Linux client - Lack of certificate validation leading to RCE

Disclosed by
mmmdspl's avatar
mmmdspl
  • Engagement CyberGhost
  • Disclosed date about 2 years ago
  • Points 40
  • Priority P1 Bugcrowd's VRT priority rating
  • Status Resolved This vulnerability has been accepted and fixed
Summary by CyberGhost

While mmmdspl initially submitted this vulnerability through our Vulnerability Disclosure Program, we immediately recognized the value of his research into our application and wanted to ensure he was rewarded for it so we asked him to submit to our bug bounty program. We greatly appreciate his efforts to identify this remote code execution weakness in our Linux client application.

Summary by mmmdspl

Linux client has two bugs: lack of certificate validation while connecting to wireguard-related API and command injection. Together, successful man-in-the-middle attack can result in code execution on a machine connecting to wireguard.

Activity
  1. Brenton’s avatar
    Brenton Customer published the disclosure report

    ()

  2. Brenton’s avatar
    Brenton Customer sent a message

    ()

  3. mmmdspl’s avatar
    mmmdspl sent a message

    ()

  4. mmmdspl’s avatar
    mmmdspl sent a message

    ()

  5. mmmdspl’s avatar
    mmmdspl sent a message

    ()

  6. Brenton’s avatar
    Brenton Customer sent a message

    ()Edited

  7. mmmdspl’s avatar
    mmmdspl sent a message

    ()

  8. Brenton’s avatar
    Brenton Customer sent a message

    ()

  9. Brenton’s avatar
    Brenton Customer sent a message

    ()

  10. mmmdspl’s avatar
    mmmdspl sent a message

    ()

  11. Brenton’s avatar
    Brenton Customer sent a message

    ()

  12. mmmdspl’s avatar
    mmmdspl sent a message

    ()

  13. Brenton’s avatar
    Brenton Customer sent a message

    ()

  14. mmmdspl’s avatar
    mmmdspl sent a message

    ()

  15. Brenton’s avatar
    Brenton Customer sent a message

    ()

  16. Tim’s avatar
    Tim Customer sent a message

    ()

  17. mmmdspl’s avatar
    mmmdspl requested disclosure

    ()

  18. mmmdspl’s avatar
    mmmdspl sent a message

    ()

  19. Tim’s avatar
    Tim Customer sent a message

    ()

  20. mmmdspl’s avatar
    mmmdspl sent a message

    ()

  21. Tim’s avatar
    Tim Customer sent a message

    ()

  22. Tim’s avatar
    Tim Customer changed the state to Resolved

    ()

  23. Tim’s avatar
    Tim Customer sent a message

    ()

  24. Tim’s avatar
    Tim Customer sent a message

    ()

  25. mmmdspl’s avatar
    mmmdspl sent a message

    ()

  26. Tim’s avatar
    Tim Customer rewarded mmmdspl

    ()

  27. Tim’s avatar
    Tim Customer sent a message

    ()

  28. Tim’s avatar
    Tim Customer changed the state to Unresolved

    ()

  29. Tim’s avatar
    Tim Customer rewarded mmmdspl 40 points

    ()

  30. Brenton’s avatar
    Brenton Customer sent a message

    ()

  31. Brenton’s avatar
    Brenton Customer changed the severity to P1

    ()

  32. Brenton’s avatar
    Brenton Customer changed the state to Triaged

    ()

  33. mmmdspl’s avatar
    mmmdspl created the submission

    ()