Allele Security Alert
ASA-2018-00028
Identifier(s)
ASA-2018-00028, CVE-2018-18858
Title
OS Command Injection
Vendor(s)
LiquidVPN
Product(s)
LiquidVPN for macOS
Affected version(s)
LiquidVPN 1.37, 1.36 and earlier
Fixed version(s)
Unknown
Proof of concept
Unknown
Description
LiquidVPN installs the helper tool “com.smr.liquidvpn.OVPNHelper” for performing privileged (root) actions. In order to allow other LiquidVPN components to send messages to the helper tool, it implements an XPC service. Static code analysis showed that the XPC service does not filter incoming messages. This means that regular users (local attackers) can craft arbitrary XPC messages and send them to the service.
Technical details
If the service detects the “openvpn” parameter in a message, it also checks whether the parameters “tun_path” or “tap_path” exist. If one of them (or both) is found, the values are used as source paths for a copy process that is carried out via the system() function. However, the paths are not sanitized before being passed to system():
---
...
__text:00000001000013CD lea rsi, aPathTun ; "path_tun"
__text:00000001000013D4 mov rdi, rbx
__text:00000001000013D7 call _xpc_dictionary_get_string
__text:00000001000013DC mov r14, rax
__text:00000001000013DF lea rsi, aPathTap ; "path_tap"
__text:00000001000013E6 mov rdi, rbx
__text:00000001000013E9 call _xpc_dictionary_get_string
...
__text:000000010000143F call _strcat
__text:0000000100001444 mov rdi, rbx ; char *
__text:0000000100001447 call _strlen
...
__text:0000000100001497 mov rdi, rbx ; char *
__text:000000010000149A call _system
...
---
The following proof of concept can be used to execute arbitrary system commands:
---
...
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "path_tun", "/tmp/__dummy00_;[ARBITRARY CMD]");
...
---
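As an added example (not LiquidVPN's code; ALLOWED_PREFIX is an assumed directory chosen for illustration), this is the hardened pattern a privileged helper should follow instead of the strcat/system() sequence above: validate the XPC-supplied path against an allow-list and perform the copy with stdio, so no shell ever interprets the value and a ';' in it cannot start a second command.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not LiquidVPN's code. The helper's defect is handing an
 * XPC-supplied string to system(), where ';' begins a second command. The
 * fix: allow-list the value, then copy without any shell. ALLOWED_PREFIX
 * is a hypothetical location chosen for this example. */
#define ALLOWED_PREFIX "/Library/LiquidVPN/"

/* 1 if path is absolute, under ALLOWED_PREFIX, free of "..", and built only
 * from [A-Za-z0-9/._-]; 0 otherwise. ';', '|', '$', '`', quotes and spaces
 * therefore never reach the copy routine. */
int path_is_allowed(const char *path) {
    if (path == NULL || path[0] != '/')
        return 0;
    if (strncmp(path, ALLOWED_PREFIX, strlen(ALLOWED_PREFIX)) != 0)
        return 0;
    if (strstr(path, "..") != NULL)
        return 0;
    for (const char *p = path; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && strchr("/._-", *p) == NULL)
            return 0;
    return 1;
}

/* Copies src to dst with stdio only, so the path is a filename and nothing
 * else. Returns 0 on success, -1 on failure (including a rejected src). */
int copy_file_noshell(const char *src, const char *dst) {
    if (!path_is_allowed(src))
        return -1;
    FILE *in = fopen(src, "rb");
    if (in == NULL)
        return -1;
    FILE *out = fopen(dst, "wb");
    if (out == NULL) { fclose(in); return -1; }
    char buf[4096];
    size_t n;
    int rc = 0;
    while ((n = fread(buf, 1, sizeof buf, in)) > 0)
        if (fwrite(buf, 1, n, out) != n) { rc = -1; break; }
    if (ferror(in))
        rc = -1;
    fclose(in);
    if (fclose(out) != 0)
        rc = -1;
    return rc;
}
```

The advisory's own injection string ("/tmp/__dummy00_;[ARBITRARY CMD]") fails path_is_allowed() on three counts at once: wrong prefix, a ';' and a space.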
Credits
Bernd Leitner
Reference(s)
Multiple Privilege Escalation Vulnerabilities in LiquidVPN for MacOS (CVE-2018-18856, CVE-2018-18857, CVE-2018-18858, CVE-2018-18859)
https://seclists.org/fulldisclosure/2018/Nov/1
CVE-2018-18858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18858
CVE-2018-18858
https://nvd.nist.gov/vuln/detail/CVE-2018-18858
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 1, 2019