=====[ Tempest Security Intelligence - ADV-22/2018 ]===

Hola VPN 1.79.859 - Insecure service permissions
-------------------------------------------------------
Author:
- Filipe Xavier Oliveira: < filipe.xavier () tempest.com.br >

=====[ Table of Contents
]=====================================================

* Overview

* Detailed description

* Further attack scenarios

* Timeline of disclosure

* Thanks & Acknowledgements

* References

=====[ Overview
]==============================================================

* System affected : Hola VPN [1]

* Software Version : 1.79.859 .Other versions or models may also be
affected.

* Impact : An unprivileged user could modify or overwrite the executable
with arbitrary code, which would be executed the next time the service
is started. Resulting in privilege escalation.


=====[ Detailed description
]==================================================

An unprivileged user could modify or overwrite the executable with
arbitrary code, which would be executed the next time the service is
started. Depending on the user that the service runs as, this could
result in privilege escalation. The issue exists because of the
SERVICE_ALL_ACCESS access right for the hola_svc and hola_updater services.

C:\SysinternalsSuite>accesschk.exe -uwcqv "Everyone" *
RW hola_svc
SERVICE_ALL_ACCESS
RW hola_updater
SERVICE_ALL_ACCESS

=====[ Further attack scenarios
]==============================================

Services configured to use an executable with weak permissions are
vulnerable to privilege escalation attacks, any user can replace the
original service by the another, causing elevation of privileges to SYSTEM

=====[ Timeline of disclosure
]===============================================

29/01/2018 - Vulnerability reported. Vendor did not respond.
02/05/2018 - CVE assigned [2]
02/05/2018 - Tried to contact vendor again, without success.
03/06/2018 - Advisory publication date.

=====[ Thanks & Acknowledgements
]============================================

- Tempest Security Intelligence / Tempest's Pentest Team [1]

=====[ References
]===========================================================
[1] - http://hola.org/
[2] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6623
[3] - http://www.tempest.com.br/

-- 
Filipe Oliveira
Tempest Security Intelligence