Blog & News

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Title
=====

SCHUTZWERK-SA-2023-002: Local privilege escalation in saConnect/saConnectService by Secadm GmbH - now enthus

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

Not applicable since affected software is not publicly available.

Link
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-002/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-002.txt

Affected products/vendor
========================

Custom OpenVPN client, saConnect/saConnectService by Secadm GmbH - now enthus

Summary
=======

A local privilege escalation in the saConnectService, an OpenVPN-based VPN client, from Secadm GmbH was discovered.
OpenVPN configuration parameters can be set by a low privileged user via a .NET Remoting IPC[0] call served by the saConnectService.
This allows to execute arbitrary commands with the privilege level of the saConnectService through the route-up script of the OpenVPN connection.

Risk
====

An attacker that has access to an account which is fully configured to use the VPN connection through the saConnect application is able to exploit this vulnerability.
It allows an attacker to escalate the privileges to the privilege level of the saConnectService.

Depending on how the saConnectService is configured this may lead to the highest privilege level on the local system (NT Authority\System).  In the scenario where this vulnerability was discovered, it was possible to fully compromise the host system.

An attacker with basic knowledge in C# and understanding of OpenVPN configurations may find this vulnerability with medium to high effort. To find the vulnerabilities, an attacker might need to reverse engineer the C# executables of saConnect and saConnectService using tools like dnSpy[1] or JetBrains dotPeek[2].

To be able to exploit the vulnerability, an attacker needs to understand how the OpenVPN configuration files, namely endpoints.conf and ProxyVPN.conf, are used.  In the standard configuration, neither the file endpoints.conf nor the main OpenVPN configuration file (ProxyVPN.conf) is visible/accessible to a low privileged user.

Description
===========

A company notebook device assessed by SCHUTZWERK for security vulnerabilities was found to contain a local privilege escalation vulnerability in the custom VPN client.
The VPN client, which is part of Secadm GmbH consulting portfolio (Home-Office und Remote Arbeitsplätze)[3], is a convenience software based on OpenVPN which, among other things, automatically detects and connects to the best VPN endpoint based on quality measurements.
The software uses an OpenVPN deamon embedded within saConnectService to establish the connection which is installed as a Windows service.

Through reverse engineering of the .NET based applications saConnect and saConnectService, SCHUTZWERK discovered the .NET Remoting IPC[0] interface which is used to communicate between these two applications.

Understanding the IPC communication
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It showed that saConnect calls the remote functions SetOpenVPNEndpoints and StartOpenVPNServer on the saConnectService via a .NET remoting IPC channel, to configure and start the OpenVPN connection.
Thereby, SetOpenVPNEndpoints writes a configuration string in a file endpoints.conf which is only accessible by higher privileged users.
As seen below, the "endpoints.conf" is used as an additional configuration file ('--config' flag of the OpenVPN command line[4]) in the main OpenVPN configuration file, used by the OpenVPN deamon.

ProxyVPN.conf (main OpenVPN configuration file):
[...]
# remote VPN Server IP / Data
config endpoints.conf
[...]

The intended use of SetOpenVPNEndpoints is to set the best OpenVPN endpoint as a connection target which was evaluated via connection quality measurements within saConnect.

SCHUTZWERK discovered that the configuration string which is sent to SetOpenVPNEndpoints as a parameter is written into the file endpoints.conf without modification or filtering. This allows to set arbitrary configuration parameters that are applied to the main OpenVPN configuration file.

Manipulating the OpenVPN configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By adding two configuration lines (script-security, route-up)[4] that allow calling user-defined scripts it is possible to configure a batch script that executes after successful authentication during the VPN connection.
Through that, code execution in the context of saConnectService can be achieved, if the OpenVPN connection successfully connects to the remote endpoint using the manipulated endpoints.conf.

POC implementation that writes to the endpoints.conf file:
[...]
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.AppendLine("remote <redacted-ip> 445 udp");
stringBuilder.AppendLine("cryptoapicert 'THUMB:<Thumbprint of the certificate in the Windows Certificate System Store>'");

// configuration lines that enable code execution
stringBuilder.AppendLine("script-security 2");
stringBuilder.AppendLine("route-up 'C:\\\\tmp\\\\exec.bat'");

ServiceWrapper.getService().SetOpenVPNEndpoints(stringBuilder.ToString());
[...]

The saConnect application overrides the endpoints.conf file on each connection. To execute the code, a POC application must be developed that performs the steps required to successfully launch the VPN connection.

Path to a one-click PoC exploit
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In order to establish a connection, the POC application first needs to call the StartOpenVPNServer function on saConnectService to start the embedded OpenVPN deamon. Additionally, because the main OpenVPN configuration configured the management-hold[4] flag, which starts OpenVPN in a hibernating state, the PoC needs to call 'hold release' on the OpenVPN management interface[5].
This tells the OpenVPN deamon to start the connection.

