Application: NCP VPN/PKI Client
Site: http://www.ncp.de
Version: 8.30, Build 59 and maybe lower
OS: Windows
Possible problem: UDP Bypassing
Product:
========
NCP's Secure Communications provides a comprehensive portfolio of
products for implementing total solutions for high-security remote
access. These software-based products comply fully with all current
major technology standards for communication and encryption, as defined
by the IETF (Internet Engineering Task Force) and ITU (International
Telecommunication Union). Consequently all products can be smoothly
integrated into any existing network and communication architectures.
Your Internet infrastructure, which may already consist of third-party
security and access components, can be further used without changes -
thus avoiding any unnecessary administrative costs.
About:
=====
The NCP VPN/PKI Client includes two 'firewalls': the 'Link Firewall'
and some sort of 'personal firewall'. The function of the 'Link
Firewall' is to prevent any traffic between an untrusted net and an
active VPN connection. The 'Link Firewall' can only be turned on or
off. The 'personal firewall' can be configured with rules like those
you probably know from other similar personal firewalls.
For my tests I activated the 'Link Firewall' and configured the
'personal firewall' to prevent any in- or outbound traffic.
UDP Bypassing, both directions
=====
During some configuration tests for the NCP VPN/PKI Client I noticed
that the machine still received an IP address via DHCP, although both
firewalls were enabled. So I did some research and figured out that it's
possible to send and receive data from and to another machine. On the
client with the NCP VPN/PKI Client installed you have to use port 68
(UDP, sending and receiving) and on the 'other side' you have to use
port 67 (UDP, sending and receiving).
For testing I wrote a little Perl script which looks so unbelievably
embarrassing that I'd better show how to use the bug using hping ;)
So to send something to the machine secured with the NCP VPN/PKI Client
use hping like this.
hping.exe -2 -c 1 -s 67 -p 68 -e "You should've never gone to Hollywood" $TARGET
To send data from the machine with the NCP VPN/PKI Client to another pc
use hping like this.
hping.exe -2 -c 1 -s 68 -p 67 -e "You should've never trusted Hollywood" $TARGET
This will also work if you're connected to a VPN.
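The behaviour above amounts to a port-based exception for DHCP (UDP 67/68) that does not look at the payload. The following is an added example, not part of the original advisory and not NCP's code: a monitoring-side check that flags datagrams on the DHCP ports that are not well-formed DHCP per RFC 2131. The function names and sample payloads are constructed for illustration.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie
FIXED_LEN = 236                   # BOOTP fixed header precedes the cookie

def classify(src_port, dst_port, payload):
    """Classify one UDP datagram: 'other', 'dhcp' or 'suspicious:<reason>'."""
    if {src_port, dst_port} != {67, 68}:
        return "other"
    if len(payload) < FIXED_LEN + len(DHCP_MAGIC):
        return "suspicious:too-short"
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[:4])
    if op not in (1, 2):
        return "suspicious:bad-op"
    # Clients (port 68) send BOOTREQUEST (1); servers (port 67) send BOOTREPLY (2).
    if src_port != (68 if op == 1 else 67):
        return "suspicious:wrong-direction"
    if hlen > 16:
        return "suspicious:bad-hlen"
    if payload[FIXED_LEN:FIXED_LEN + 4] != DHCP_MAGIC:
        return "suspicious:no-magic-cookie"
    i, has_type = FIXED_LEN + 4, False
    while i < len(payload):
        code = payload[i]
        if code == 255:          # End option terminates the options field
            break
        if code == 0:            # Pad option is a single byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            return "suspicious:truncated-option"
        if code == 53 and payload[i + 1] == 1:   # DHCP Message Type
            has_type = True
        i += 2 + payload[i + 1]
    else:
        return "suspicious:no-end-option"
    return "dhcp" if has_type else "suspicious:no-message-type"

def build_discover():
    """Constructed minimal DHCPDISCOVER (sample data, not a capture)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
    hdr += bytes(16)                                  # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex("020000000001") + bytes(10)  # chaddr padded to 16 bytes
    hdr += bytes(64 + 128)                            # sname, file
    return hdr + DHCP_MAGIC + bytes([53, 1, 1, 255])

if __name__ == "__main__":
    print(classify(68, 67, build_discover()))             # well-formed DHCP
    print(classify(67, 68, b"constructed text payload"))  # arbitrary data on DHCP ports
```

The check is structural only: it separates DHCP from arbitrary data on ports 67/68 and says nothing about whether a well-formed message comes from a legitimate server.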
History:
========
2006-05-12: Found the possible problems
2006-05-16: Mailed the vendor, no response
2006-05-22: Mailed the vendor again
2006-05-23: The vendor replied
2006-05-26: The vendor replied with technical details
ports
--
SYS 64767