# Title : Viscosity Open VPN 2.3 Privilege Escalation
# Date : 28/11/2016
# Author : Ajay Gowtham aka AJOXR
# Tested on : Windows 10 ( Latest version x64 bit)
# Software : https://www.sparklabs.com/downloads/Viscosity%20Installer.exe
# Vulnerability Description:
# When the Viscosity VPN software is installed a service with name
#ViscosityService is installed.
# The service itself has the right permissions which do not allow to
reconfigure #the binary
# but the path the binary is writable by any authenticated user.

[#] Product & Service Introduction:
===================================
Viscosity makes it easy for users new to VPNs to get started. Its clear and
intuitive interface makes creating, configuring, or importing connections a
snap. Read our detailed "Introduction to VPN" guide for an extensive
introduction to VPNs and how to get started using Viscosity.


[#] Technical Details & Description:
====================================
The application suffers from an unquoted search path issue in the official
Viscosity software. The issue allows authorized but unprivileged local
users to execute arbitrary code with system privileges on the active
system. The attack vector of the issue is local.

[#] Proof of Concept (PoC):
===========================
The issue can be exploited by local attackers with restricted system user
account or network access and without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.

-----------------------------------------------POC------------------------------------------
C:\>sc qc ViscosityService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ViscosityService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program
Files\Viscosity\ViscosityService.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Viscosity Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

------------------------------------------------------------------------------------------------------
C:\Program Files\Viscosity>icacls "C:\Program Files\Viscosity"
C:\Program Files\Viscosity NT SERVICE\TrustedInstaller:(I)(F)
<------------Everyone Has Full Permissions
                           NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                           NT AUTHORITY\SYSTEM:(I)(F)
                           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                           BUILTIN\Administrators:(I)(F)
                           BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                           BUILTIN\Users:(I)(RX)
                           BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                           CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                           APPLICATION PACKAGE AUTHORITY\ALL APPLICATION
PACKAGES:(I)(RX)
                           APPLICATION PACKAGE AUTHORITY\ALL APPLICATION
PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

This exploit takes as a parameter an exe file that will replace the
ViscosityService.exe and will run with full privileges when the
service/computer is restarted.


[#] Vulnerability Disclosure Timeline:
======================================
2016-11-28 : Discovery of the Vulnerability
2016-12-04 : Contact the Vendor (No Response Support Team)
2016-12-12 : Public Disclosure

[#] Disclaimer:
===============
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.