SafeNet SoftRemote VPN Client Memory Plaintext Password Disclosure Vulnerability and Details
Author: unknown    Source: www.securiteam.com    Hits:    Updated: 2005-2-16

Summary
NTA Monitor have discovered a password disclosure issue in the SafeNet SoftRemote VPN client: The SoftRemote client stores the password in an obfuscated form in the Windows registry, but it also stores the unencrypted password in process memory.

The SafeNet SoftRemote VPN client is widely used for remote access IPsec VPNs. It is available as a product in its own right, and many VPN vendors also use a badged-up version of the client which they ship with their VPN product. The issue has been confirmed in both the SoftRemote product, and also in two badged-up versions. It is suspected that the issue is common to all versions of the client.

The vendor has been notified of this issue and has produced a fix, which is expected to be available shortly.

Credit:
The information has been provided by Roy Hills.
The original article can be found at: http://www.nta-monitor.com/news/vpn-flaws/safenet/index.htm

Details
While performing a VPN test for a customer, NTA Monitor discovered that the VPN client that was being used stored the VPN password (pre-shared key) unencrypted in the memory of the process "IreIKE.exe". It was possible to recover the password by dumping the process memory to a file with PMDump or by crashing the system to obtain a physical memory dump.

The IreIKE.exe process decrypts the pre-shared key as soon as it starts up, so there is no need to attempt to connect to the VPN server in order to obtain the password from the client.

The vulnerability was found in both the SafeNet version of the client and two badged-up versions, which implies that it is common across all versions of the client.

The vulnerability allows anyone with access to the client system to obtain the password. It also allows anyone who has access to the obfuscated password in the client registry or in a policy file (.spd) to use the VPN client to obtain the corresponding plain-text password.

The VPN client registry, and also policy files, contain all the other configuration details needed to gain access to the VPN, such as the username and IP addresses in plain (unencrypted format). Therefore anyone with access to the VPN client system, or a policy file, can obtain all of the required details to access the VPN.

In the memory dump, the plain-text password is visible near to the name of the connection that it is associated with (e.g. "My Connections\New Connection"). As the password appears to be at a fixed offset from the connection name in the memory dump, it would be a simple matter to write a tool to extract the connection name and password.
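A regression check for this class of defect, added here as an example and not code from the advisory or from NTA Monitor: given a process memory dump and a pre-shared key you already know, report every cleartext copy (8-bit and UTF-16LE, since Windows clients may hold either), and show the wipe-after-use pattern a fixed client should apply. The dump, connection name and key below are constructed sample data.

```python
"""Verify that a known pre-shared key does not survive in cleartext in a
process memory dump, and demonstrate wiping it once it is no longer needed.
Added example; the dump below is constructed, not a real IreIKE.exe image."""
import re
from typing import List, Tuple


def find_cleartext_secret(dump: bytes, secret: str) -> List[Tuple[str, int]]:
    """Return (encoding, offset) for every cleartext copy of `secret` in `dump`.

    Windows processes keep strings as 8-bit or UTF-16LE, so a memory-hygiene
    check has to search for both encodings of the same value."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = secret.encode(enc)
        for m in re.finditer(re.escape(needle), dump):
            hits.append((enc, m.start()))
    return hits


def wipe(buf: bytearray, start: int, length: int) -> None:
    """Overwrite a secret in a mutable buffer in place.

    Mitigation pattern: decrypt the key into a buffer that can be zeroed and
    clear it as soon as it is in use, instead of leaving the plaintext resident
    for the lifetime of the process."""
    buf[start:start + length] = b"\x00" * length


# Constructed dump mimicking the layout the advisory describes: the connection
# name, then the decrypted key a fixed distance later, plus a UTF-16LE copy.
PSK = "s3cr3t-psk"                          # constructed sample value
CONN = "My Connections\\New Connection"
DUMP = (b"\x00" * 16 + CONN.encode("ascii") + b"\x00" * 8 + PSK.encode("ascii")
        + b"\x00" * 32 + PSK.encode("utf-16-le") + b"\x00" * 16)


def demo() -> Tuple[int, int]:
    """Count cleartext copies before and after a fixed client wipes them."""
    before = len(find_cleartext_secret(DUMP, PSK))
    buf = bytearray(DUMP)
    for enc, off in find_cleartext_secret(DUMP, PSK):
        wipe(buf, off, len(PSK.encode(enc)))
    after = len(find_cleartext_secret(bytes(buf), PSK))
    return before, after


if __name__ == "__main__":
    print("cleartext copies (before, after wipe):", demo())
```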
