SwitchVPN for macOS 2.1012.03 Privilege Escalation Vulnerability / Exploit
Discovered: 2018-11-14 | Type: local | Platform: macOS
Vendor description:
-------------------
"By 2015 we were frustrated that the free internet we loved was under threat.
As experts in online security we believed we could solve this problem. So we
came together as a team to make SwitchVPN, a simple and powerful app to keep
the internet free. SwitchVPN is simple. Install it on your phone, tablet or
laptop, then just switch it on to keep the internet free. SwitchVPN is powerful.
Our exclusive VPN Service technology is constantly being upgraded by a dedicated
team of internet security experts."
Source: https://switchvpn.net/
Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, an attacker
can fully compromise a macOS system with an installation of the SwitchVPN
client.
Users are urged to uninstall the SwitchVPN client for macOS until the
issues have been fixed.
After installation or an update, the script "fix_permissions.sh" is run by
the application. This script changes the owner of the main application
binaries to root and makes them world-writable. Additionally, the SUID bit
is set for another sensitive binary in the application folder. This
configuration makes it very easy to escalate privileges to root.
After the installation or update of SwitchVPN, the following script is run:
Static analysis of the "SwitchVPN" binary showed that it runs the
"compose8" SUID root binary. Further analysis showed that "compose8"
subsequently runs the "SwitchVPN_GUI" binary, and since that binary is
world-writable, an attacker can exploit the situation to escalate privileges.
Running the "SwitchVPN" binary from the command line confirms the issue:
============================================================================================
./SwitchVPN
This app (compose8) invoked with args:
/Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS, SwitchVPN
Compose8 will invoke GUI app
/Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS/SwitchVPN_GUI,
SwitchVPN_GUI
============================================================================================
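One way to check an installation for the permission state described above, as an added example that is not part of the original advisory or the vendor's code. The function names are hypothetical, and the owner argument is an assumption added so the check can be tried on constructed files without root:

```shell
#!/bin/sh
# Added audit sketch (not from the advisory). Flags the two conditions the
# advisory describes: world-writable files and SUID files under one directory.
# The owner argument defaults to root; it is a parameter only so the check
# can be exercised on constructed test files without root.

# Files under $1 owned by $2 that any local user may overwrite.
world_writable() {
    find "$1" -type f -user "${2:-root}" -perm -0002 2>/dev/null || true
}

# Files under $1 owned by $2 that run with the owner's privileges (SUID).
suid_files() {
    find "$1" -type f -user "${2:-root}" -perm -4000 2>/dev/null || true
}

# Return status: 0 = clean, 1 = one condition present, 2 = both present,
# i.e. a SUID program sits in a tree whose files anyone can replace.
audit_app_dir() {
    dir=$1
    owner=${2:-root}
    result=0
    ww=$(world_writable "$dir" "$owner")
    su=$(suid_files "$dir" "$owner")
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE: /'
        result=1
    fi
    if [ -n "$su" ]; then
        printf '%s\n' "$su" | sed 's/^/SUID: /'
        result=1
    fi
    if [ -n "$ww" ] && [ -n "$su" ]; then
        echo "CRITICAL: SUID file and world-writable files in the same tree"
        result=2
    fi
    return "$result"
}

# Usage: sh audit.sh /Applications/SwitchVPN
if [ "$#" -gt 0 ]; then
    audit_app_dir "$@"
fi
```

A return status of 2 on the application folder matches the state the advisory reports after "fix_permissions.sh" has run.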
Proof of concept:
-----------------
1) Privilege Escalation Vulnerability
A situation like the one described above provides a wide range of
possibilities for escalating privileges to root. A quick and easy way is to
write the following shell script to "SwitchVPN_GUI":
Copy the shell binary to an attacker-controlled location (e.g. /tmp).
Start the "SwitchVPN.app" as a local, unprivileged user. Afterwards the
execution of /tmp/shell will drop the user/attacker to a root shell:
bash-3.2$ whoami
b
bash-3.2$ ./shell
bash-3.2# whoami
root
============================================================================================
Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable: 2.1012.03.
Earlier versions might be vulnerable as well.
Vendor contact timeline:
------------------------
2018-10-04: Requested security contact via https://switchvpn.net
2018-10-10: Contacted vendor through mark@switchvpn.com
2018-10-17: Requested status update from vendor
2018-10-30: Sent new contact details & public PGP key to mark@switchvpn.com
2018-10-31: Requested status update from vendor
2018-11-12: Informed vendor about advisory release
Solution:
---------
None.
Workaround:
-----------
None.
EOF B. Leitner / @2018