NCP ncprwsnt安全客户端多重漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1195889 漏洞类型
发布时间 2006-03-02 更新时间 2006-03-03
CVE编号 CVE-2006-0968 CNNVD-ID CNNVD-200603-013
漏洞平台 N/A CVSS评分 7.2
|漏洞来源
https://cxsecurity.com/issue/WLB-2006030024
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-013
|漏洞详情
在NCP网络通信安全客户端8.11Build146(可能其它版本)中的ncprwsnt服务,允许本地用户执行任意代码通过修改connect.bat脚本,从而连接建立后被服务自动执行。
|漏洞EXP
Application: NCP VPN/PKI Client
Site:        http://www.ncp.de
Version:     8.11, Build 146 and maybe lower
OS:          Windows
Bugs:        Local Privilige Escalation, DoS and other

Product:
========
NCP's Secure Communications provides a comprehensive portfolio of
products for implementing total solutions for high-security remote
access. These software-based products comply fully with all current
major technology standards for communication and encryption, as defined
by the IETF (Internet Engineering Task Force) and ITU (International
Telecommunication Union). Consequently all products can be smoothly
integrated into any existing network and communication architectures.
Your Internet infrastructure, which may already consist of third-party
security and access components, can be further used without changes ?
thus avoiding any unnecessary administrative costs.

About:
======

I found a few Bugs/Problems in the NCP VPN/PKI Client. If you read this
post you probably notice that this list of errors and bugs is just the
result of some really short tests. I'm *really* sure that there are
still some nice bugs.

1.: - Unnamed
===============================
If you create a rule using the Client Firewall you're able to bind an
application to this rule. Unfortunately no hash value (for instance)
will be created for this application. So you can easily pick another
application, put it into the directory, rename it and use it with this
rule.

VENDOR RESPONSE:
NCP is aware about this problem. A later version of the client will
come with a hash-function.

2.: - Buffer Overflow with Privilege Escalation (some sort of), DoS
===================================================================
Some of the installed applications didn't like it to start with a large
amount of arguments.

example 1:
In my current test-configuration I'm not able to go to or configure
'IPSec' in the menu 'configuration'. If I run 'ncpmon.exe' with >=261
characters I get a slightly different gui. And it's not only the gui
which is different. Now I'm able to go to the 'IPSec' menu and
configure the settings.

example 2:
Run 'ncprwsnt.exe' with enough arguments and your cpu utilization will
raise 100%.

VENDOR RESPONSE:
NCP is currently checking this problem(s).

3: - DoS, remote
================
I picked the first DoS code I found, tried it and was surprised that
this old piece of code is still working. Using the 'ZoneAlarm remote
Denial Of Service exploit'[1] it's possible to raise the memory usage
and the cpu utilization. Let it run for 1-2 minutes and you will notify
the decreasing speed of your machine. And at least it's possible to
make it impossible for you to continue working with the pc.

VENDOR RESPONSE:
NCP is currently checking this problem(s).

4: - Local Privilege Escalation
===============================
One feature of the client is that you can execute a script called
'connect.bat' after you established a connection with your vpn-gateway.
The script isn't executed by the client, but by the service 'ncprwsnt'
which runs with the local system account. So add a little script in the
program dir of the NCP VPN/PKI Client with a nice 'net user /add' and
'net localgroup /add' mix to escalate your privileges.

VENDOR RESPONSE:
This 'Feature' is known to NCP. A couple of customers are using exactly
this functionality. A new relase of the NCP VPN/PKI Client, which will
arrive in the next few weeks, will fix this 'problem'.

History:
========
2006-02-13: Found the Bugs
2006-02-15: Mailed the vendor
2006-02-16: The vendor replied

Thanks to the really nice and cool support from ncp :)

ports

[1] http://cert.uni-stuttgart.de/archive/bugtraq/2003/09/msg00020.html

--
SYS 64767
|参考资料

来源:BID
名称:16906
链接:http://www.securityfocus.com/bid/16906
来源:BUGTRAQ
名称:20060301NCPVPN/PKIClient-variousBugs
链接:http://www.securityfocus.com/archive/1/archive/1/426480/100/0/threaded
来源:XF
名称:ncp-connect-command-execution(25251)
链接:http://xforce.iss.net/xforce/xfdb/25251
来源:SREASON
名称:524
链接:http://securityreason.com/securityalert/524
来源:SECUNIA
名称:19082
链接:http://secunia.com/advisories/19082
来源:FULLDISC
名称:20060301NCPVPN/PKIClient-variousBugs
链接:http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/042640.html