SafeNet SoftRemote VPN Client Issue: Clear-text password stored in memory

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SafeNet SoftRemote VPN Client Issue: Clear-text password stored in memory
From: Roy Hills <Roy.Hills@xxxxxxxxxxxxxxx>
Date: Tue, 08 Feb 2005 12:08:18 +0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

SafeNet SoftRemote VPN Client Issue: Clear-text password stored in memory

Summary:

NTA Monitor have discovered a password disclosure issue in the SafeNetSoftRemote VPN client: The SoftRemote client stores the password in anobfuscated form in the Windows registry, but it also stores the unencryptedpassword in process memory.

The SafeNet SoftRemote VPN client is widely used for remote access IPsecVPNs. It is available as a product in its own right, and many VPN vendorsalso use a badged-up version of the client which they ship with their VPNproduct. The issue has been confirmed in both the SoftRemote product, andalso in two badged-up versions. It is suspected that the issue is commonto all versions of the client.

The vendor has been notified of this issue, and have produced a fix whichis expected to be available shortly.


Overview:

While performing a VPN test for a customer, NTA Monitor discovered that theVPN client that was being used stored the VPN password (pre-shared key)unencrypted in the memory of the process "IreIKE.exe". It was possible torecover the password by dumping the process memory to a file with PMDump(http://ntsecurity.nu/toolbox/pmdump/) or by crashing the system to obtaina physical memory dump.

The IreIKE.exe process decrypts the pre-shared key as soon as it starts up,so there is no need to attempt to connect to the VPN server in order toobtain the password from the client.

The vulnerability was found in both SafeNet version of the client, and alsotwo badged-up versions, which implies that it is common across all versionsof the client.

The vulnerability allows anyone with access to the client system to obtainthe password. It also allows anyone who has access to the obfuscatedpassword in the client registry or in a policy file (.spd) to use the VPNclient to obtain the corresponding plain-text password.

The VPN client registry, and also policy files, contain all the otherconfiguration details needed to gain access to the VPN, such as theusername and IP addresses in plain (unencrypted format). Therefore anyonewith access to the VPN client system, or a policy file, can obtain all ofthe required details to access the VPN.

In the memory dump, the plain-text password is visible near to the name ofthe connection that it is associated with (e.g. "My Connections\NewConnection"). As the password appears to be at a fixed offset from theconnection name in the memory dump, it would be a simple matter to write atool to extract the connection name and password.


Further Information:

For further information, including technical details and screenshots, see:

http://www.nta-monitor.com/news/vpn-flaws/safenet/index.htm

Roy Hills


--
Roy Hills                                    Tel:   +44 1634 721855
NTA Monitor Ltd                              FAX:   +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate,                          Email: Roy.Hills@xxxxxxxxxxxxxxx

Rochester, Kent ME2 4FA,UK WWW: http://www.nta-monitor.com/

Prev by Date: mailman email harvester
Next by Date: [SECURITY] [DSA 670-1] New emacs20 packages fix arbitrary code execution
Previous by thread: secure-roster script to address mailman email harvester
Next by thread: [SECURITY] [DSA 670-1] New emacs20 packages fix arbitrary code execution
Index(es):
- Date
- Thread