47d2a76f4f
7 changes to exploits/shellcodes OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path Nostromo - Directory Traversal Remote Command Execution (Metasploit) TheJshen contentManagementSystem 1.04 - 'id' SQL Injection ownCloud 10.3.0 stable - Cross-Site Request Forgery Apache Solr 8.2.0 - Remote Code Execution
39 lines
No EOL
1.4 KiB
Text
39 lines
No EOL
1.4 KiB
Text
# Title: OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path
|
|
# Author: Sainadh Jamalpur
|
|
# Date: 2019-10-31
|
|
# Vendor Homepage: https://openvpn.net/
|
|
# Software Link: https://swupdate.openvpn.org/privatetunnel/client/privatetunnel-win-2.8.exe
|
|
# Version : PrivateTunnel v2.8.4
|
|
# Tested on: Windows 10 64bit(EN)
|
|
# CVE : N/A
|
|
|
|
# =====================================================
|
|
# 1. Description:
|
|
# Unquoted service paths in OpenVPN Private Tunnel v2.8.4 have an unquoted service path.
|
|
|
|
#PoC
|
|
===========
|
|
C:\>sc qc ovpnagent
|
|
[SC] QueryServiceConfig SUCCESS
|
|
|
|
SERVICE_NAME: ovpnagent
|
|
TYPE : 10 WIN32_OWN_PROCESS
|
|
START_TYPE : 2 AUTO_START
|
|
ERROR_CONTROL : 1 NORMAL
|
|
BINARY_PATH_NAME : C:\Program Files (x86)\OpenVPN
|
|
Technologies\PrivateTunnel\ovpnagent.exe
|
|
LOAD_ORDER_GROUP :
|
|
TAG : 0
|
|
DISPLAY_NAME : OpenVPN Agent
|
|
DEPENDENCIES :
|
|
SERVICE_START_NAME : LocalSystem
|
|
|
|
C:\>
|
|
|
|
#Exploit:
|
|
============
|
|
A successful attempt would require the local user to be able to insert
|
|
their code in the system root path undetected by the OS or other
|
|
security applications where it could potentially be executed during
|
|
application startup or reboot. If successful, the local user's code
|
|
would execute with the elevated privileges of the application. |