Avaya VPNRemote VPN Client Password Disclosure Issue
Summary
NTA Monitor have discovered a password disclosure issue in the Avaya VPNRemote VPN client: VPNRemote stores all user credentials (username and password) in clear-text in the process memory. Such vulnerability was found on August 24, 2005.
This issue occurs regardless of whether the "Save Password" feature is enabled or not.
Overview
NTA Monitor discovered that the VPNRemote client was loading all the credentials unencrypted in the memory of the process "VPNremote.exe". It was possible to recover the password by dumping the process memory to a file with PMDump.
The vulnerability allows anyone with access to the client system to obtain the username and password along with all the other settings required to establish a successful VPN connection. Additionally, this vulnerability could also be exploited by fooling the user to execute malicious code which would dump the memory of the process "VPNremote.exe".
It is also worth mentioning that some times, no direct user interaction is required for the execution of malicious code. Crackers often exploit vulnerabilities in web browsers and email clients that allows them to execute malicious code on the victim's machine without requiring the user to manually execute the trojaned executable. This means that given the right scenario, this vulnerability present in VPNRemote could be exploited in such a way.
Details
After examining the memory dump of the process "VPNremote.exe" with a hexadecimal editor, the username seems to appear 9 different times and the password 2 times. Below is a screenshot of the process memory dump showing the username and password in the clear. In this case the username is "testusername" and the password is "testpass".
![[Screenshot]](vpnremote-clear-text-credentials.jpg)
Further Information
VPNRemote can be downloaded for free from http://support.avaya.com/vpn/vpnreg.jhtml
This advisory was first released on 23rd November 2005.