Vulners
Lucene search
Viscosity OpenVPN 2.3 Privilege Escalation Vulnerability
# Title : Viscosity Open VPN 2.3 Privilege Escalation
# Author : Ajay Gowtham aka AJOXR
# Tested on : Windows 10 ( Latest version x64 bit)
# Software : https://www.sparklabs.com/downloads/Viscosity%20Installer.exe
# Vulnerability Description:
# When the Viscosity VPN software is installed a service with name
#ViscosityService is installed.
# The service itself has the right permissions which do not allow to
reconfigure #the binary
# but the path the binary is writable by any authenticated user.
[#] Product & Service Introduction:
===================================
Viscosity makes it easy for users new to VPNs to get started. Its clear and
intuitive interface makes creating, configuring, or importing connections a
snap. Read our detailed "Introduction to VPN" guide for an extensive
introduction to VPNs and how to get started using Viscosity.
[#] Technical Details & Description:
====================================
The application suffers from an unquoted search path issue in the official
Viscosity software. The issue allows authorized but unprivileged local
users to execute arbitrary code with system privileges on the active
system. The attack vector of the issue is local.
[#] Proof of Concept (PoC):
===========================
The issue can be exploited by local attackers with restricted system user
account or network access and without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
-----------------------------------------------POC------------------------------------------
C:\>sc qc ViscosityService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ViscosityService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program
Files\Viscosity\ViscosityService.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Viscosity Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
------------------------------------------------------------------------------------------------------
C:\Program Files\Viscosity>icacls "C:\Program Files\Viscosity"
C:\Program Files\Viscosity NT SERVICE\TrustedInstaller:(I)(F)
<------------Everyone Has Full Permissions
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION
PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION
PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
This exploit takes as a parameter an exe file that will replace the
ViscosityService.exe and will run with full privileges when the
service/computer is restarted.
[#] Vulnerability Disclosure Timeline:
======================================
2016-11-28 : Discovery of the Vulnerability
2016-12-04 : Contact the Vendor (No Response Support Team)
2016-12-12 : Public Disclosure
# 0day.today [2018-02-19] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Dec 2016 00:00Current
7.2High risk
Vulners AI Score7.2