Viscosity Open VPN 2.3 Privilege Escalation

`# Title : Viscosity Open VPN 2.3 Privilege Escalation  
# Date : 28/11/2016  
# Author : Ajay Gowtham aka AJOXR  
# Tested on : Windows 10 ( Latest version x64 bit)  
# Software : https://www.sparklabs.com/downloads/Viscosity%20Installer.exe  
# Vulnerability Description:  
# When the Viscosity VPN software is installed a service with name  
#ViscosityService is installed.  
# The service itself has the right permissions which do not allow to  
reconfigure #the binary  
# but the path the binary is writable by any authenticated user.  
  
[#] Product & Service Introduction:  
===================================  
Viscosity makes it easy for users new to VPNs to get started. Its clear and  
intuitive interface makes creating, configuring, or importing connections a  
snap. Read our detailed "Introduction to VPN" guide for an extensive  
introduction to VPNs and how to get started using Viscosity.  
  
  
[#] Technical Details & Description:  
====================================  
The application suffers from an unquoted search path issue in the official  
Viscosity software. The issue allows authorized but unprivileged local  
users to execute arbitrary code with system privileges on the active  
system. The attack vector of the issue is local.  
  
[#] Proof of Concept (PoC):  
===========================  
The issue can be exploited by local attackers with restricted system user  
account or network access and without user interaction.  
For security demonstration or to reproduce the vulnerability follow the  
provided information and steps below to continue.  
  
-----------------------------------------------POC------------------------------------------  
C:\>sc qc ViscosityService  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: ViscosityService  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : "C:\Program  
Files\Viscosity\ViscosityService.exe"  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : Viscosity Service  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
------------------------------------------------------------------------------------------------------  
C:\Program Files\Viscosity>icacls "C:\Program Files\Viscosity"  
C:\Program Files\Viscosity NT SERVICE\TrustedInstaller:(I)(F)  
<------------Everyone Has Full Permissions  
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)  
NT AUTHORITY\SYSTEM:(I)(F)  
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)  
BUILTIN\Administrators:(I)(F)  
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)  
BUILTIN\Users:(I)(RX)  
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)  
CREATOR OWNER:(I)(OI)(CI)(IO)(F)  
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION  
PACKAGES:(I)(RX)  
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION  
PACKAGES:(I)(OI)(CI)(IO)(GR,GE)  
  
Successfully processed 1 files; Failed processing 0 files  
  
This exploit takes as a parameter an exe file that will replace the  
ViscosityService.exe and will run with full privileges when the  
service/computer is restarted.  
  
  
[#] Vulnerability Disclosure Timeline:  
======================================  
2016-11-28 : Discovery of the Vulnerability  
2016-12-04 : Contact the Vendor (No Response Support Team)  
2016-12-12 : Public Disclosure  
  
[#] Disclaimer:  
===============  
Permission is hereby granted for the redistribution of this advisory,  
provided that it is not altered except by reformatting it, and that due  
credit is given. Permission is explicitly given for insertion in  
vulnerability databases and similar, provided that due credit is given to  
the author.  
The author is not responsible for any misuse of the information contained  
herein and prohibits any malicious use of all security related information  
or exploits by the author or elsewhere.  
`