[NT] SafeNet SoftRemote VPN Client Clear-text Password in Memory

Subject: [NT] SafeNet SoftRemote VPN Client Clear-text Password in Memory
Date: 14 Feb 2005 14:02:00 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  SafeNet SoftRemote VPN Client Clear-text Password in Memory
------------------------------------------------------------------------


SUMMARY

NTA Monitor have discovered a password disclosure issue in the SafeNet 
SoftRemote VPN client: the client stores the password in an obfuscated form 
in the Windows registry, but it also holds the unencrypted password in 
process memory.

The SafeNet SoftRemote VPN client is widely used for remote access IPsec 
VPNs. It is available as a product in its own right, and many VPN vendors 
also use a badged-up version of the client which they ship with their VPN 
product. The issue has been confirmed in both the SoftRemote product, and 
also in two badged-up versions. It is suspected that the issue is common 
to all versions of the client.

The vendor has been notified of this issue and has produced a fix, which 
is expected to be available shortly.

DETAILS

While performing a VPN test for a customer, NTA Monitor discovered that 
the VPN client that was being used stored the VPN password (pre-shared 
key) unencrypted in the memory of the process "IreIKE.exe". It was 
possible to recover the password by dumping the process memory to a file 
with PMDump <http://ntsecurity.nu/toolbox/pmdump/> or by crashing the 
system to obtain a physical memory dump.

The IreIKE.exe process decrypts the pre-shared key as soon as it starts 
up, so there is no need to attempt to connect to the VPN server in order 
to obtain the password from the client.

The vulnerability was found in both the SafeNet version of the client and 
in two badged-up versions, which implies that it is common across all 
versions of the client.

The vulnerability allows anyone with access to the client system to obtain 
the password. It also allows anyone who has access to the obfuscated 
password in the client registry or in a policy file (.spd) to use the VPN 
client to obtain the corresponding plain-text password.

The VPN client registry, and also policy files, contain all the other 
configuration details needed to gain access to the VPN, such as the 
username and IP addresses, in plain (unencrypted) format. Therefore anyone 
with access to the VPN client system, or to a policy file, can obtain all 
of the details required to access the VPN.

In the memory dump, the plain-text password is visible near to the name of 
the connection that it is associated with (e.g. "My Connections\New 
Connection"). As the password appears to be at a fixed offset from the 
connection name in the memory dump, it would be a simple matter to write a 
tool to extract the connection name and password.
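Added example, not code from the advisory, NTA Monitor or the vendor: the pattern that avoids the exposure described above is to keep only the obfuscated credential resident and to recover the plaintext into a stack buffer that is wiped as soon as the key-exchange step has used it, rather than decrypting at process start and leaving it in memory. The XOR obfuscation, the `fake_ike_auth` step and the `psk_handle` names are constructed stand-ins; `region_contains` is the check an administrator can run over a dump of their own client to confirm whether the plaintext is resident.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in obfuscation (constructed for this example, not the real client's
 * scheme): XOR with a key that ships in the binary, so it is reversible. */
static const uint8_t OBF_KEY[4] = {0x5a, 0xa5, 0x3c, 0xc3};
/* Long-lived state holds only the obfuscated bytes, never the plaintext. */
typedef struct { uint8_t obf[64]; size_t len; } psk_handle;
static psk_handle g_handle;               /* what a process keeps resident */

static psk_handle *psk_store(psk_handle *h, const char *plain) {
    size_t n = strlen(plain); h->len = n < sizeof h->obf ? n : sizeof h->obf;
    for (size_t i = 0; i < h->len; i++)
        h->obf[i] = (uint8_t)plain[i] ^ OBF_KEY[i % sizeof OBF_KEY];
    return h;
}

/* Zero through a volatile pointer so the optimiser cannot drop the store
 * (portable stand-in for SecureZeroMemory / explicit_bzero). */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Scoped use: the plaintext exists only in this stack buffer while fn() runs,
 * then is wiped, so a dump taken at any other moment holds no plaintext. */
static unsigned psk_use(const psk_handle *h, unsigned (*fn)(const char *)) {
    char buf[sizeof h->obf + 1];
    for (size_t i = 0; i < h->len; i++)
        buf[i] = (char)(h->obf[i] ^ OBF_KEY[i % sizeof OBF_KEY]);
    buf[h->len] = '\0';
    unsigned r = fn(buf);
    secure_wipe(buf, sizeof buf);
    return r;
}

/* Simulated IKE step that needs the plaintext; returns an FNV-1a hash of it. */
static unsigned fake_ike_auth(const char *psk) {
    unsigned hsh = 2166136261u;
    for (; *psk; psk++) hsh = (hsh ^ (unsigned char)*psk) * 16777619u;
    return hsh;
}

/* Scan bytes for a known secret: the check an admin can run on a dump of their own client. */
static int region_contains(const void *mem, size_t n, const char *needle) {
    const uint8_t *m = mem; size_t k = strlen(needle);
    for (size_t i = 0; k && i + k <= n; i++)
        if (memcmp(m + i, needle, k) == 0) return 1;
    return 0;
}
```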


ADDITIONAL INFORMATION

The information has been provided by Roy Hills <mailto:Roy.Hills@nta-monitor.com>.
The original article can be found at:
<http://www.nta-monitor.com/news/vpn-flaws/safenet/index.htm>


