Windows - NCP-e Secure Entry VPN Client - File Open DLL Planting RCE

CVE: CVE-2021-40574
Category: CWE-427
Price: $25,000
Severity: High
Author: N/A
Risk: High
Exploitation Type: Local
Date: 2018-09-14
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018090127

Below is a copy:

Title: NCP-e Secure Entry VPN Client File Open DLL Planting RCE
Author: sh4d0wman
Date: 12/09/2018
CWE-427: Uncontrolled Search Path Element 
Impact: Code Execution 
Vendor: https://www.ncp-e.com/en/
Product: NCP Secure Entry Client for Windows
Version: 10.13 Build: 38541
Tested on: Windows 7-x86, other versions likely vulnerable as well (W10 / x64 arch, not tested)

--------------------
Description:
--------------------
ncpmon.exe handles opening the ".pcf", ".spd", ".wge" and ".wgx" file formats.
During this process it attempts to load a non-existent DLL from the current working directory (CWD).
An attacker can create and plant their own malicious DLL with a specific name in this location.
This results in code execution under "Current User" privileges.

--------------------
PoC: 
--------------------
Create a malicious DLL with Metasploit, or code and compile one from scratch.
Name it either ncpmon2.dll or ncpwifi.dll.

-------------------- 
Impact
--------------------
(Remote) code execution, e.g. when the files are loaded from a file share or received through e-mail or removable media.
User interaction is required: the user must open one of the targeted file formats.
ncpmon.exe has to be the default handler for these file types (true under default installation conditions).

-------------------
Timeline
-------------------
18/04/2018: Initial contact with vendor

25/06/2018: Vendor responded to mitigation suggestions and gave an update on patch development.
The vulnerability should be fixed in release 11.1.

26/07/2018: The following message is sent to all customers:
The versions of the following products, in the named version or older, will be discontinued with effect from January 1, 2019:
NCP Secure Entry Windows Client 10.0x

-------------------
Mitigation
-------------------
Download the latest version 11.x
https://www.ncp-e.com/en/service-resources/download-vpn-client/
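
A defensive check for the condition described above, added here as an example (it is not part of the original advisory or of any NCP tooling): it walks a directory tree, such as a file share or download folder, and reports every directory where ncpmon2.dll or ncpwifi.dll sits beside a .pcf, .spd, .wge or .wgx file. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# File types handled by ncpmon.exe and the DLL names it looks for in the
# current working directory (both sets are taken from the advisory).
PROFILE_EXTS = {".pcf", ".spd", ".wge", ".wgx"}
PLANTED_DLLS = {"ncpmon2.dll", "ncpwifi.dll"}


def find_planting_candidates(root):
    """Return sorted (directory, dlls, profiles) tuples for each directory
    under root that holds a watched DLL name next to a handled file type."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Windows file names are case-insensitive, so compare lower-cased.
        dlls = sorted(f for f in filenames if f.lower() in PLANTED_DLLS)
        profiles = sorted(
            f for f in filenames
            if os.path.splitext(f)[1].lower() in PROFILE_EXTS
        )
        # Opening the file makes its directory the CWD, so only
        # co-location of both file kinds is reported.
        if dlls and profiles:
            findings.append((dirpath, dlls, profiles))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample layout made of empty placeholder files."""
    layout = {
        "share/vpn-profiles": ["office.pcf", "NCPWIFI.DLL"],  # flagged
        "share/docs": ["readme.txt", "ncpmon2.dll"],  # DLL, no handled file
        "downloads": ["home.wgx", "notes.txt"],  # handled file, no DLL
    }
    for rel, names in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(path)
        for name in names:
            open(os.path.join(path, name), "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, dlls, profiles in find_planting_candidates(tmp):
            print(f"{directory}: {dlls} next to {profiles}")
```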
