CyberGhost VPN, a popular virtual private network (VPN) solution provider, has recently addressed a command injection vulnerability that could have compromised its Windows users’ systems. The flaw is tracked as CVE-2023-30237 and was discovered by Ceri Coburn, a researcher at the UK-based security firm Pen Test Partners.
Many VPN providers, including CyberGhost, build their products on solutions such as OpenVPN or Wireguard. These products are generally split into an unprivileged UI component and a privileged Windows service running as SYSTEM, with the two communicating over a local channel. If the privileged service does not adequately validate the requests it receives over that channel, the channel becomes a route to elevation of privilege vulnerabilities.
In the case of CyberGhost, this communication occurs over a named pipe called MachineNameCyberGhost8Service, where the machine name refers to the system running the service. Only local privilege escalation would be possible, as the NETWORK principal has a deny ACL set, preventing the pipe from being accessed over the network.
Coburn found that the Dashboard.exe process could be bypassed or replaced, allowing unauthorized access to the pipe. The researcher then investigated the communication protocol and discovered that JSON RPC was used. While the developers had taken proper precautions to prevent arbitrary .NET types from being created during JSON deserialization, Coburn shifted his focus to the callable methods.
The ConnectToVpnServer method, responsible for constructing the command line string fed to openvpn.exe or the Wireguard DLL, proved the most interesting. Despite the developers’ efforts to prevent command line injection, Coburn found a way to abuse the parsing behaviour of the CommandLineToArgvW API, causing CyberGhost to ignore certain arguments and treat them as openvpn argument values rather than argument specifiers.
The payload sent over the named pipe allowed Coburn to gain code execution by leveraging openvpn’s plugin feature. The CVE-2023-30237 vulnerability was addressed in the 8.3.10.10015 version of CyberGhost, released on February 24, 2023. It remains unclear whether the patch was pushed to endpoints running earlier software versions or if customers need to update instances of the software themselves. Users can download updates to the latest version of CyberGhost through the company’s website.
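The underlying defensive lesson is that a privileged service should never let client-supplied text reach a command-line string that openvpn.exe will re-tokenize with CommandLineToArgvW. The following C# sketch is an added example and not CyberGhost’s code: it shows a hardened ConnectToVpnServer-style handler in which option names are fixed in code, each client-supplied value is validated against a strict grammar, and the process is started from an argument list rather than a concatenated string. The request shape, file paths and option set are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Hypothetical RPC request body; field names are assumed, not CyberGhost's.
public sealed class ConnectRequest
{
    public string RemoteHost { get; set; } = "";
    public int RemotePort { get; set; }
    public string Protocol { get; set; } = "";
}

public static class OpenVpnLauncher
{
    // Validate each field on its own with a tight grammar instead of scanning a
    // concatenated command line for "--": a value can never turn into an option.
    static readonly Regex HostRe = new Regex(@"^[A-Za-z0-9.-]{1,253}$", RegexOptions.Compiled);
    static readonly HashSet<string> Protocols = new HashSet<string> { "udp", "tcp" };

    public static IReadOnlyList<string> BuildArgs(ConnectRequest req)
    {
        // Leading '-' is rejected separately because the regex character class allows it.
        if (!HostRe.IsMatch(req.RemoteHost) || req.RemoteHost.StartsWith("-"))
            throw new ArgumentException("invalid remote host");
        if (req.RemotePort < 1 || req.RemotePort > 65535)
            throw new ArgumentException("invalid port");
        if (!Protocols.Contains(req.Protocol))
            throw new ArgumentException("invalid protocol");

        // Option specifiers (--client, --remote, --config) come only from code, so a
        // client cannot introduce options such as --plugin through any value.
        return new List<string>
        {
            "--client",
            "--remote", req.RemoteHost, req.RemotePort.ToString(), req.Protocol,
            "--config", @"C:\ProgramData\ExampleVpn\client.ovpn", // placeholder path
        };
    }

    public static Process Launch(ConnectRequest req)
    {
        var psi = new ProcessStartInfo(@"C:\Program Files\ExampleVpn\openvpn.exe") // placeholder
        {
            UseShellExecute = false,
        };
        // ArgumentList quotes each element so openvpn's CommandLineToArgvW parse
        // yields exactly these tokens; no hand-built command-line string exists.
        foreach (var a in BuildArgs(req)) psi.ArgumentList.Add(a);
        return Process.Start(psi);
    }
}
```

ProcessStartInfo.ArgumentList requires .NET Core 2.1 or later; on older frameworks the same allowlist validation applies, but the service must then own the quoting of each token itself.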
Via: scmagazine