When SaferVPN attempts to connect to a VPN server, it spawns openvpn.exe (C:\Program Files (x86)\SaferVPN for Windows\bin\openvpn.exe) in the context of NT AUTHORITY\SYSTEM. On start-up, the OpenSSL library inside openvpn.exe tries to load its configuration file from C:\etc\ssl\openssl.cnf, a path that does not exist on a default Windows installation. Because a low-privileged user is allowed to create folders directly under C:\, the user can create C:\etc\ssl and place a crafted openssl.cnf in it. The next time openvpn.exe starts, OpenSSL parses that file, and an engine section in it that points at an attacker-controlled engine library causes that DLL to be loaded into the SYSTEM process, resulting in arbitrary code execution as SYSTEM.
SaferVPN had not fixed this vulnerability even after the 90-day disclosure…
SaferVPN for Windows can also be forced to overwrite an arbitrary file. The openvpn.exe process that SaferVPN spawns with SYSTEM privileges writes a log file into %USERPROFILE%\AppData\Local\SaferVPN\Log, named after the country you are connecting to (for example, Albania_ovpn.log). Since the user has full control over the log folder, it is possible to delete all files under it and create, under the expected log-file name, a symbolic link pointing to a file that only a privileged account should be able to write, such as C:\Windows\win.ini. When openvpn.exe opens its log file as SYSTEM it follows the link, so the contents of the log file created by openvpn.exe will be overwritten on the…

Note that creating an NTFS symbolic link normally requires SeCreateSymbolicLinkPrivilege (or Developer Mode on Windows 10); from a standard account the same redirection is usually obtained with an NTFS mount point combined with an object-manager symbolic link, which needs no special privilege.
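As an added check (not code from the advisory or from SaferVPN), the following PowerShell script audits a host for the preconditions of both issues described above: whether a standard user can create folders directly under C:\, whether C:\etc\ssl\openssl.cnf already exists and which engine library its `dynamic_path` key names, and whether the SaferVPN log folder grants an identity in the current token Modify or FullControl rights or already contains a reparse point where a log file should be. The paths are the ones named above; the group names it tests and the default ACL on C:\ are assumptions about a default Windows install.

```powershell
# Added audit script (not part of the advisory or of SaferVPN). Checks the
# preconditions of both issues described above on the current host.
# Assumptions: the default SaferVPN paths named in the advisory, and the
# default Windows ACL on C:\ (BUILTIN\Users may create folders there).

function Invoke-SaferVpnPreconditionAudit {
    $findings = @()
    $cnfPath  = 'C:\etc\ssl\openssl.cnf'            # hijacked OpenSSL config path
    $logDir   = Join-Path $env:USERPROFILE 'AppData\Local\SaferVPN\Log'
    $fsr      = [System.Security.AccessControl.FileSystemRights]

    # --- Issue 1: openssl.cnf hijack -------------------------------------

    # Can an unprivileged group create folders directly under C:\?
    # CreateDirectories (== AppendData on a directory) is the right that lets
    # a standard user stage C:\etc\ssl.
    $lowPrivGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    foreach ($ace in (Get-Acl -LiteralPath 'C:\').Access) {
        $isLowPriv = $ace.IdentityReference.Value -in $lowPrivGroups
        $canMkdir  = ([int]$ace.FileSystemRights -band [int]$fsr::CreateDirectories) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isLowPriv -and $canMkdir) {
            $findings += "C:\ allows $($ace.IdentityReference) to create folders; C:\etc\ssl can be staged by a standard user"
        }
    }

    # Does the hijack path already exist? If so, report its owner and any
    # engine library it references. In openssl.cnf an engine section names
    # its DLL with 'dynamic_path = <path>', so that key is the indicator.
    if (Test-Path -LiteralPath $cnfPath) {
        $owner = (Get-Acl -LiteralPath $cnfPath).Owner
        $findings += "$cnfPath exists (owner: $owner) and will be parsed by OpenSSL inside openvpn.exe running as SYSTEM"
        foreach ($line in (Get-Content -LiteralPath $cnfPath)) {
            if ($line -match '^\s*dynamic_path\s*=\s*(.+?)\s*$') {
                $findings += "  openssl.cnf loads engine library: $($Matches[1])"
            }
        }
    }

    # --- Issue 2: log-file symlink overwrite -----------------------------

    if (Test-Path -LiteralPath $logDir) {
        # Which identities in the current token get Modify/FullControl on the
        # log folder? Those rights are what let the user delete the logs and
        # plant a link in their place.
        $me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $tokenSids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
        foreach ($ace in (Get-Acl -LiteralPath $logDir).Access) {
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable/orphaned account, skip it
            if ($ace.AccessControlType -eq 'Allow' -and $tokenSids -contains $sid -and
                $ace.FileSystemRights.ToString() -match 'FullControl|Modify') {
                $findings += "$logDir grants $($ace.FileSystemRights) to $($ace.IdentityReference) (present in the current token)"
            }
        }

        # Any entry in the log folder that is a reparse point (symlink, mount
        # point) means openvpn.exe, as SYSTEM, would write through it.
        foreach ($entry in (Get-ChildItem -LiteralPath $logDir -Force)) {
            if (($entry.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) {
                $findings += "reparse point in log folder: $($entry.FullName) [$($entry.LinkType)] -> $($entry.Target)"
            }
        }
    } else {
        $findings += "$logDir not found (SaferVPN not installed for this user, or never connected)"
    }

    return $findings
}

Invoke-SaferVpnPreconditionAudit | ForEach-Object { Write-Output $_ }
```

Run it from the standard (non-administrator) account whose profile holds the SaferVPN log folder, since the token check is only meaningful for that user. An existing C:\etc\ssl\openssl.cnf or a reparse point in the log folder is a strong indicator that the condition has already been staged, not merely that the host is exposed.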