Skip to content

OpenVPN Connect for Windows (MSI) - 3.1.0.361 - Privilege Escalation

Notifications You must be signed in to change notification settings

hessandrew/CVE-2020-9442

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 

Repository files navigation

Exploit Title: OpenVPN Connect for Windows (MSI) - 3.1.0.361 - Privilege Escalation

Date: 2020-02-28
Author: Andrew Hess
Software Link: https://openvpn.net/client-connect-vpn-for-windows/
Version: 3.1.0.361 (MSI)
CVE: CVE-2020-9442

History

2019.12.15 - Vulnerability discovered
2019.12.15 - Initial contact with the vendor
2020.01.xx - Vendor Patch - 3.1.1 (378) beta

Release notes for 3.1.1 (378) beta

Implemented a fix for a security issue related to the location of installation files

Software description

This is the official OpenVPN Connect client software for Windows workstation platforms developed and maintained by OpenVPN Inc. This is the recommended client program for the OpenVPN Access Server to enable VPN for Windows. The latest version of OpenVPN for Windows is available on our website.

If you have an OpenVPN Access Server, it is recommended to download the OpenVPN Connect client software directly from your own Access Server, as it will then come pre configured for use for VPN for Windows. The version available here contains no configuration to make a connection, although it can be used to update an existing installation and retain settings.

Exploit description

The permissive folder permission in "C:\ProgramData\OpenVPN Connect" allows an attacker without admin rights to place a malicious DLL next to tapinstall.exe. As soon as OpenVPN client is installed or upgraded, the malicious DLL is loaded by tapinstall and the shellcode is executed.

DLLs searched by tapinstall:

DEVRTL.dll SPINF.dll drvstore.dll DEVOBJ.dll newdev.dll VCRUNTIME140.dll

Steps To Reproduce

  • Drop a malicious drvstore.dll in C:\ProgramData\OpenVPN Connect\drivers\tap\amd64\win10
  • Install openvpn-connect-3.1.0.361_signed.msi
  • Shellcode is executed with the SYSTEM account

Impact

A possible attacker obtains system privileges

About

OpenVPN Connect for Windows (MSI) - 3.1.0.361 - Privilege Escalation

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published