Vulnerability Summary

When SaferVPN attempts to connect to a VPN server, it spawns openvpn.exe (C:\Program Files (x86)\SaferVPN for Windows\bin\openvpn.exe) in the context of NT AUTHORITY\SYSTEM. That process tries to load an openssl.cnf configuration file from a folder that does not exist by default (C:\etc\ssl\openssl.cnf). Because a low-privileged user is allowed to create folders under C:\, that user can create the path and place a crafted openssl.cnf file in it. Once openvpn.exe starts, the openssl.cnf file loads a malicious OpenSSL engine library, resulting in arbitrary code execution as SYSTEM.
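The two preconditions above (the SYSTEM process reading a config path that does not exist, and non-administrators being able to create that path under C:\) are both checkable from the affected host. The following PowerShell audit is an added example and is not part of the original advisory; it assumes the paths quoted in the summary and PowerShell 5.1 or later, and it only reports what it finds.

```powershell
# Added example (not from the advisory): audit the OpenSSL config path that the
# SYSTEM-level openvpn.exe reads, plus the C:\ ACL that makes it plantable.
$cnfPath = 'C:\etc\ssl\openssl.cnf'   # path named in the advisory
$root    = 'C:\'

# 1. On a clean system this file should not exist at all. If it does, record
#    owner and creation time and surface any engine-loading directives so an
#    analyst can see what the config points at.
if (Test-Path -LiteralPath $cnfPath -PathType Leaf) {
    $item = Get-Item -LiteralPath $cnfPath
    $acl  = Get-Acl  -LiteralPath $cnfPath
    Write-Warning ("Unexpected OpenSSL config present: {0} (owner: {1}, created {2})" -f $cnfPath, $acl.Owner, $item.CreationTime)
    Select-String -LiteralPath $cnfPath -Pattern 'dynamic_path|engines|engine_id' |
        ForEach-Object { Write-Output ("  line {0}: {1}" -f $_.LineNumber, $_.Line.Trim()) }
} else {
    Write-Output "OK: $cnfPath not present"
}

# 2. Check whether low-privileged principals hold "create folders / append data"
#    (FileSystemRights.CreateDirectories) on the drive root. This is the
#    precondition the advisory relies on; it is the Windows default for C:\.
$lowPriv = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')
$rootAcl = Get-Acl -LiteralPath $root
$weak = $rootAcl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights.HasFlag([System.Security.AccessControl.FileSystemRights]::CreateDirectories) -and
    ($_.IdentityReference.Value -in $lowPriv)
}
if ($weak) {
    $who = ($weak.IdentityReference.Value | Select-Object -Unique) -join ', '
    Write-Warning ("Low-privileged principals can create folders under {0}: {1}" -f $root, $who)
} else {
    Write-Output "OK: no low-privileged create-folder rights on $root"
}
```

The ACL check is deliberately narrow: it only matches the three well-known low-privileged groups and the explicit CreateDirectories bit, so entries expressed through generic access masks would need a separate rule. The important finding is the combination: a SYSTEM process consulting a user-creatable path, which is the condition to remove (by having the application use a protected config location) rather than the ACL on C:\ itself.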

SaferVPN does not fix this vulnerability even after a 90-day disclosure…


Description

SaferVPN for Windows can be forced to overwrite an arbitrary file. SaferVPN for Windows spawns openvpn.exe, which runs with SYSTEM privileges, and the openvpn.exe process creates a log file named xxx_ovpn.log under %USERPROFILE%\AppData\Local\SaferVPN\Log (xxx is the name of the country you are connecting to, for example Albania_ovpn.log). Since the user has full control over the log folder, it is possible to delete all files under the log folder and create a symbolic link pointing to a highly privileged file such as C:\Windows\win.ini. As a result, the contents of the log file created by openvpn.exe will be overwritten on the…
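A privileged process writing into a folder the user fully controls is detectable by looking for reparse points (symbolic links or junctions) where only plain log files should be. The following PowerShell check is an added example, not code from the advisory or from SaferVPN; it assumes the log folder path quoted above and PowerShell 5.1 or later, where FileSystemInfo exposes LinkType and Target.

```powershell
# Added example (not from the advisory): flag reparse points in the per-user
# SaferVPN log folder that the SYSTEM-level openvpn.exe writes into.
$logDir = Join-Path $env:LOCALAPPDATA 'SaferVPN\Log'   # %USERPROFILE%\AppData\Local\SaferVPN\Log

if (-not (Test-Path -LiteralPath $logDir -PathType Container)) {
    Write-Output "Log folder not found: $logDir"
    return
}

# A folder that should only ever hold *_ovpn.log files has no legitimate reason
# to contain a symbolic link or junction, so any ReparsePoint attribute is a finding.
$links = Get-ChildItem -LiteralPath $logDir -Force |
    Where-Object { $_.Attributes.HasFlag([System.IO.FileAttributes]::ReparsePoint) }

foreach ($link in $links) {
    $target = $link.Target
    if (-not $target) { $target = '<unresolved>' }
    Write-Warning ("Reparse point in log folder: {0} -> {1} (LinkType: {2})" -f $link.FullName, ($target -join ', '), $link.LinkType)
    # A link into the system directory means the next log write by openvpn.exe
    # would land on a file the user could not otherwise modify.
    if ($target -like 'C:\Windows\*') {
        Write-Warning "  target is under C:\Windows; log output from openvpn.exe would overwrite a system file"
    }
}

if (-not $links) {
    Write-Output "OK: no reparse points in $logDir"
}
```

Run it in the context of the user whose profile holds the log folder, since the path is per-user. The durable fix is on the application side (logging from the privileged process to a location the user cannot control, or opening the log with a handle that refuses reparse points), so this check is a compensating detection rather than a remediation.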

nmht3t
