Allele Security Alert
ASA-2018-00026
Identifier(s)
ASA-2018-00026, CVE-2018-18857
Title
“anycmd” Privilege Escalation
Vendor(s)
LiquidVPN
Product(s)
LiquidVPN for macOS
Affected version(s)
LiquidVPN 1.37, 1.36 and earlier
Fixed version(s)
Unknown
Proof of concept
Unknown
Description
LiquidVPN installs the helper tool “com.smr.liquidvpn.OVPNHelper” for performing privileged (root) actions. To allow other LiquidVPN components to send messages to the helper tool, it implements an XPC service. Static code analysis showed that the XPC service does not filter incoming messages. This means regular users (local attackers) can craft arbitrary XPC messages and send them to the service.
Technical details
After receiving a message, the service checks for the existence of the “anycmd” parameter:
---
...
__text:00000001000012E8 lea rsi, aAnycmd ; "anycmd"
__text:00000001000012EF mov rdi, r14 ; char *
__text:00000001000012F2 call _strcmp
__text:00000001000012F7 test eax, eax
__text:00000001000012F9 jnz loc_1000016C2
__text:00000001000012FF mov [rbp+var_10A38], r15
__text:0000000100001306 lea rsi, aCommandLine ; "command_line"
__text:000000010000130D mov rdi, rbx
...
__text:0000000100001336 lea rsi, aR ; "r"
__text:000000010000133D mov rdi, r14 ; char *
__text:0000000100001340 call _popen
...
---
If “anycmd” is found, the “command_line” parameter is extracted from the message and directly passed on to a call to popen() as an argument.
The following proof of concept can be used to execute arbitrary system commands:
---
...
xpc_dictionary_set_string(message, "cmd", "anycmd");
xpc_dictionary_set_bool(message, "blocking", FALSE);
xpc_dictionary_set_string(message, "command_line", "[ARBITRARY CMD]");
...
---
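On the mitigation side, the sketch below is an added example, not LiquidVPN code or a vendor fix. It shows a request handler that replaces the "anycmd"/popen() pattern with an allow-list of fixed operations and a validated argument. The operation names, binary paths and the build_argv() helper are hypothetical, and authenticating the XPC peer is a separate control that is not shown.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper operations; names and paths are assumptions. */
struct op {
    const char *name;      /* accepted value of the "cmd" key */
    const char *path;      /* fixed absolute path of the program to run */
    const char *fixed_arg; /* fixed option, or NULL */
    int takes_profile;     /* 1 if one validated client argument follows */
};
static const struct op OPS[] = {
    { "start_vpn", "/usr/local/libexec/examplevpn/openvpn", "--config", 1 },
    { "stop_vpn",  "/usr/local/libexec/examplevpn/stopvpn", NULL,       0 },
};

/* Profile names are limited to 1..32 chars of [A-Za-z0-9_-] and may not
 * start with '-': no path separators, option injection or shell syntax.
 * The helper would join the name to a fixed profile directory (not shown). */
static int valid_profile(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 32 || s[0] == '-') return 0;
    return strspn(s, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "abcdefghijklmnopqrstuvwxyz0123456789_-") == n;
}

/* Map a request to an argv for execv(); the client never supplies the
 * program or a command line. Returns argc, or -1 to reject the request. */
int build_argv(const char *cmd, const char *profile, const char *argv[4])
{
    size_t i;
    int argc = 0;
    if (cmd == NULL) return -1;
    for (i = 0; i < sizeof OPS / sizeof OPS[0]; i++) {
        if (strcmp(cmd, OPS[i].name) != 0) continue;
        argv[argc++] = OPS[i].path;
        if (OPS[i].fixed_arg) argv[argc++] = OPS[i].fixed_arg;
        if (OPS[i].takes_profile) {
            if (!valid_profile(profile)) return -1;
            argv[argc++] = profile;
        } else if (profile != NULL) {
            return -1; /* unexpected argument */
        }
        argv[argc] = NULL;
        return argc;
    }
    return -1; /* unknown operation, including "anycmd" */
}
```

Because the resulting vector is meant for execv() rather than popen(), no shell ever interprets client-supplied text.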
Credits
Bernd Leitner
Reference(s)
Multiple Privilege Escalation Vulnerabilities in LiquidVPN for MacOS (CVE-2018-18856, CVE-2018-18857, CVE-2018-18858, CVE-2018-18859)
https://seclists.org/fulldisclosure/2018/Nov/1
CVE-2018-18857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18857
CVE-2018-18857
https://nvd.nist.gov/vuln/detail/CVE-2018-18857
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 1, 2019