Headline
CVE-2018-4007: TALOS-2018-0676 || Cisco Talos Intelligence Group
An exploitable privilege escalation vulnerability exists in the Shimo VPN 4.1.5.1 helper service in the deleteConfig functionality. The program is able to delete any protected file on the system. An attacker would need local access to the machine to successfully exploit the bug.
Summary
An exploitable privilege escalation vulnerability exists in the Shimo VPN 4.1.5.1 helper service in the deleteConfig functionality. The program is able to delete any protected file on the system. An attacker would need local access to the machine to successfully exploit the bug.
Tested Versions
Shimo VPN 4.1.5.1
Product URLs
https://www.shimovpn.com/
CVSSv3 Score
9.0 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
CWE
CWE-19: Improper Input Validation
Details
Shimo VPN is a VPN client for Mac OSX used to connect to and manage multiple VPN accounts in one place. The application uses what is defined as a “Helper Tool” to do some of the privileged work on its behalf. The helper tool is installed as root when the application is first installed and is a LaunchD daemon, meaning it will be restarted if it is killed. The service listens using:
v3 = objc_msgSend(&OBJC_CLASS___NSXPCListener, "alloc");
v4 = objc_msgSend(v3, "initWithMachServiceName:", CFSTR("com.feingeist.shimo.helper"));
The second argument registers the string passed in as a service and tells it to begin listening. The service can then be connected to via Objective-C XPC calls. A similar section of code needs to be executed to connect ta client to this service.
v8 = objc_msgSend(v7, "initWithMachServiceName:options:", CFSTR("com.feingeist.shimo.helper"), 4096LL); [1]
v11 = objc_msgSend(
&OBJC_CLASS___NSXPCInterface,
"interfaceWithProtocol:",
&OBJC_PROTOCOL___ShimoHelperToolProtocol); [2]
At [1], the same call as above is used except this time the options variable is used to signify that the client is connecting rather than listening. At [2], a special protocol is passed in that defines all the functions available to the client. The server must have the same protocol defined in order for these calls to work. Looking at the protocol we can begin to see the vulnerabilities arise.
The vulnerable function is deleteConfigAtPath:withReply. This function takes a script path location as an argument and subsequently goes on to delete it with no privilege checks. The code is shown below.
v8 = objc_msgSend(v7, "fileExistsAtPath:", arg_3); [3]
if ( v8 )
{
objc_msgSend(v10, "removeItemAtPath:error:", arg_3, &error); [4]
}
A file path is passed in and checked for existence at location [3]. If it does exist it is deleted at [4]. This daemon runs as root and can delete any file on the system so when called by a non-privileged account, this crosses a privilege boundary and creates a privilege escalation vulnerability.
Timeline
2018-09-21 - Vendor Disclosure
2018-09-22 - Vendor acknowledged and gave main developer contact
2018-09-26 - Reports sent to main developer
2018-10-08 - First follow up
2018-11-09 - 2nd follow up
2018-12-04 - 3rd follow up
2019-03-14 - Final follow up for public disclosure
2019-04-15 - Zero day/Public release