ASA-2018-00043 – SwitchVPN: Excessive permissions for application configuration allow privilege escalation


Allele Security Alert

ASA-2018-00043

Identifier(s)

ASA-2018-00043, CVE-2018-18860

Title

Excessive permissions for application configuration allow privilege escalation

Vendor(s)

SwitchVPN

Product(s)

SwitchVPN for macOS

Affected version(s)

SwitchVPN 2.1012.03

Fixed version(s)

Unknown

Proof of concept

Unknown

Description

After installation or an update, the script “fix_permissions.sh” is run by the application. This script changes the owner of the main application binaries to root and sets them to world-writable. Additionally, the SUID bit is set for another sensitive binary in the application folder. This configuration makes it very easy to escalate privileges to root.

The script /Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS/SwitchVPN_GUI is world-writeable after installation or an update and is later executed by a privilege process. Overwriting its content, because it is world-writeable, allows an attacker to perform escalation of privileges.

Technical details

Unknown

Credits

Bernd Leitner

Reference(s)

SwitchVPN MacOS Privilege Escalation Vulnerability
https://seclists.org/fulldisclosure/2018/Nov/38

CVE-2018-18860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18860

CVE-2018-18860
https://nvd.nist.gov/vuln/detail/CVE-2018-18860

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 6, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.