Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

OpenVPN Private Tunnel Privilege Escalation

🗓️ 11 Jul 2014 00:00:00Reported by LiquidWormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 32 Views

OpenVPN Private Tunnel Core Service Unquoted Service Path Elevation Of Privilege. Vendor: OpenVPN Technologies, Inc

Code
`  
OpenVPN Private Tunnel Core Service Unquoted Service Path Elevation Of Privilege  
  
  
Vendor: OpenVPN Technologies, Inc  
Product web page: http://www.openvpn.net  
Affected version: 2.1.28.0 (PrivateTunnel 2.3.8)  
  
Summary: Private Tunnel is a new approach to true Internet security creating  
a Virtual Private Tunnel (VPT) or Virtual Private Network (VPN) that encrypts,  
privatizes, and protects your Internet traffic.  
  
Desc: Private Tunnel application suffers from an unquoted search path issue  
impacting the Core Service 'ptservice' service for Windows deployed as part  
of PrivateTunnel bundle. This could potentially allow an authorized but  
non-privileged local user to execute arbitrary code with elevated privileges  
on the system. A successful attempt would require the local user to be able  
to insert their code in the system root path undetected by the OS or other  
security applications where it could potentially be executed during application  
startup or reboot. If successful, the local user's code would execute with the  
elevated privileges of the application.  
  
Tested on: Microsoft Windows 7 Professional SP1 (EN)  
Microsoft Windows XP Professional SP3 (EN)  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2014-5192  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5192.php  
  
  
07.07.2014  
  
---  
  
  
C:\Users\user>sc qc ptservice  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: ptservice  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\Program Files (x86)\OpenVPN Technologies\PrivateTunnel\ptservice.exe  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : Private Tunnel Core Service  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
C:\Users\user>icacls "C:\Program Files (x86)\OpenVPN Technologies\PrivateTunnel\ptservice.exe"  
C:\Program Files (x86)\OpenVPN Technologies\PrivateTunnel\ptservice.exe NT AUTHORITY\SYSTEM:(I)(F)  
BUILTIN\Administrators:(I)(F)  
BUILTIN\Users:(I)(RX)  
  
Successfully processed 1 files; Failed processing 0 files  
  
C:\Users\user>  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Jul 2014 00:00Current
0.4Low risk
Vulners AI Score0.4
openvpnprivate tunnelelevation of privilegeunquoted service pathwindowsvulnerabilityprivilege escalationvirtual private networkencryptioninternet securitylocal userarbitrary codeelevated privilegeszero science advisory
32