NTA Monitor

Nortel Windows VPN client password disclosure

NTA Monitor have discovered a password disclosure issue in the Nortel Windows VPN client: The Nortel VPN client stores the VPN passwords in an obfuscated form in the Windows registry, but it also stores the unencrypted passwords in process memory. Both the user password and the group password (if group authentication is being used) are visible.

This issue occurs when either "Username and Password Authentication" or "Group Security Authentication" are used, and the user selects the "Save Password" option. The "Digital Certificate Authentication" method is not affected.

Overview

While performing a VPN test for a customer in October 2004, NTA Monitor discovered that the VPN client that was being used stored the VPN password (pre-shared key) unencrypted in the memory of the process "Extranet.exe". It was possible to recover the password by dumping the process memory to a file with PMDump or by crashing the system to obtain a physical memory dump using a crash on demand utility such as Bang.

In the memory dump, the plain-text passwords appear near to the associated user name or group name, which makes them easy to locate. It would be simple to write a tool to extract the user name, group name and associated passwords from a memory dump file.

The vulnerability allows anyone with access to the client system to obtain the password. It may also allow anyone who has access to the obfuscated password in the client registry to use the VPN client to obtain the corresponding plain-text password, although this has not been tested.

The issue was found in version 5.01 of the Windows Contivity VPN client, dated October 2004. It is suspected that earlier versions are also vulnerable, although this has not been tested. The Linux version of the Multi-OS client does not appear to be vulnerable, because it does not seem to allow the password to be saved. Presumably the Multi-OS clients for other operating systems (MacOS, HP-UX, etc.) are also not vulnerable.

Details

Below is a screenshot of the VPN client application, which is used to configure the VPN client. Part of the configuration is the user name and password. In this example, we use the user name "royhills@hotmail.com" and the password "Str0ng$Passw0rd", and we have selected the "Save Password" checkbox.

[Security Policy]

It is also possible to configure group authentication in addition to user authentication. In this example, we enable group authentication using the group name "VPN_Users" and the group password "Gr0up$Passw0rd".

[Entering PSK]

The user password and group password are stored in the registry in an obfuscated format. Below is a screenshot showing the password registry entries: "Errors" is the user password, and "GroupErrors" is the group password. Presumably these non-obvious names were chosen for obscurity.

[Registry Editor]

The VPN client process is "Extranet.exe", which is shown in the screenshot below.

[Process list]

PMDump can be used to copy the contents of the Extranet.exe process memory to a file as shown below. Alternatively it is possible to crash the operating system to obtain a physical memory dump file, which will also contain the password. The screenshot below shows pmdump being used to generate a process memory dump file.

[Memory Dump]

The process memory dump file can then be viewed to discover the password. In this example, we use Microsoft Word 2000 to view the file. We can see the user name "royhills@hotmail.com", the group name "VPN_Users", the group password "Gr0up$Passw0rd", and the user password "Str0ng$Passw0rd". The names and passwords have been highlighted.

[Viewing a memory dump]
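The Overview notes that the passwords sit near the associated user or group name in the dump, and the step above confirms it by eye in Word. The following is an added example (not NTA Monitor's tool or the advisory's own code) that automates that same self-check against a dump of your own test client: given the credential you configured, it reports whether and where it appears in the clear, and lists the printable strings next to a known name. The UTF-16LE search is an assumption added here for wide-string Windows processes; the advisory only shows ASCII. The sample dump is constructed inline from the advisory's test values.

```python
"""Audit a process memory dump for a saved VPN credential stored in the clear."""
import re
from typing import List, Tuple


def encodings(text: str) -> List[Tuple[str, bytes]]:
    """Byte forms a Windows process may hold a string in.
    UTF-16LE is an assumption added here; the advisory shows ASCII only."""
    return [("ascii", text.encode("ascii")), ("utf-16le", text.encode("utf-16-le"))]


def find_credential(dump: bytes, secret: str) -> List[Tuple[int, str]]:
    """Return every (offset, encoding) at which `secret` occurs verbatim in `dump`."""
    hits: List[Tuple[int, str]] = []
    for name, needle in encodings(secret):
        start = 0
        while (pos := dump.find(needle, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


_PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII bytes


def strings_near(dump: bytes, marker: str, window: int = 64) -> List[str]:
    """Printable ASCII runs within `window` bytes of each ASCII occurrence of
    `marker` (a user or group name), excluding the marker itself. Mirrors the
    advisory's observation that each password lies close to its name."""
    found: List[str] = []
    for pos, enc in find_credential(dump, marker):
        if enc != "ascii":  # wide-string context is not inspected in this example
            continue
        lo, hi = max(0, pos - window), pos + len(marker) + window
        for m in _PRINTABLE.finditer(dump[lo:hi]):
            s = m.group().decode("ascii")
            if s != marker and s not in found:
                found.append(s)
    return found


# Constructed sample dump (not a real capture): filler bytes around the names and
# passwords used in the advisory, each password stored just after its name.
SAMPLE_DUMP = (b"\x00" * 40 + b"royhills@hotmail.com\x00\x00Str0ng$Passw0rd\x00"
               + b"\xff" * 60 + b"VPN_Users\x00Gr0up$Passw0rd\x00" + b"\x00" * 40)

if __name__ == "__main__":
    for name in ("royhills@hotmail.com", "VPN_Users"):
        print(name, "->", strings_near(SAMPLE_DUMP, name))
    print("user password exposed at:", find_credential(SAMPLE_DUMP, "Str0ng$Passw0rd"))
```

Run it against a real dump by replacing `SAMPLE_DUMP` with the file contents; an empty result from `find_credential` for your configured password is the expected outcome on a client that no longer has this flaw.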

Here is the output from "Help -> About Contivity VPN Client" for the version that we used in our testing:

[About screen on VPN client]

Further Information

This issue is one example of a VPN security flaw that NTA Monitor have discovered while performing VPN security testing. We have also published a white paper which discusses the general security issues that we have found to be associated with remote access IPsec VPNs. You can download a copy of this white paper from the following URL:

http://www.nta-monitor.com/posts/2005/01/vpn-flaws.html

This advisory was first released on 1st March 2005.