usd-2020-0038 | NCP Secure Enterprise Windows Client 10.14

Advisory ID: usd-2020-0038
CVE Number: CVE-2020-11474
Affected Product: NCP Secure Enterprise Windows Client 
Affected Version: 10.14
Vulnerability Type: Privileged File Write
Security Risk: Critical
Vendor URL: https://www.ncp-e.com
Vendor Status: Fixed in 10.15 r47589

Description

Symbolic link attacks have become more and more popular on Windows operating systems. A symbolic link is just a directory entry that points to a different location of the file system and redirects certain file operations to the actual target. When privileged processes interact with user controlled parts of the file system, symbolic links can be used to redirect privileged file operations in order to achieve an elevation of privileges. However, it should be noticed that low privileged user accounts are not able to create symbolic links that connect two ordinary file system locations. That being said, there is a workaround that allows the creation of pseudo symbolic links, as demonstrated by James Forshaw.

Proof of Concept (PoC)

The NCP Secure Enterprise client allows low privileged user accounts to issue an operation with name Support Assistent. When this operation is used, several files get written to a user controlled path of the file system and some of these files are written with administrative privileges. In the following only the Mobile Network Support flag is used during the export, which only generates a single file:

Since the directory is user controlled, the low privileged user can create a symbolic link to another location of the file system. After the Support Assistent function is used again, the targeted file gets written with administrative privileges.

Apart from Denial of Service attacks, attackers could use this vulnerability for local privilege escalations, since parts of the file contents are user controlled.

Fix

Privileged file operations on user controlled parts of the file system should be treated with special care. If possible, privileged file writes should only target protected locations on the file system. Moreover, the privileged process itself can implement different mitigations like impersonation or inspecting targeted files for filesystem links.

References

Timeline

  • 2020-03-31 This vulnerability was found by Tobias Neitzel during a pentest
  • 2020-04-01 Initial contact request via info-mv@ncp-e.com
  • 2020-04-03 Submit Advisory to vendor
  • 2020-05-28 vendor publishes fix in NCP Secure Enterprise Client 10.15 r47589
  • 2020-06-18 Security advisory released

Credits

This security vulnerability was found by Tobias Neitzel of usd AG

ABOUT usd SECURITY ADVISORIES

In order to protect businesses against hackers and criminals, we always have to keep our skills and knowledge up to date. Thus, security research is just as important for our work as is building up a security community to promote the exchange of knowledge. After all, more security can only be achieved if many individuals take on the task.

Our CST Academy and our usd HeroLab are essential parts of our security mission. We share the knowledge we gain in our practical work and our research through training courses and publications. In this context, the usd HeroLab publishes a series of papers on new vulnerabilities and current security issues.

Always for the sake of our mission: „more security.“

to usd AG


In accordance with usd AG’s Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities.

Disclaimer

The information provided in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.