Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

iPass Mobile Client 2.4.2.15122 Privilege Escalation

🗓️ 13 Mar 2015 00:00:00Reported by Hans-Martin MuenchType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 42 Views

iPass Mobile Client 2.4.2.15122 Privilege Escalation vulnerability disclosed by Mogwai Security Advisory MSA-2015-03. Named pipes for interprocess communication in iPass Open Mobile Windows Client can be abused by a normal user to escalate local privileges

Code
`Mogwai Security Advisory MSA-2015-03  
----------------------------------------------------------------------  
Title: iPass Mobile Client service local privilege escalation  
Product: iPass Mobile Client   
Affected versions: iPass Mobile Client 2.4.2.15122 (Newer version might be also  
affected)  
Impact: medium   
Remote: no  
Product link: http://www.ipass.com/laptops/  
Reported: 11/03/2015  
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)  
  
  
Vendor's Description of the Software:  
----------------------------------------------------------------------  
The iPass Open Mobile client for laptops is lightweight and always on.  
It provides easy, seamless connectivity across iPass, customer, and third-party  
networks, and allows you to mix and match carrier networks without disrupting  
your users.  
  
The iPass Open Mobile client for laptops allows organizations to provide  
granular  
options for how employees connect to iPass Wi-Fi (the iPass Mobile Network),  
campus Wi-Fi, mobile broadband (3G/4G), Ethernet, and dial, using a single  
platform to manage all connections. Open Mobile also enables cost and security  
controls that provide virtual private network (VPN) integration options; mobile  
broadband 3G/4G usage controls for both data roaming and data usage; endpoint  
integrity verification that checks the security of the device at the point of  
connection; and several additional options for setting network connection and  
restriction policies. Insight into an organizations mobility usage is provided  
through user and device activity and summary reports as well as mobile broadband  
usage reports.  
-----------------------------------------------------------------------  
  
Vendor response:  
-----------------------------------------------------------------------  
"We do not consider this a vulnerability as it is how the product was designed"  
  
Business recommendation:  
-----------------------------------------------------------------------  
Disable the iPass service unless really required  
  
  
-- CVSS2 Ratings ------------------------------------------------------  
  
CVSS Base Score: 5.6  
Impact Subscore: 7.8  
Exploitability Subscore: 3.9  
CVSS v2 Vector (AV:L/AC:L/Au:N/C:P/I:C/A:N)  
-----------------------------------------------------------------------  
  
  
Vulnerability description:  
----------------------------------------------------------------------  
The iPass Open Mobile Windows Client utilizes named pipes for interprocess  
communication. One of these pipes accepts/forwards commands to the iPass  
plugin subsystem.  
  
A normal user can communicate with this pipe through the command line client  
EPCmd.exe which is part of the iPass suite. A list of available commands can  
be displayed via "System.ListAllCommands".  
  
The iPass pipe provides a "iPass.EventsAction.LaunchAppSysMode" command which  
allows to  
execute arbitrary commands as SYSTEM. This can be abused by a normal user to  
escalate  
his local privileges.  
  
Please note that this issue can also be exploited remotely in version  
2.4.2.15122 as  
the named pipe can also be called via SMB. However according to our information,  
the pipe is no longer remotely accessible in current versions of the iPass  
Mobile  
client.  
  
  
Proof of concept:  
----------------------------------------------------------------------  
  
The following EPCmd command line creates a local user "mogwai" with password  
"mogwai":  
  
EPCmd.exe iPass.EventsAction.LaunchAppSysMode c:\windows\system32\cmd.exe;"/c  
net user mogwai mogwai /ADD;;  
  
Disclosure timeline:  
----------------------------------------------------------------------  
10/03/2015: Requesting security contact from iPass sales  
10/03/2015: Sales responded, will forward vulnerability information to the  
development  
11/03/2015: Sending vulnerability details  
11/03/2015: iPass asks which customer we represent  
11/03/2015: Responding that we don't represent any iPass customer  
12/03/2015: iPass responded, wont fix, says that the product works as designed  
  
  
Advisory URL:  
----------------------------------------------------------------------  
https://www.mogwaisecurity.de/#lab  
  
  
----------------------------------------------------------------------  
Mogwai, IT-Sicherheitsberatung Muench  
Steinhoevelstrasse 2/2  
89075 Ulm (Germany)  
  
[email protected]  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Mar 2015 00:00Current
0.4Low risk
Vulners AI Score0.4
ipass mobile clientprivilege escalationmogwai security advisory
42