As configured in ProxyVPN.conf, the OpenVPN management interface is configured to listen on localhost port 19334 which requires a password to communicate with.

ProxyVPN.conf (main OpenVPN configuration file):
[...]
# Start OpenVPN in a hibernating state, until a client
# of the management interface explicitly starts it.
management-hold

# Enable a TCP server on ip:port to handle
# management functions.  pass is a password file
# or 'stdin' to prompt from console.
;management ip port [pass]
management 127.0.0.1 19334 sa/mgmt-pass.txt
[...]

The password used to authenticate against the OpenVPN management interface was found to be statically compiled into the saConnect binary. This allows to authenticate to the management interface and issue the required 'hold release' command.

With the ability to write arbitrary configuration flags into the endpoints.conf file and to control the OpenVPN management interface, a one-click C# PoC can be created to exploit this vulnerability.

Solution/Mitigation
===================

The vulnerability can be mitigated by introducting a whitelist that limits the configuration parameters passed to the SetOpenVPNEndpoints call in the IPC interface to the ones that are actually needed. This will exclude the configuration parameters (route-up, route-down up, down, script-security...)[4] that can be used to execute scripts in the context of the saConnectService.

Since Secadm GmbH (now enthus) did not provide a version number of the fixed version, please contact entus [6] if you are unsure that you are using the version containing the fix.

Disclosure timeline
===================

2023-05-24: Vulnerability discovered
2023-05-30: Request to the customer to find a contact person at the manufacturer
2023-06-11: Initial contact with manufacturer via customer contact person
2023-06-15: Reply from the manufacturer with a request for more information
2023-06-16: Provision of technical information to trace the security vulnerability
2023-06-26: Inquire with the manufacturer about the current status and plan for patch release
2023-06-28: Bug has been fixed and new version created. Preparation for rollout plan underway
2023-09-14: Contact the manufacturer to find out the status of the customer's patch rollout
2023-09-23: Reply from the customer that rollout completion is planned by the end of September 2023
2023-11-29: Customer informed that rollout of the patch is completed
2024-07-01: Advisory released

Contact/Credits
===============

The vulnerability was discovered during an assessment by Marvin Louis and Moritz Öhrlein of SCHUTZWERK GmbH.

References
==========
[0] https://learn.microsoft.com/de-de/dotnet/api/system.runtime.remoting.channels.ipc?view=netframework-4.8.1
[1] https://github.com/dnSpy/dnSpy
[2] https://www.jetbrains.com/de-de/decompiler/
[3] https://secadm.de/consulting.html
[4] https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
[5] https://openvpn.net/community-resources/management-interface/
[6] https://enthus.de/


Disclaimer
==========

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found at SCHUTZWERK GmbH's website ( https://www.schutzwerk.com ).

Additional information
======================

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmaCwZgaHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrtHog//bq4xaLODG1weyxdjQTsU
P7jPoh0Xgr5goYXQXC5yF8hp7ynPeCqPtCoC+FeDTYDXvpeFenZJRT59ts69TzGY
+fKd/mcxi0T88c+veZilwX+bBzN7UhDvOpnwPjmXG8j6E1Zj05U6VRCgHKxQyyjX
nwr1KhLESgvPkLV8QSkgQb6vzQvoqEMK2Ync0WD895aeH7ZMKLTV04b1LzEMt3UV
4+oVgiL7crG55aRHYYPwgVtluXLanP03QCAORgM/5Wf4WSrvkqlE7PiBpyYI2J6z
+tKBaoIXNXXhfvzeCiyoUTEPDZ21ynXu0LyhiXtJ0wt+U9SKVCAOx3Iw5HP7O0hj
ZlTrtg0waW0SvKMvffvSqjGzJTORtfqjsgPyvkI+4AA4ZKB91jqxdU2dxZxqIhq8
2Y+OVbnGccu2n/Xlf8a8yeRhNPLroJJveO2RlUZ76/au1WEdOmd/hLmkXsWDptAk
8pCCHCE/K8ttXZhxam+xCojpU5Nw5LTAtCxCau0asbEe6NBIOYTTimetaj/Cwxc8
vavxj46yjIoGcePwthdWWqiPp382/rXDCyzAgb8IPvKjK0KC+dykUYISetTxwnQl
iuk6JXNXRJHJCcUTvz7JCQQEh13TdC3jFU+sftTser3VgpK8pdwQbMCytLKNC6Tk
O9PIHbbwpptP4k6VyWkbYys=
=KzSk
-----END PGP SIGNATURE-----