Allele Security Alert
ASA-2018-00027
Identifier(s)
ASA-2018-00027, CVE-2018-18856
Title
“openvpncmd” Privilege Escalation
Vendor(s)
LiquidVPN
Product(s)
LiquidVPN for macOS
Affected version(s)
LiquidVPN 1.37, 1.36 and earlier
Fixed version(s)
Unknown
Proof of concept
Unknown
Description
LiquidVPN installs the helper tool “com.smr.liquidvpn.OVPNHelper” for performing privileged (root) actions. In order to allow other LiquidVPN components to send messages to the helper tool, it implements an XPC service. Static code analysis showed, that the XPC service does not filter incoming messages. This means, regular users (local attackers) can craft arbitrary XPC messages and send them to the service.
Technical details
The service checks if the “openvpn” parameter exists. If it does, the “openvpncmd” parameter is extracted and passed on to a system() call as an argument:
--- ... __text:00000001000013F1 lea rsi, aOpenvpncmd ;"openvpncmd" __text:00000001000013F8 mov rdi, rbx __text:00000001000013FB call _xpc_dictionary_get_string ... __text:000000010000166A mov rdi, r15 ; char * __text:000000010000166D call _system __text:0000000100001672 lea rsi, aReply ; "reply" __text:0000000100001679 lea rdx, aOpenvpnCommand ;"openvpn command executed (ver 3)" __text:0000000100001680 mov rdi, r12 __text:0000000100001683 call _xpc_dictionary_set_string ... ---
The following proof of concept can be used to execute arbitrary system commands:
--- ... xpc_dictionary_set_string(message, "cmd", "openvpn"); xpc_dictionary_set_string(message, "openvpncmd", "[ARBITRARY CMD]"); ... ---
Credits
Bernd Leitner
Reference(s)
Multiple Privilege Escalation Vulnerabilities in LiquidVPN for MacOS (CVE-2018-18856, CVE-2018-18857, CVE-2018-18858, CVE-2018-18859)
https://seclists.org/fulldisclosure/2018/Nov/1
CVE-2018-18856
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18856
CVE-2018-18856
https://nvd.nist.gov/vuln/detail/CVE-2018-18856
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 1, 2019