Source: myhack58, 佚名 (Anonymous), MYHACK58:62201993765
History: Apr 19, 2019 - 12:00 a.m.

0day: a detailed analysis of multiple privilege escalation vulnerabilities in Shimo VPN on macOS - vulnerability warning - 黑吧安全网 (myhack58)

2019-04-19 00:00:00
佚名 (Anonymous)
www.myhack58.com

EPSS: 0.0004 (Low), percentile 12.8%

1. Overview
The Cisco Talos team recently disclosed a series of vulnerabilities in the Shimo VPN helper tool. Shimo VPN is a very popular VPN client for macOS that can connect to multiple VPN accounts from a single application. These particular vulnerabilities are in the helper tool, the component Shimo VPN uses to perform certain privileged operations.
In accordance with our disclosure policy, after repeated unsuccessful attempts to communicate with the vendor, we ultimately decided to disclose the vulnerability details even though no official patch has been released.
2. Shimo VPN helper service privilege escalation vulnerability (CVE-2018-4004)
CVE-2018-4004 (TALOS-2018-0673) is a privilege escalation vulnerability located in the Shimo VPN helper service, specifically in its disconnectService function. Successful exploitation requires local access to the computer and can allow a non-root user to terminate processes running with system privileges.
2.1 CVSSv3 score
7.1 – CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
2.2 CWE
CWE-19: improper input validation
2.3 Vulnerability details
When the application is first installed, the helper tool is installed as root and registered as a LaunchD daemon. This means that if the program is terminated, it is immediately restarted. The service listens using:
v3 = objc_msgSend(&OBJC_CLASS___NSXPCListener, "alloc");
v4 = objc_msgSend(v3, "initWithMachServiceName:", CFSTR("com.feingeist.shimo.helper"));
The second parameter is the string under which the service is registered, and the call then starts the listener. This opens the service to connections that use Objective-C XPC calls. A client connects to the service by executing a snippet similar to the following:
v8 = objc_msgSend(v7, "initWithMachServiceName:options:", CFSTR("com.feingeist.shimo.helper"), 4096LL); [1]
v11 = objc_msgSend(
        &OBJC_CLASS___NSXPCInterface,
        "interfaceWithProtocol:",
        &OBJC_PROTOCOL___ShimoHelperToolProtocol); [2]
At [1], the same call as above is used, but the options argument indicates that this side is the client rather than the listener. At [2], a specific protocol is passed that defines all the functions the client is allowed to call. The server must define the same protocol for these calls to work. Examining the protocol, we found that a vulnerability exists.
The vulnerability is located in the disconnectService:fromRemoteHost:withComPort:withPID:withReply: function; the relevant code is as follows:
pid = arg_6; [3]
syslog(5, "Running disconnectService in helper.");
if ( pid < 6 )
    goto LABEL_17;
v10 = 90LL;
if ( !_bittest64(&v10, v8) )
{
    if ( v8 )
    {
        if ( v8 == 2 )
        {
            if ( CSProcessRunning(pid) ) [4]
            {
                if ( !-[ShimoHelperTool killProcessWithID:withSignal:](self, "killProcessWithID:withSignal:", pid, 15LL) ) [5]
At [3], the incoming parameter is assigned to the variable responsible for holding the process ID. At [4], a check verifies that the application is running, and the process is then passed to the kill function at [5]. As a result, a non-root user can pass in any PID they choose and have that process terminated. This operation crosses a privilege boundary, producing a privilege escalation vulnerability.
2.4 Exploit proof of concept
We provide an executable that terminates the application with PID 101. On a normal boot, PID 101 is a root process that in theory should not be terminable by an ordinary user, which illustrates the impact of the vulnerability.
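The defect above is that the root helper signals whatever PID an unauthenticated XPC client names. The following is an added illustration of the two missing checks, written for this article and not taken from Shimo's code: the helper only signals PIDs it recorded when it spawned the VPN process itself, and it only accepts XPC clients that satisfy a code-signing requirement (HelperProtocol, HardenedHelper, the Mach service name and the TEAMID_PLACEHOLDER requirement string are assumptions; setCodeSigningRequirement: is a macOS 13+ API).

```objectivec
#import <Foundation/Foundation.h>
#import <signal.h>
#import <errno.h>
// Hypothetical hardened helper: protocol and class names are assumptions, not Shimo's code.
@protocol HelperProtocol
- (void)disconnectServiceWithPID:(pid_t)pid reply:(void (^)(BOOL ok, NSString *msg))reply;
@end
@interface HardenedHelper : NSObject <HelperProtocol, NSXPCListenerDelegate>
@property (nonatomic, strong) NSMutableSet<NSNumber *> *spawnedPIDs; // PIDs this helper launched itself
@end
@implementation HardenedHelper
- (instancetype)init {
    if ((self = [super init])) _spawnedPIDs = [NSMutableSet set];
    return self;
}
// Unlike the vulnerable routine, an arbitrary caller-supplied PID is never signalled:
// only a PID the helper recorded when it spawned the VPN process may be terminated.
- (void)disconnectServiceWithPID:(pid_t)pid reply:(void (^)(BOOL, NSString *))reply {
    if (pid <= 1 || ![self.spawnedPIDs containsObject:@(pid)]) {
        reply(NO, @"refusing to signal a PID this helper did not spawn");
        return;
    }
    if (kill(pid, SIGTERM) != 0 && errno != ESRCH) { reply(NO, @"kill failed"); return; }
    [self.spawnedPIDs removeObject:@(pid)];
    reply(YES, @"terminated");
}
// Accept only clients whose code satisfies the requirement (assumed team ID placeholder).
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (@available(macOS 13.0, *)) {
        [conn setCodeSigningRequirement:
            @"anchor apple generic and certificate leaf[subject.OU] = \"TEAMID_PLACEHOLDER\""];
    } else {
        return NO; // assumption: refuse rather than trust an unverified caller on older systems
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}
@end
int main(void) {
    HardenedHelper *helper = [HardenedHelper new];
    NSXPCListener *listener = [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
    listener.delegate = helper;
    [listener resume];
    [[NSRunLoop currentRunLoop] run];
    return 0;
}
```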
2.5 Timeline
2018-09-21: disclosed to the vendor
2018-09-22: vendor confirms the vulnerability and provides contact information for the lead developer
2018-09-26: vulnerability details sent to the lead developer
2018-10-08: first follow-up on progress
2018-11-09: second follow-up on progress
2018-12-04: third follow-up on progress
2019-03-14: follow-up on progress before public disclosure
2019-03-15: public disclosure of the 0day vulnerability
3. Shimo VPN helper service privilege escalation vulnerability (CVE-2018-4005)
CVE-2018-4005 (TALOS-2018-0674) is an exploitable privilege escalation vulnerability located in the Shimo VPN helper service, specifically in its configureRoutingWithCommand function. Successful exploitation requires local access to the computer, but may allow an attacker to escalate privileges to root.

