[NT] SafeNet SoftRemote VPN Client Clear-text Password in Memory

From: SecuriTeam (support_at_securiteam.com)
Date: 02/14/05

    To: list@securiteam.com
    Date: 14 Feb 2005 14:02:00 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      SafeNet SoftRemote VPN Client Clear-text Password in Memory
    ------------------------------------------------------------------------

    SUMMARY

    NTA Monitor have discovered a password disclosure issue in the SafeNet
    SoftRemote VPN client: The SoftRemote client stores the password in an
    obfuscated form in the Windows registry, but it also stores the
    unencrypted password in process memory.

    The SafeNet SoftRemote VPN client is widely used for remote access IPsec
    VPNs. It is available as a product in its own right, and many VPN vendors
    also use a badged-up version of the client which they ship with their VPN
    product. The issue has been confirmed in both the SoftRemote product, and
    also in two badged-up versions. It is suspected that the issue is common
    to all versions of the client.

    The vendor has been notified of this issue and has produced a fix which
    is expected to be available shortly.

    DETAILS

    While performing a VPN test for a customer, NTA Monitor discovered that
    the VPN client that was being used stored the VPN password (pre-shared
    key) unencrypted in the memory of the process "IreIKE.exe". It was
    possible to recover the password by dumping the process memory to a file
    with PMDump (http://ntsecurity.nu/toolbox/pmdump/) or by crashing the
    system to obtain a physical memory dump.

    The IreIKE.exe process decrypts the pre-shared key as soon as it starts
    up, so there is no need to attempt to connect to the VPN server in order
    to obtain the password from the client.

    The vulnerability was found in both the SafeNet version of the client and
    in two badged-up versions, which implies that it is common across all
    versions of the client.

    The vulnerability allows anyone with access to the client system to obtain
    the password. It also allows anyone who has access to the obfuscated
    password in the client registry or in a policy file (.spd) to use the VPN
    client to obtain the corresponding plain-text password.

    The VPN client registry, and also policy files, contain all the other
    configuration details needed to gain access to the VPN, such as the
    username and IP addresses, in plain (unencrypted) format. Therefore anyone
    with access to the VPN client system, or to a policy file, can obtain all
    of the details required to access the VPN.

    In the memory dump, the plain-text password is visible near the name of
    the connection that it is associated with (e.g. "My Connections\New
    Connection"). As the password appears to be at a fixed offset from the
    connection name in the memory dump, it would be a simple matter to write a
    tool to extract the connection name and password.
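    A VPN administrator who wants to confirm this finding on their own client, or to verify that the vendor's fix actually keeps the key out of memory, can search a dump of the IreIKE.exe process for the pre-shared key they configured themselves. The following check is an added example, not code from NTA Monitor or SafeNet; it reads a dump file produced by any tool (the advisory mentions PMDump) and looks for the known key in the two byte encodings a Windows process typically holds strings in (8-bit and UTF-16LE), reporting where it was found and how far it sits from the connection name. The function names, the connection name, the placeholder key and the dump bytes are all constructed for the example.

    ```python
    """
    Check whether a secret you already know (here an IPsec pre-shared key)
    appears in clear text inside a memory dump. Defensive use: confirm a
    leak on a vulnerable build, or confirm that a patched build no longer
    leaks. Everything below is constructed for illustration.
    """
    import re
    from typing import List, Optional, Tuple

    # Hypothetical values standing in for a real client's configuration.
    CONNECTION_NAME = "My Connections\\New Connection"
    PSK = "hypothetical-psk-value"  # placeholder, not a real key

    # Constructed stand-in for a process memory dump: filler, the connection
    # name, the key as an 8-bit string, then the same key as UTF-16LE.
    SAMPLE_DUMP = (
        b"\x00" * 16
        + CONNECTION_NAME.encode("ascii") + b"\x00" * 8
        + PSK.encode("ascii") + b"\x00" * 8
        + b"unrelated data"
        + PSK.encode("utf-16-le") + b"\x00\x00"
    )

    ENCODINGS = ("ascii", "utf-16-le")

    Hit = Tuple[str, int, Optional[int]]  # (encoding, offset, distance from anchor)


    def find_secret(dump: bytes, secret: str, anchor: Optional[str] = None) -> List[Hit]:
        """Return every clear-text occurrence of `secret` in `dump`.

        For each hit the distance from the nearest preceding occurrence of
        `anchor` (e.g. the connection name, in the same encoding) is reported,
        or None when no anchor precedes the hit.
        """
        hits: List[Hit] = []
        for enc in ENCODINGS:
            needle = secret.encode(enc)
            anchor_bytes = anchor.encode(enc) if anchor else None
            for match in re.finditer(re.escape(needle), dump):
                offset = match.start()
                distance = None
                if anchor_bytes:
                    anchor_pos = dump.rfind(anchor_bytes, 0, offset)
                    if anchor_pos != -1:
                        distance = offset - anchor_pos
                hits.append((enc, offset, distance))
        return hits


    def secret_is_exposed(dump: bytes, secret: str) -> bool:
        """True if the secret is present in clear text in any encoding."""
        return bool(find_secret(dump, secret))


    def scan_dump_file(path: str, secret: str, anchor: Optional[str] = None) -> List[Hit]:
        """Scan a dump on disk (e.g. one written by a process-dump tool)."""
        with open(path, "rb") as fh:
            return find_secret(fh.read(), secret, anchor)


    def report(hits: List[Hit]) -> str:
        """Describe hits without echoing the secret itself."""
        if not hits:
            return "secret not found in clear text"
        lines = []
        for enc, offset, distance in hits:
            where = f"offset 0x{offset:x} ({enc})"
            if distance is not None:
                where += f", {distance} bytes after the connection name"
            lines.append(where)
        return "secret found in clear text at: " + "; ".join(lines)


    if __name__ == "__main__":
        print(report(find_secret(SAMPLE_DUMP, PSK, CONNECTION_NAME)))
    ```

    The report deliberately prints offsets only, never the key, so it can be pasted into a ticket. Run the same check against a dump taken after the vendor fix is applied; an empty result is the expected outcome once the client stops keeping the decrypted key resident.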

    ADDITIONAL INFORMATION

    The information has been provided by Roy Hills (Roy.Hills@nta-monitor.com).
    The original article can be found at:
    http://www.nta-monitor.com/news/vpn-flaws/safenet/index.htm

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
