API tools faq
paste
Advertisement
Lulz-Tigre

hidemyvpn expliot

Lulz-Tigre
Jul 13th, 2016
1,607
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.86 KB | None | 0 0
raw download clone embed print report
  1. Title: Hide.Me VPN Client - EoP: User to SYSTEM
  2. CWE Class: CWE-276: Incorrect Default Permissions
  3. Date: 01/06/2016
  4. Vendor: eVenture
  5. Product: Hide.Me VPN Client
  6. Version: 1.2.4
  7. Download link: https://hide.me/en/software/windows
  8. Tested on: Windows 7 x86, fully patched
  9. Release mode: no bugbounty program, public release
  10.  
  11. Installer Name: Hide.me-Setup-1.2.4.exe
  12. MD5: e5e5e2fa2c9592660a180357c4482740
  13. SHA1: 4729c45d6399c759cd8f6a0c5773e08c6c57e034
  14.  
  15. - 1. Introduction: -
  16. The installer automatically creates a folder named "hide.me VPN" under
  17. c:\program files\ for the software.
  18. No other location can be specified during installation.
  19.  
  20. The folder has insecure permissions allowing EVERYONE the WRITE permission.
  21. Users can replace binaries or plant malicious DLLs to obtain elevated privileges.
  22.  
  23. As the software is running one executable as service under SYSTEM
  24. permissions an attacker could elevate from regular user to SYSTEM.
  25.  
  26. - 2. Technical Details/PoC: -
  27. A. Obtain and execute the installer.
  28. B. Observe there is no prompt to specify an installation location.
  29. C. Review permissions under the Explorer Security tab or run icacls.exe
  30.  
  31. Example:
  32.  
  33. C:\Program Files\hide.me VPN Everyone:(OI)(CI)(M)
  34. NT SERVICE\TrustedInstaller:(I)(F)
  35. NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
  36. NT AUTHORITY\SYSTEM:(I)(F)
  37. NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
  38. BUILTIN\Administrators:(I)(F)
  39. BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
  40. BUILTIN\Users:(I)(RX)
  41. BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
  42. CREATOR OWNER:(I)(OI)(CI)(IO)(F)
  43.  
  44. Successfully processed 1 files; Failed processing 0 files
  45.  
  46. C. A user can overwrite an executable or drop a malicious DLL to obtain code execution.
  47. The highest permissions are reached by overwriting the service executable: vpnsvc.exe
  48.  
  49. However it is running at startup and can't be stopped by a non-privileged user.
  50.  
  51. As we can write to the directory we can rename all of the DLL's to DLL.old
  52.  
  53. C:\Program Files\hide.me VPN\Common.dll
  54. C:\Program Files\hide.me VPN\SharpRaven.dll
  55. C:\Program Files\hide.me VPN\ComLib.dll
  56. C:\Program Files\hide.me VPN\vpnlib.dll
  57. C:\Program Files\hide.me VPN\Newtonsoft.Json.dll
  58. C:\Program Files\hide.me VPN\DotRas.dll
  59.  
  60. Once renamed, reboot the machine, log on as normal user.
  61.  
  62. E. Observe both application AND the system service have crashed.
  63. Now replace vpnsvc.exe with a malicious copy.
  64. Place back all original DLLS and reboot.
  65.  
  66. Our code will get executed under elevated permissions: SYSTEM.
  67.  
  68. - 3. Mitigation: -
  69. A. set appropriate permissions on the application folder.
  70.  
  71. - 4. Author: -
  72. sh4d0wman
  73.  
  74. # 0day.today [2016-07-13] #
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!