iPass Mobile Client 2.4.2.15122 Privilege Escalation

Posted Mar 13, 2015
Authored by Hans-Martin Muench

iPass Mobile Client version 2.4.2.15122 suffers from a local privilege escalation vulnerability.

tags | exploit, local
SHA-256 | bd007d26621d154125e049c9012e6a55d1250112d7f68cf635a95297806bc04a

Mogwai Security Advisory MSA-2015-03
----------------------------------------------------------------------
Title: iPass Mobile Client service local privilege escalation
Product: iPass Mobile Client
Affected versions: iPass Mobile Client 2.4.2.15122 (newer versions might also
be affected)
Impact: medium
Remote: no
Product link: http://www.ipass.com/laptops/
Reported: 11/03/2015
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)


Vendor's Description of the Software:
----------------------------------------------------------------------
The iPass Open Mobile client for laptops is lightweight and always on.
It provides easy, seamless connectivity across iPass, customer, and third-party
networks, and allows you to mix and match carrier networks without disrupting
your users.

The iPass Open Mobile client for laptops allows organizations to provide
granular options for how employees connect to iPass Wi-Fi (the iPass Mobile
Network), campus Wi-Fi, mobile broadband (3G/4G), Ethernet, and dial, using a
single platform to manage all connections. Open Mobile also enables cost and
security controls that provide virtual private network (VPN) integration
options; mobile broadband 3G/4G usage controls for both data roaming and data
usage; endpoint integrity verification that checks the security of the device
at the point of connection; and several additional options for setting network
connection and restriction policies. Insight into an organization's mobility
usage is provided through user and device activity and summary reports as well
as mobile broadband usage reports.
-----------------------------------------------------------------------

Vendor response:
-----------------------------------------------------------------------
"We do not consider this a vulnerability as it is how the product was designed"

Business recommendation:
-----------------------------------------------------------------------
Disable the iPass service unless really required


-- CVSS2 Ratings ------------------------------------------------------

CVSS Base Score: 5.6
Impact Subscore: 7.8
Exploitability Subscore: 3.9
CVSS v2 Vector (AV:L/AC:L/Au:N/C:P/I:C/A:N)
-----------------------------------------------------------------------


Vulnerability description:
----------------------------------------------------------------------
The iPass Open Mobile Windows Client utilizes named pipes for interprocess
communication. One of these pipes accepts/forwards commands to the iPass
plugin subsystem.

A normal user can communicate with this pipe through the command line client
EPCmd.exe which is part of the iPass suite. A list of available commands can
be displayed via "System.ListAllCommands".

The iPass pipe provides an "iPass.EventsAction.LaunchAppSysMode" command which
allows the execution of arbitrary commands as SYSTEM. A normal user can abuse
this to escalate their local privileges.

Please note that this issue can also be exploited remotely in version
2.4.2.15122, as the named pipe can also be called via SMB. However, according
to our information, the pipe is no longer remotely accessible in current
versions of the iPass Mobile client.


Proof of concept:
----------------------------------------------------------------------

The following EPCmd command line creates a local user "mogwai" with password
"mogwai":

EPCmd.exe iPass.EventsAction.LaunchAppSysMode c:\windows\system32\cmd.exe;"/c net user mogwai mogwai /ADD;;
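
Detection logic for the behaviour described above, added here as an example and
not part of the Mogwai advisory: it scans process-creation records for the two
pipe commands the advisory names. The event field names, host and user values
and the EPCmd.exe path are constructed, and the "<program>;<arguments>;;"
layout is an assumption inferred from the proof of concept.

```python
# Added example: command names come from the advisory; event field names,
# host/user values and the EPCmd.exe path are constructed for illustration.
LAUNCH_CMD = "ipass.eventsaction.launchappsysmode"
LIST_CMD = "system.listallcommands"

SAMPLE_EVENTS = [  # constructed process-creation records (4688 / Sysmon 1 style)
    {"host": "LT-0142", "user": "CORP\\jdoe",
     "image": "C:\\Example\\iPass\\EPCmd.exe",
     "command_line": "EPCmd.exe System.ListAllCommands"},
    {"host": "LT-0142", "user": "CORP\\jdoe",
     "image": "C:\\Example\\iPass\\EPCmd.exe",
     "command_line": "EPCmd.exe iPass.EventsAction.LaunchAppSysMode "
                     "c:\\windows\\system32\\cmd.exe;\"/c net user mogwai mogwai /ADD;;"},
    {"host": "LT-0077", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\ipconfig.exe",
     "command_line": "ipconfig /all"},
]


def classify(event):
    """Return an alert for use of the pipe commands named in the advisory, else None."""
    cmdline = event["command_line"]
    lowered = cmdline.lower()
    alert = {"host": event["host"], "user": event["user"], "image": event["image"]}
    if LAUNCH_CMD in lowered:
        # Assumption from the PoC layout: "<program>;<arguments>;;" follows the command name.
        tail = cmdline[lowered.index(LAUNCH_CMD) + len(LAUNCH_CMD):].strip()
        alert.update(severity="high", command="LaunchAppSysMode",
                     target=tail.split(";", 1)[0].strip().strip('"'))
        return alert
    if LIST_CMD in lowered:
        alert.update(severity="info", command="ListAllCommands", target=None)
        return alert
    return None


def scan(events):
    """Return alerts for all matching events, highest severity first."""
    alerts = [a for a in map(classify, events) if a is not None]
    return sorted(alerts, key=lambda a: a["severity"] != "high")


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a["severity"], a["host"], a["user"], a["command"], a["target"])
```

This relies on command-line logging for process creation being enabled on the
endpoint.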

Disclosure timeline:
----------------------------------------------------------------------
10/03/2015: Requesting security contact from iPass sales
10/03/2015: Sales responded, will forward vulnerability information to
            development
11/03/2015: Sending vulnerability details
11/03/2015: iPass asks which customer we represent
11/03/2015: Responding that we don't represent any iPass customer
12/03/2015: iPass responded, won't fix, says that the product works as designed


Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab


----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)

info@mogwaisecurity.de