CVE-2018-4008: TALOS-2018-0677 || Cisco Talos Intelligence Group

Summary

An exploitable privilege escalation vulnerability exists in the Shimo VPN 4.1.5.1 helper service in the RunVpncScript command. The command takes a user-supplied script argument and executes it under root context. A user with local access can use this vulnerability to raise their privileges to root. An attacker would need local access to the machine to successfully exploit this bug.

Tested Versions

Shimo VPN 4.1.5.1

Product URLs

https://www.shimovpn.com/

CVSSv3 Score

9.3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-19: Improper Input Validation

Details

Shimo VPN is a VPN client for Mac OSX used to connect to multiple VPN accounts in one place. The application uses what is defined as a “Helper Tool” to do some of the privileged work on its behalf. The helper tool is installed as root when the application is first installed and is a LaunchD daemon, meaning it will be restarted if it is killed. The service listens using:

v3 = objc_msgSend(&OBJC_CLASS___NSXPCListener, "alloc");
v4 = objc_msgSend(v3, "initWithMachServiceName:", CFSTR("com.feingeist.shimo.helper"));

The second argument registers the string passed in as a service and tells it to begin listening. The service can then be connected to using Objective-C XPC calls. A similar section of code needs to be execute to connect a client to this service.

 v8 = objc_msgSend(v7, "initWithMachServiceName:options:", CFSTR("com.feingeist.shimo.helper"), 4096LL); [1]
  v11 = objc_msgSend(
          &OBJC_CLASS___NSXPCInterface,
          "interfaceWithProtocol:",
          &OBJC_PROTOCOL___ShimoHelperToolProtocol);                                                      [2]

At [1], the same call as the one above is used, except this time, the options variable is used to signify that the client is connecting rather than listening. At [2], a special protocol is passed in that defines all the functions available to the client. The server must have the same protocol defined in order for these calls to work. We can begin to see the vulnerabilities arise by looking at the protocol.

The first function in the provided protocol is called runVpncScript:withReason:withReply. The relevant code is shown below.

  v9 = objc_msgSend(arg_2, "UTF8String");                                      
  v11 = objc_msgSend(arg_4, "UTF8String"); 
  syslog(5, "Running vpnc script '%s' in helper with reason '%s'.", v9, v11);  [3]

  LOBYTE(v9) = objc_msgSend(v13, "fileExistsAtPath:", v43);
  if ( v9 )
  {
    
    (objc_msgSend)(v28, "setObject:forKeyedSubscript:", v42, CFSTR("reason"));
    (objc_msgSend)(v20, "setEnvironment:", v28);
    (objc_msgSend)(v20, "launch");                                             [4]
    (objc_msgSend)(v20, "waitUntilExit");
    v29 = v40;
    if ( (objc_msgSend)(v20, "terminationStatus") )
    {
      v30 = objc_msgSend(
              &OBJC_CLASS___NSError,
              "errorWithShimoErrorCode:withMessage:",
              72LL,
              CFSTR("Could not run vpnc script."));
      v31 = objc_retainAutoreleasedReturnValue(v30);
      objc_release(v40);
      v29 = v31;

Location [3] shows two passed-in arguments being used in a logging function and the log states the first one will be the location of the script to be executed. At location [4], this script is launched and the contents are executed as the root user. There are no validation checks to the owner or path of this file and thus any file can be passed in and be executed as root, creating a privilege escalation situation.

Timeline

2018-09-21 - Vendor Disclosure
2018-09-22 - Vendor acknowledged and gave main developer contact
2018-09-26 - Reports sent to main developer
2018-10-08 - First follow up
2018-11-09 - 2nd follow up
2018-12-04 - 3rd follow up
2019-03-14 - Final follow up for public disclosure
2019-04-15 - Zero day/Public release

Discovered by Tyler Bohan of Cisco Talos.