Viscosity Open VPN 2.3 Privilege Escalation

2016.12.13
Credit: Ajay Gowtham
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

# Title : Viscosity Open VPN 2.3 Privilege Escalation # Date : 28/11/2016 # Author : Ajay Gowtham aka AJOXR # Tested on : Windows 10 ( Latest version x64 bit) # Software : https://www.sparklabs.com/downloads/Viscosity%20Installer.exe # Vulnerability Description: # When the Viscosity VPN software is installed a service with name #ViscosityService is installed. # The service itself has the right permissions which do not allow to reconfigure #the binary # but the path the binary is writable by any authenticated user. [#] Product & Service Introduction: =================================== Viscosity makes it easy for users new to VPNs to get started. Its clear and intuitive interface makes creating, configuring, or importing connections a snap. Read our detailed "Introduction to VPN" guide for an extensive introduction to VPNs and how to get started using Viscosity. [#] Technical Details & Description: ==================================== The application suffers from an unquoted search path issue in the official Viscosity software. The issue allows authorized but unprivileged local users to execute arbitrary code with system privileges on the active system. The attack vector of the issue is local. [#] Proof of Concept (PoC): =========================== The issue can be exploited by local attackers with restricted system user account or network access and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. -----------------------------------------------POC------------------------------------------ C:\>sc qc ViscosityService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ViscosityService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files\Viscosity\ViscosityService.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Viscosity Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem ------------------------------------------------------------------------------------------------------ C:\Program Files\Viscosity>icacls "C:\Program Files\Viscosity" C:\Program Files\Viscosity NT SERVICE\TrustedInstaller:(I)(F) <------------Everyone Has Full Permissions NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) BUILTIN\Users:(I)(RX) BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(I)(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files This exploit takes as a parameter an exe file that will replace the ViscosityService.exe and will run with full privileges when the service/computer is restarted. [#] Vulnerability Disclosure Timeline: ====================================== 2016-11-28 : Discovery of the Vulnerability 2016-12-04 : Contact the Vendor (No Response Support Team) 2016-12-12 : Public Disclosure [#] Disclaimer: =============== Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top