Windows - NCP-e Secure Entry VPN Client - File Open DLL Planting RCE

2018.09.14
sh4d0wman
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Title: NCP-e Secure Entry VPN Client File Open DLL Planting RCE
Author: sh4d0wman
Date: 12/09/2018
CWE-427: Uncontrolled Search Path Element
Impact: Code Execution
Vendor: https://www.ncp-e.com/en/
Product: NCP Secure Entry Client for Windows
Version: 10.13
Build: 38541
Tested on: Windows 7-x86, other versions likely vulnerable as well (W10 / x64 arch, not tested)

--------------------
Description:
--------------------
ncpmon.exe handles opening the ".pcf", ".spd", ".wge" and ".wgx" file formats. During this process it attempts to load a non-existent DLL from the current working directory (CWD), i.e. the directory of the opened file. An attacker can create and plant a malicious DLL with a specific name in this location. This results in code execution under "Current User" privileges.

--------------------
PoC:
--------------------
Create a malicious DLL with Metasploit, or write and compile one from scratch. Name it either:
ncpmon2.dll
or
ncpwifi.dll

--------------------
Impact
--------------------
(Remote) Code Execution, e.g. loaded from a file share, or received through e-mail or removable media.
User interaction is required: opening any of the targeted file formats.
ncpmon.exe has to be the default handler for these file types (true under default installation conditions).

-------------------
Timeline
-------------------
18/04/2018: Initial contact with vendor
25/06/2018: Vendor responded to mitigation suggestions and gave an update on patch development. Vulnerability should be fixed in release 11.1
26/07/2018: The following message is sent to all customers: The versions of the following products – in the named version or older – will be discontinued with effect from January 1, 2019: NCP Secure Entry Windows Client 10.0x

-------------------
Mitigation
-------------------
Download the latest version 11.x
https://www.ncp-e.com/en/service-resources/download-vpn-client/
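As an added detection example (not part of the advisory or of NCP's software), the following Python flags the behaviour described above in image-load telemetry: ncpmon.exe resolving ncpmon2.dll or ncpwifi.dll from any directory other than its own install directory. The process and DLL names come from the advisory; the `|`-separated key=value event format, the install path `C:\Program Files\NCP\SecureClient`, and the sample events are constructed here to mimic Sysmon Event ID 7 (ImageLoad) records and are not real telemetry.

```python
"""Detect DLL planting against ncpmon.exe from image-load events.

The advisory says ncpmon.exe tries to load a DLL that does not exist in
its install directory, so the loader falls through to the CWD (the
directory of the opened .pcf/.spd/.wge/.wgx file). Any load of one of
the two names from outside the install directory is therefore a signal.
"""
import ntpath
from typing import Dict, List

# Names taken from the advisory.
HANDLER_EXE = "ncpmon.exe"
PLANTABLE_DLLS = {"ncpmon2.dll", "ncpwifi.dll"}

# Constructed sample events in a Sysmon EID 7 style (key=value fields,
# '|'-separated because Windows paths contain spaces). The install path
# is an assumption; the advisory does not state it.
SAMPLE_EVENTS = [
    r"EventID=7|Image=C:\Program Files\NCP\SecureClient\ncpmon.exe"
    r"|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    # Same-directory load: treated as legitimate, not flagged.
    r"EventID=7|Image=C:\Program Files\NCP\SecureClient\ncpmon.exe"
    r"|ImageLoaded=C:\Program Files\NCP\SecureClient\ncpmon2.dll|Signed=true",
    # Profile opened from a file share: DLL resolved from the share.
    r"EventID=7|Image=C:\Program Files\NCP\SecureClient\ncpmon.exe"
    r"|ImageLoaded=\\fileshare\profiles\ncpwifi.dll|Signed=false",
    # Profile opened from removable media.
    r"EventID=7|Image=C:\Program Files\NCP\SecureClient\ncpmon.exe"
    r"|ImageLoaded=E:\ncpmon2.dll|Signed=false",
    # Same DLL name loaded by a different process: out of scope here.
    r"EventID=7|Image=C:\Windows\explorer.exe"
    r"|ImageLoaded=E:\ncpmon2.dll|Signed=false",
    # Process-creation event, not an image load.
    r"EventID=1|Image=C:\Program Files\NCP\SecureClient\ncpmon.exe"
    r"|CommandLine=ncpmon.exe E:\vpn.pcf",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one '|'-separated key=value record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_planted_load(event: Dict[str, str]) -> bool:
    """True when ncpmon.exe loads a plantable DLL from outside its own directory."""
    if event.get("EventID") != "7":
        return False
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(image).lower() != HANDLER_EXE:
        return False
    if ntpath.basename(loaded).lower() not in PLANTABLE_DLLS:
        return False
    # Only a DLL sitting next to the executable is considered legitimate;
    # a CWD, UNC share or removable-media path is the planting case.
    return ntpath.dirname(loaded).lower() != ntpath.dirname(image).lower()


def find_planted_loads(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the planting pattern."""
    return [ev for ev in map(parse_event, lines) if is_planted_load(ev)]


def describe(event: Dict[str, str]) -> str:
    """One-line alert text for a matching event."""
    signed = event.get("Signed", "unknown")
    return (f"{ntpath.basename(event['Image'])} loaded "
            f"{event['ImageLoaded']} (Signed={signed})")


if __name__ == "__main__":
    for hit in find_planted_loads(SAMPLE_EVENTS):
        print("ALERT:", describe(hit))
```

Run against the samples, the two loads from the UNC share and from `E:\` are reported and the in-place load from the install directory is not. Pairing this with a process-creation event showing a `.pcf`/`.spd`/`.wge`/`.wgx` argument on the same host narrows it further, and the `Signed=false` field is a useful secondary indicator since a planted DLL is unlikely to carry the vendor's signature.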

References:

https://www.ncp-e.com/en/service-resources/download-vpn-client/


Copyright 2018, cxsecurity.com