Nortel Windows VPN client password disclosure

NTA Monitor have discovered a password disclosure issue in the Nortel Windows VPN client. The client stores saved VPN passwords in an obfuscated form in the Windows registry, but it also holds the unencrypted passwords in process memory. Both the user password and the group password (if group authentication is being used) are visible.

This issue occurs when either "Username and Password Authentication" or "Group Security Authentication" is used and the user selects the "Save Password" option. The "Digital Certificate Authentication" method is not affected.

Overview

While performing a VPN test for a customer in October 2004, NTA Monitor discovered that the VPN client in use stored the VPN passwords (the user password and the group pre-shared key) unencrypted in the memory of the process "Extranet.exe". The passwords could be recovered by dumping the process memory to a file with PMDump, or by crashing the system to obtain a physical memory dump using a crash-on-demand utility such as Bang.

In the memory dump, the plain-text passwords appear close to the associated user name or group name, which makes them easy to locate. It would be simple to write a tool to extract the user name, group name and associated passwords from a memory dump file.

The vulnerability allows anyone with access to the client system to obtain the passwords. It may also allow anyone who has access to the obfuscated password in the client registry to use the VPN client to obtain the corresponding plain-text password, although this has not been tested.

The issue was found in version 5.01 of the Windows Contivity VPN client, dated October 2004. It is suspected that earlier versions are also vulnerable, although this has not been tested. The Linux version of the Multi-OS client does not appear to be vulnerable, because it does not seem to allow the password to be saved. Presumably the Multi-OS clients for other operating systems (Mac OS, HP-UX, etc.) are also not vulnerable.

Details

Below is a screenshot of the VPN client's configuration dialog. Part of the configuration is the user name and password. In this example, we use the user name "royhills@hotmail.com" and the password "Str0ng$Passw0rd", and we have selected the "Save Password" checkbox.

[Security Policy]

It is also possible to configure group authentication in addition to user authentication. In this example, we enable group authentication using the group name "VPN_Users" and the group password "Gr0up$Passw0rd".

[Entering PSK]

The user password and group password are stored in the registry in an obfuscated format. Below is a screenshot showing the password registry entries: "Errors" is the user password, and "GroupErrors" is the group password. Presumably these non-obvious names were chosen for obscurity.

[Registry Editor]

The VPN client process is "Extranet.exe", which is shown in the screenshot below.

[Process list]

PMDump can be used to copy the contents of the Extranet.exe process memory to a file, as shown in the screenshot below. Alternatively, it is possible to crash the operating system to obtain a physical memory dump file, which will also contain the passwords.

[Memory Dump]

The process memory dump file can then be viewed to discover the password. In this example, we use Microsoft Word 2000 to view the file. We can see the user name "royhills@hotmail.com", the group name "VPN_Users", the group password "Gr0up$Passw0rd", and the user password "Str0ng$Passw0rd". The names and passwords have been highlighted.

[Viewing a memory dump]

Here is the output from "Help -> About Contivity VPN Client" for the version that we used in our testing:

[About screen on VPN client]

Further Information

This issue is one example of a VPN security flaw that NTA Monitor have discovered while performing VPN security testing. We have also published a white paper which discusses the general security issues that we have found to be associated with remote access IPsec VPNs. You can download a copy of this white paper from the following URL:

http://www.nta-monitor.com/posts/2005/01/vpn-flaws.html

This advisory was first released on 1st March 2005.