Application:     NCP VPN/PKI Client
Site:            http://www.ncp.de
Version:         8.30, Build 59 and maybe lower
OS:              Windows
Possible problem:     UDP Bypassing


Product:
========
NCP's Secure Communications provides a comprehensive portfolio of 
products for implementing total solutions for high-security remote 
access. These software-based products comply fully with all current 
major technology standards for communication and encryption, as defined 
by the IETF (Internet Engineering Task Force) and ITU (International 
Telecommunication Union). Consequently all products can be smoothly 
integrated into any existing network and communication architectures. 
Your Internet infrastructure, which may already consist of third-party 
security and access components, can be further used without changes - 
thus avoiding any unnecessary administrative costs.


About:
=====
There are two 'firewalls' part of the NCP VPN/PKI Client. The 'Link 
Firewall' and some sort of 'personal firewall'. The function of the 
'Link Firewall' is to prevent any traffic between an untrusted net and 
an active vpn connection. The 'Link Firewall' just can be turned on or 
off. The 'personal firewall' can be configured with rules like all of 
you probably know from other similar personal firewalls.

For my tests I activated the 'Link Firewall' and configured the 
'personal firewall' to prevent any in- or outbound traffic.


UDP Bypassing, both directions
=====
During some configuration tests for the NCP VPN/PKI Client I noticed 
that the machine still received an ip-address via DHCP, although both 
firewalls were enabled. So I did some research and figured out that it's 
possible to send and receive data from and to another machine. On the 
client with the NCP VPN/PKI Client installed you have to use port 68 
(UDP, sending and receiving) and on the 'other side' you have to use 
port 67 (UDP, sending and receiving).

For testing I wrote a little perl script which looks so unbelievable 
embarrassing that I better show how to use the bug using hping ;)

So to send something to the machine secured with the NCP VPN/PKI Client 
use hping like this.

hping.exe -2 -c 1 -s 67 -p 68 -e "You should've never gone to Hollywood" 
$TARGET

To send data from the machine with the NCP VPN/PKI Client to another pc 
use hping like this.

hping.exe -2 -c 1 -s 68 -p 67 -e "You should've never trusted Hollywood" 
$TARGET

This will also work if you're connected to a VPN.


History:
========
2006-05-12: Found the possible problems
2006-05-16: Mailed the vendor, no response
2006-05-22: Mailed the vendor again
2006-05-23: The vendor replied
2006-05-26: The vendor replied with technical details


ports

-- 
SYS 64767