Title: NCP-e Secure Entry VPN Client File Open DLL Planting RCE
Author: sh4d0wman
Date: 12/09/2018
CWE-427: Uncontrolled Search Path Element
Impact: Code Execution
Vendor: https://www.ncp-e.com/en/
Product: NCP Secure Entry Client for Windows
Version: 10.13 Build: 38541
Tested on: Windows 7-x86, other versions likely vulnerable as well (W10 / x64 arch, not tested)
--------------------
Description:
--------------------
ncpmon.exe is the handler for the ".pcf", ".spd", ".wge" and ".wgx" file formats.
While opening such a file it attempts to load a DLL that does not exist on the system, and the search includes the current working directory (CWD) of the opened file.
An attacker who can write to that location can plant a malicious DLL under the expected name.
This results in code execution with the privileges of the current user.
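A defender-side hunt for this issue, added here as an example and not part of the original advisory: it walks a directory tree (for instance an exported file share or a user's download folder) and flags any folder where a profile with one of the handled extensions sits next to a file named ncpmon2.dll or ncpwifi.dll. The sample tree is constructed, and the version check assumes plain "major.minor" version strings.

```python
"""Hunt for planted NCP DLLs next to VPN profile files (CWE-427).

Flags any directory holding a .pcf/.spd/.wge/.wgx profile together with a
file named ncpmon2.dll or ncpwifi.dll, i.e. a DLL that ncpmon.exe would pick
up from the current working directory when the profile is opened.
"""
import os
import tempfile
from pathlib import Path

TRIGGER_EXTS = {".pcf", ".spd", ".wge", ".wgx"}   # formats handled by ncpmon.exe
PLANTED_NAMES = {"ncpmon2.dll", "ncpwifi.dll"}    # DLL names loaded from CWD
FIXED_VERSION = (11, 1)                           # vendor states the fix is in 11.1


def scan_for_planted_dlls(root):
    """Return [(dll_path, [profile_paths])] for every suspicious directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}     # match DLL names case-insensitively
        profiles = [os.path.join(dirpath, f) for f in files
                    if os.path.splitext(f)[1].lower() in TRIGGER_EXTS]
        if not profiles:
            continue  # a stray DLL only matters where a profile would be opened
        for dll in sorted(PLANTED_NAMES & names.keys()):
            findings.append((os.path.join(dirpath, names[dll]), sorted(profiles)))
    return findings


def is_vulnerable_version(version):
    """True if the installed client version string predates the fixed release."""
    parts = tuple(int(p) for p in version.split(".")[:2])
    return parts < FIXED_VERSION


def build_sample_tree():
    """Constructed test layout, not real data: one planted share, one clean share."""
    root = tempfile.mkdtemp(prefix="ncp_hunt_")
    share = Path(root, "share")
    share.mkdir()
    (share / "office.pcf").write_text("[Profile]\n")   # profile a user may open
    (share / "NCPWIFI.DLL").write_bytes(b"MZ")         # planted, case differs
    clean = Path(root, "clean")
    clean.mkdir()
    (clean / "ncpmon2.dll").write_bytes(b"MZ")         # no profile here: not flagged
    return root


if __name__ == "__main__":
    for dll, profiles in scan_for_planted_dlls(build_sample_tree()):
        print(f"planted DLL {dll} next to {', '.join(profiles)}")
```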
--------------------
PoC:
--------------------
Create a malicious DLL with Metasploit, or write one and compile it from scratch.
Name it either ncpmon2.dll or ncpwifi.dll.
--------------------
Impact
--------------------
(Remote) code execution, e.g. the profile and DLL are loaded from a file share or received through e-mail or removable media.
User interaction is required: opening any of the targeted file formats.
ncpmon.exe has to be the default handler for these file types (true under a default installation).
-------------------
Timeline
-------------------
18/04/2018: Initial contact with vendor
25/06/2018: Vendor responds to mitigation suggestions and gives an update on patch development.
The vulnerability should be fixed in release 11.1.
26/07/2018: The following message is sent to all customers:
The versions of the following products – in the named version or older – will be discontinued with effect from January 1, 2019:
NCP Secure Entry Windows Client 10.0x
-------------------
Mitigation
-------------------
Download the latest version 11.x
https://www.ncp-e.com/en/service-resources/download-vpn-client/