lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7054fba6-4674-d6a4-6a43-1f048cc64687@tempest.com.br>
Date: Tue, 6 Mar 2018 16:17:07 -0300
From: filipe <filipe.xavier@...pest.com.br>
To: fulldisclosure@...lists.org
Subject: [FD] Hola VPN 1.79.859 - Insecure service permissions

=====[ Tempest Security Intelligence - ADV-22/2018 ]===

Hola VPN 1.79.859 - Insecure service permissions
-------------------------------------------------------
Author:
- Filipe Xavier Oliveira: < filipe.xavier () tempest.com.br >

=====[ Table of Contents
]=====================================================

* Overview

* Detailed description

* Further attack scenarios

* Timeline of disclosure

* Thanks & Acknowledgements

* References

=====[ Overview
]==============================================================

* System affected : Hola VPN [1]

* Software Version : 1.79.859 .Other versions or models may also be
affected.

* Impact : An unprivileged user could modify or overwrite the executable
with arbitrary code, which would be executed the next time the service
is started. Resulting in privilege escalation.


=====[ Detailed description
]==================================================

An unprivileged user could modify or overwrite the executable with
arbitrary code, which would be executed the next time the service is
started. Depending on the user that the service runs as, this could
result in privilege escalation. The issue exists because of the
SERVICE_ALL_ACCESS access right for the hola_svc and hola_updater services.

C:\SysinternalsSuite>accesschk.exe -uwcqv "Everyone" *
RW hola_svc
SERVICE_ALL_ACCESS
RW hola_updater
SERVICE_ALL_ACCESS

=====[ Further attack scenarios
]==============================================

Services configured to use an executable with weak permissions are
vulnerable to privilege escalation attacks, any user can replace the
original service by the another, causing elevation of privileges to SYSTEM

=====[ Timeline of disclosure
]===============================================

29/01/2018 - Vulnerability reported. Vendor did not respond.
02/05/2018 - CVE assigned [2]
02/05/2018 - Tried to contact vendor again, without success.
03/06/2018 - Advisory publication date.

=====[ Thanks & Acknowledgements
]============================================

- Tempest Security Intelligence / Tempest's Pentest Team [1]

=====[ References
]===========================================================
[1] - http://hola.org/
[2] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6623
[3] - http://www.tempest.com.br/

-- 
Filipe Oliveira
Tempest Security Intelligence


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists