problem. A later version of the client will come with a hash-function. 2.: - Buffer Overflow with Privilege Escalation (some sort of), DoS =================================================================== Some of the installed applications didn't like it to start with a large amount of arguments. example 1: In my current test-configuration I'm not able to go to or configure 'IPSec' in the menu 'configuration'. If I run 'ncpmon.exe' with >=261 characters I get a slightly different gui. And it's not only the gui which is different. Now I'm able to go to the 'IPSec' menu and configure the settings. example 2: Run 'ncprwsnt.exe' with enough arguments and your cpu utilization will raise 100%. VENDOR RESPONSE: NCP is currently checking this problem(s). 3: - DoS, remote ================ I picked the first DoS code I found, tried it and was surprised that this old piece of code is still working. Using the 'ZoneAlarm remote Denial Of Service exploit'[1] it's possible to raise the memory usage and the cpu utilization. Let it run for 1-2 minutes and you will notify the decreasing speed of your machine. And at least it's possible to make it impossible for you to continue working with the pc. VENDOR RESPONSE: NCP is currently checking this problem(s). 4: - Local Privilege Escalation =============================== One feature of the client is that you can execute a script called 'connect.bat' after you established a connection with your vpn-gateway. The script isn't executed by the client, but by the service 'ncprwsnt' which runs with the local system account. So add a little script in the program dir of the NCP VPN/PKI Client with a nice 'net user /add' and 'net localgroup /add' mix to escalate your privileges. VENDOR RESPONSE: This 'Feature' is known to NCP. A couple of customers are using exactly this functionality. A new relase of the NCP VPN/PKI Client, which will arrive in the next few weeks, will fix this 'problem'. History: ======== 2006-02-13: Found the Bugs 2006-02-15: Mailed the vendor 2006-02-16: The vendor replied Thanks to the really nice and cool support from ncp :) ports [1] http://cert.uni-stuttgart.de/archive/bugtraq/2003/09/msg00020.html -- SYS 64767


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top