Trivially exploitable privilege escalation to root vulnerability #113
Comments
@koraa Thanks for your solid advice. I will try to fix it.

@yuezk Feel free to ping me any time; I'll be happy to perform a security review of the fix or answer any questions that may arise!

Hi @koraa, below is my understanding, correct me if I'm wrong. Thanks.

That sounds good. I would still disable dbus activation, yes.

Thanks for a really good job, but #113 is unfortunately a showstopper for my organization.

The OpenConnect extension for Gnome doesn't require the root privilege. I will refer to its implementation.

@koraa I moved the configuration to

    ❯ ls -l /etc/gpservice/gp.conf
    -rw-r--r-- 1 root root 423 5月 8 21:42 /etc/gpservice/gp.conf

More details about the configuration can be found at https://github.com/yuezk/GlobalProtect-openconnect/wiki/Configuration. Do you have any concerns about it?

@yuezk That sounds good! Where was it before?

Previously, the extra arguments for OpenConnect were configured in the settings dialog (the values are saved in At the same time, the user can edit

That sounds like a good fix to me!

Fixed in 1.4.3

Does this fix https://nvd.nist.gov/vuln/detail/CVE-2021-45809 ? If yes, it may be worth updating the CVE to indicate that this is fixed in v>1.4.3
@TS-CUBED Yes. Just submitted the request for updating the description. |
The way GlobalProtect-Openconnect is set up enables arbitrary users to execute commands as root:

1. Install the payload; in this case, a demonstration payload installing itself to /usr/bin/GROOT
2. Specify openconnect parameters: --script=/tmp/groot
3. Log into any VPN service

This vulnerability can be executed by any user, even a "nobody" user covertly by sending commands to the com.yuezk.qt.GPService.

This vulnerability can be executed by a user with keyboard access to install a rootkit using the GUI you provided.

This vulnerability can be executed as soon as openconnect-globalprotect is installed; even if the gpservice.service systemd service has not been started as the unit file specifies:

    BusName=com.yuezk.qt.GPService

I had to explicitly mask the service to mitigate the vulnerability. As such, it leaves any host who even has the program installed highly vulnerable; this is the worst case among privilege escalation vulnerabilities.
For a secure-by-default configuration, openconnect-global needs to be updated, so administrator approval is needed to allow specific globalprotect servers or a change in command line parameters.
I propose a root-editable configuration file /etc/openconnect-globalprotect.conf with the following syntax

This entry allows the user karolin to connect to any vpn servers with a domain suffix vpn.cupdev.net and the specified openconnect parameters.

Groups may be specified by prefixing the user with %.

The app could implement a config-editing feature, allowing users to edit the configuration graphically after specifying the administrator password.
I would also suggest disabling systemd dbus activation altogether just to avoid the entire issue of a security bug sticking around even with a stopped unit.
Thank you for all your hard work!
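Added here as a worked example, not code from the GlobalProtect-openconnect project or from this issue: a checker for the root-owned allow-list proposed above, which a privileged service would consult before passing any user-supplied server or openconnect arguments to a root process. The issue does not show the file syntax, so the line format (`<user or %group> <domain suffix> [openconnect args]`), the sample rules and the rule that arguments must match the administrator's list exactly are assumptions.

```python
import shlex
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    principal: str   # a user name, or "%group" for a group (assumed syntax)
    suffix: str      # allowed server domain suffix, e.g. "vpn.cupdev.net"
    args: tuple      # the openconnect arguments this rule permits, exactly

def parse_policy(text):
    """Parse '<user-or-%group> <domain-suffix> [openconnect args...]' lines;
    '#' starts a comment and blank lines are ignored (assumed format)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected '<user> <suffix> [args]'")
        rules.append(Rule(fields[0], fields[1].lower().strip("."), tuple(fields[2:])))
    return rules

def host_matches(server, suffix):
    # Match on a label boundary: a suffix of "vpn.cupdev.net" accepts
    # "gw.vpn.cupdev.net" but not an unrelated "evilvpn.cupdev.net".
    host = server.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def is_allowed(rules, user, groups, server, args):
    """True only if a rule for this user (or one of their groups) covers the
    requested server and the requested arguments are exactly the ones the
    administrator listed. Anything else, e.g. an extra --script=..., is
    refused; the privileged service would check this before spawning."""
    for r in rules:
        if r.principal.startswith("%"):
            principal_ok = r.principal[1:] in groups
        else:
            principal_ok = r.principal == user
        if principal_ok and host_matches(server, r.suffix) and tuple(args) == r.args:
            return True
    return False

# Constructed sample policy (not from the issue); the suffix is the one it names.
POLICY = """\
karolin   vpn.cupdev.net     --protocol=gp
%staff    corp.example.test  --protocol=gp --passwd-on-stdin
"""
RULES = parse_policy(POLICY)
```

The group list passed to `is_allowed` is whatever the service has already resolved for the calling uid; the check deliberately never trusts a group or user name supplied by the client itself.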