Windows - NCP-e Secure Entry VPN Client - File Open DLL Planting RCE

Author: sh4d0wman (TH)
Risk: High
Local: Yes
Remote: No

Title: NCP-e Secure Entry VPN Client File Open DLL Planting RCE
Author: sh4d0wman
Date: 12/09/2018
CWE-427: Uncontrolled Search Path Element
Impact: Code Execution
Vendor:
Product: NCP Secure Entry Client for Windows
Version: 10.13 Build: 38541
Tested on: Windows 7-x86, other versions likely vulnerable as well (W10 / x64 arch, not tested)

--------------------
Description:
--------------------
ncpmon.exe handles opening the ".pcf", ".spd", ".wge" and ".wgx" file formats. During this process it attempts to load a non-existent DLL from the current working directory (CWD). An attacker can create and plant a malicious DLL with a specific name in this location. This results in code execution with "Current User" privileges.

--------------------
PoC:
--------------------
Create a malicious DLL with Metasploit, or write and compile one from scratch. Name it either:
ncpmon2.dll
or
ncpwifi.dll

--------------------
Impact
--------------------
(Remote) code execution, e.g. loaded from a file share or received through e-mail or removable media.
User interaction is required: opening any of the targeted file formats.
ncpmon.exe has to be the default handler for these file types (true under default installation conditions).

-------------------
Timeline
-------------------
18/04/2018: Initial contact with vendor
25/06/2018: Vendor responded to mitigation suggestions and gave an update on patch development. Vulnerability should be fixed in release 11.1
26/07/2018: The following message is sent to all customers: The versions of the following products – in the named version or older – will be discontinued with effect from January 1, 2019: NCP Secure Entry Windows Client 10.0x

-------------------
Mitigation
-------------------
Download the latest version 11.x
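Two defender-side checks for the DLL planting condition described above, added here as an example and not part of the original advisory: one flags Sysmon ImageLoad (Event ID 7) records in which ncpmon.exe loads one of the two plantable DLL names from outside its install directory, the other audits a file listing (e.g. a share) for a plantable DLL sitting next to a profile file. The install directory, the field names of the event records and all sample paths are assumptions or constructed data.

```python
import ntpath

# DLL names the advisory reports ncpmon.exe tries to load from its CWD
PLANTABLE_DLLS = {"ncpmon2.dll", "ncpwifi.dll"}
# File types handled by ncpmon.exe; opening one makes that file's folder the CWD
PROFILE_EXTS = {".pcf", ".spd", ".wge", ".wgx"}
# Assumed install directory (not given in the advisory); adjust to the local deployment
TRUSTED_DIRS = {r"c:\program files\ncp\secureclient"}


def is_suspicious_load(event):
    """Sysmon Event ID 7 (ImageLoad) check: ncpmon.exe loading a plantable DLL
    from anywhere other than its trusted install directory. Keys assumed: Image, ImageLoaded."""
    if ntpath.basename(event.get("Image", "")).lower() != "ncpmon.exe":
        return False
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() not in PLANTABLE_DLLS:
        return False
    return ntpath.dirname(loaded).lower() not in TRUSTED_DIRS


def find_planted_dlls(paths):
    """Share audit: plantable DLL names sitting in the same folder as a profile
    file, i.e. the layout the advisory's CWD search path relies on."""
    by_dir = {}
    for p in paths:
        by_dir.setdefault(ntpath.dirname(p).lower(), []).append(p)
    hits = []
    for files in by_dir.values():
        names = [ntpath.basename(f).lower() for f in files]
        if any(ntpath.splitext(n)[1] in PROFILE_EXTS for n in names):
            hits += [f for f, n in zip(files, names) if n in PLANTABLE_DLLS]
    return hits


# Constructed sample data, not real telemetry or a real share listing
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\NCP\SecureClient\ncpmon.exe",
     "ImageLoaded": r"C:\Program Files\NCP\SecureClient\ncpwifi.dll"},
    {"Image": r"C:\Program Files\NCP\SecureClient\ncpmon.exe",
     "ImageLoaded": r"\\fileserver\vpn\ncpwifi.dll"},
    {"Image": r"C:\Program Files\NCP\SecureClient\ncpmon.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\ncpmon2.dll"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\ncpmon2.dll"},
]
SAMPLE_LISTING = [
    r"\\fileserver\vpn\office.pcf", r"\\fileserver\vpn\ncpwifi.dll",
    r"\\fileserver\docs\ncpmon2.dll", r"\\fileserver\docs\readme.txt",
]
```

The ImageLoad check only fires once a planted DLL has actually been loaded, so the listing audit is the one to run ahead of time on shares and inbound attachment stores.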

