This Metasploit module exploits an injection vulnerability in the Network Manager VPNC plugin to gain root privileges. This Metasploit module uses a new line injection vulnerability in the configured username for a VPN network connection to inject a `Password helper` configuration directive into the connection configuration. The specified helper is executed by Network Manager as root when the connection is started. Network Manager VPNC versions prior to 1.2.6 are vulnerable. This Metasploit module has been tested successfully with VPNC versions: 1.2.4-4 on Debian 9.0.0 (x64); and 1.1.93-1 on Ubuntu Linux 16.04.4 (x64).
07e3f24f0ba44622e12961448bb4ae2cacb1f01c983cf368bc94c3c2107fbe4a
Gentoo Linux Security Advisory 201808-3 - A vulnerability in NetworkManager VPNC plugin allows local users to escalate privileges. Versions prior to 1.2.6 are affected.
ea39bd7ae9286e0e11774c56434c9196e05bdb6bd75bf8dd60c8aa8ad97af467
Network Manager VPNC version 1.2.4 suffers from a privilege escalation vulnerability.
07086aef8c32f905b63b3ac0bd56d5717e5df977d219eaf6d7809892f46da39f
Debian Linux Security Advisory 4253-1 - Denis Andzakovic discovered that network-manager-vpnc, a plugin to provide VPNC support for NetworkManager, is prone to a privilege escalation vulnerability. A newline character can be used to inject a Password helper parameter into the configuration data passed to vpnc, allowing a local user with privileges to modify a system connection to execute arbitrary commands as root.
acbb0dffafcd605128ce0ac32a2428118b568943b15f96ed93fde4fde09b84ea