NTA Monitor

Nortel Windows VPN client password disclosure

NTA Monitor have discovered a password disclosure issue in the Nortel Windows VPN client: the client stores the VPN passwords in an obfuscated form in the Windows registry, but it also holds the unencrypted passwords in process memory. Both the user password and the group password (if group authentication is being used) are visible.

This issue occurs when either "Username and Password Authentication" or "Group Security Authentication" are used, and the user selects the "Save Password" option. The "Digital Certificate Authentication" method is not affected.

Overview

While performing a VPN test for a customer in October 2004, NTA Monitor discovered that the VPN client that was being used stored the VPN password (pre-shared key) unencrypted in the memory of the process "Extranet.exe". It was possible to recover the password by dumping the process memory to a file with PMDump, or by crashing the system to obtain a physical memory dump using a crash-on-demand utility such as Bang.

In the memory dump, the plain-text passwords appear near to the associated user name or group name, which makes them easy to locate. It would be simple to write a tool to extract the user name, group name and associated passwords from a memory dump file.

The vulnerability allows anyone with access to the client system to obtain the password. It may also allow anyone who has access to the obfuscated password in the client registry to use the VPN client to obtain the corresponding plain-text password, although this has not been tested.

The issue was found in version 5.01 of the Windows Contivity VPN client, dated October 2004. It is suspected that earlier versions are also vulnerable, although this has not been tested. The Linux version of the Multi-OS client does not appear to be vulnerable, because it does not seem to allow the password to be saved. Presumably the Multi-OS clients for other operating systems (MacOS, HP-UX, etc.) are also not vulnerable.

Details

Below is a screenshot of the VPN client application, which is used to configure the VPN client. Part of the configuration is the user name and password. In this example, we use the user name "royhills@hotmail.com" and the password "Str0ng$Passw0rd", and we have selected the "Save Password" checkbox.

[Security Policy]

It is also possible to configure group authentication in addition to user authentication. In this example, we enable group authentication using the group name "VPN_Users" and the group password "Gr0up$Passw0rd".

[Entering PSK]

The user password and group password are stored in the registry in an obfuscated format. Below is a screenshot showing the password registry entries: "Errors" is the user password, and "GroupErrors" is the group password. Presumably these non-obvious names were chosen for obscurity.

[Registry Editor]

The VPN client process is "Extranet.exe", which is shown in the screenshot below.

[Process list]

PMDump can be used to copy the contents of the Extranet.exe process memory to a file as shown below. Alternatively it is possible to crash the operating system to obtain a physical memory dump file, which will also contain the password. The screenshot below shows pmdump being used to generate a process memory dump file.

[Memory Dump]

The process memory dump file can then be viewed to discover the password. In this example, we use Microsoft Word 2000 to view the file. We can see the user name "royhills@hotmail.com", the group name "VPN_Users", the group password "Gr0up$Passw0rd", and the user password "Str0ng$Passw0rd". The names and passwords have been highlighted.

[Viewing a memory dump]
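The same inspection can be done as a repeatable audit: given a process memory dump and a credential that the administrator already knows (their own test account), check whether that saved secret appears in plain text and whether it sits close to the associated user or group name, which is what makes it easy to spot in the screenshot above. The script below is an added example and is not NTA Monitor's tool; the dump bytes are constructed to mimic the layout the advisory describes, and it checks both 8-bit and UTF-16LE string encodings since a Windows process may hold text in either form.

```python
"""Audit check: does a process memory dump contain a known saved VPN
password in plain text?  Added example, not NTA Monitor's code; the dump
bytes below are constructed, not taken from a real Extranet.exe process."""
import re


def encodings(secret: str) -> dict:
    """Windows processes may hold strings as 8-bit or UTF-16LE text."""
    return {"ascii": secret.encode("latin-1"),
            "utf-16le": secret.encode("utf-16-le")}


def find_secret(dump: bytes, secret: str) -> list:
    """Return (encoding, offset) pairs where `secret` appears verbatim."""
    hits = []
    for name, needle in encodings(secret).items():
        for m in re.finditer(re.escape(needle), dump):
            hits.append((name, m.start()))
    return hits


def audit_dump(dump: bytes, identity: str, password: str, window: int = 256) -> dict:
    """Report whether `password` leaks, and which hits lie within `window`
    bytes of `identity` (the user or group name), as the advisory observed."""
    pw_hits = find_secret(dump, password)
    id_hits = find_secret(dump, identity)
    near = [(enc, off) for enc, off in pw_hits
            if any(abs(off - ioff) <= window for _, ioff in id_hits)]
    return {"leaked": bool(pw_hits), "hits": pw_hits, "near_identity": near}


# Constructed sample "process memory": filler, a UTF-16LE user name followed
# shortly by its password, then an 8-bit group name and group password.
SAMPLE_DUMP = (
    b"\x00" * 64
    + "royhills@hotmail.com".encode("utf-16-le") + b"\x00" * 8
    + "Str0ng$Passw0rd".encode("utf-16-le") + b"\x00" * 64
    + b"VPN_Users\x00\x00Gr0up$Passw0rd\x00" + b"\xff" * 32
)

if __name__ == "__main__":
    for who, pw in (("royhills@hotmail.com", "Str0ng$Passw0rd"),
                    ("VPN_Users", "Gr0up$Passw0rd")):
        print(who, audit_dump(SAMPLE_DUMP, who, pw))
```

To run it against a real PMDump output, read the file with `open(path, "rb").read()` and pass it in place of `SAMPLE_DUMP`; a "leaked" result means the client has not cleared the saved credential from memory.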

Here is the output from "Help -> About Contivity VPN Client" for the version that we used in our testing:

[About screen on VPN client]

Further Information

This issue is one example of a VPN security flaw that NTA Monitor have discovered while performing VPN security testing. We have also published a white paper which discusses the general security issues that we have found to be associated with remote access IPsec VPNs. You can download a copy of this white paper from the following URL:

http://www.nta-monitor.com/posts/2005/01/vpn-flaws.html

This advisory was first released on 1st March 2005.