Title: NCP-e Secure Entry VPN Client File Open DLL Planting RCE Author: sh4d0wman Date: 12/09/2018 CWE-427: Uncontrolled Search Path Element Impact: Code Execution Vendor: https://www.ncp-e.com/en/ Product: NCP Secure Entry Client for Windows Version: 10.13 Build: 38541 Tested on: Windows 7-x86, other versions likely vulnerable as well (W10 / x64 arch, not tested) -------------------- Description: -------------------- ncpmon.exe handles opening ".pcf" ".spd" ".wge" and ".wgx" file formats. During this process it attempts to load a non-existing DLL from CWD. An attacker can create and plant his own malicious DLL with a specific name in this location. This results in code-execution under "Current User" privileges. -------------------- PoC: -------------------- Create a malicious DLL with Metasploit or code and compile one from scratch. Name it either: ncpmon2.dll or ncpwifi.dll -------------------- Impact -------------------- (Remote) Code Execution, e.g. load from file-share / receive through e-mail or removable media User interaction is required: opening any of the targeted file formats. Ncpmon.exe has to be the default handler for these file-types. (true under default installation conditions) ------------------- Timeline ------------------- 18/04/2018: Initial contact with vendor 25/06/2018: Vendor responded to mitigation suggestions and gives an update on patch development. Vulnerability should be fixed in release 11.1 26/07/2018: The following message is sent to all customers: The versions of the following products – in the named version or older – will be discontinued with effect from January 1, 2019: NCP Secure Entry Windows Client 10.0x ------------------- Mitigation ------------------- Download the latest version 11.x https://www.ncp-e.com/en/service-resources/download-vpn-client/