Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

NCP VPN/PKI Client: UDP Bypassing

From: "ml3 () portsonline net" <ml3 () portsonline net>
Date: Fri, 30 Jun 2006 16:02:25 +0200
Application:            NCP VPN/PKI Client
Site:                   http://www.ncp.de
Version:                8.30, Build 59 and maybe lower
OS:                     Windows
Possible problem:       UDP Bypassing


Product:
========
NCP's Secure Communications provides a comprehensive portfolio of products for implementing total solutions for high-security remote access. These software-based products comply fully with all current major technology standards for communication and encryption, as defined by the IETF (Internet Engineering Task Force) and ITU (International Telecommunication Union). Consequently all products can be smoothly integrated into any existing network and communication architectures. Your Internet infrastructure, which may already consist of third-party security and access components, can be further used without changes - thus avoiding any unnecessary administrative costs. 


About:
=====
There are two 'firewalls' part of the NCP VPN/PKI Client. The 'Link Firewall' and some sort of 'personal firewall'. The function of the 'Link Firewall' is to prevent any traffic between an untrusted net and an active vpn connection. The 'Link Firewall' just can be turned on or off. The 'personal firewall' can be configured with rules like all of you probably know from other similar personal firewalls.
For my tests I activated the 'Link Firewall' and configured the 'personal firewall' to prevent any in- or outbound traffic. 


UDP Bypassing, both directions
=====
During some configuration tests for the NCP VPN/PKI Client I noticed that the machine still received an ip-address via DHCP, although both firewalls were enabled. So I did some research and figured out that it's possible to send and receive data from and to another machine. On the client with the NCP VPN/PKI Client installed you have to use port 68 (UDP, sending and receiving) and on the 'other side' you have to use port 67 (UDP, sending and receiving).
For testing I wrote a little perl script which looks so unbelievable embarrassing that I better show how to use the bug using hping ;)
So to send something to the machine secured with the NCP VPN/PKI Client use hping like this.
hping.exe -2 -c 1 -s 67 -p 68 -e "You should've never gone to Hollywood" $TARGET
To send data from the machine with the NCP VPN/PKI Client to another pc use hping like this.
hping.exe -2 -c 1 -s 68 -p 67 -e "You should've never trusted Hollywood" $TARGET 

This will also work if you're connected to a VPN.


History:
========
2006-05-12: Found the possible problems
2006-05-16: Mailed the vendor, no response
2006-05-22: Mailed the vendor again
2006-05-23: The vendor replied
2006-05-26: The vendor replied with technical details


ports

--
SYS 64767

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: