[CVE-2020–25744] SaferVPN for Windows Arbitrary File Overwrite DoS

Description

2 min readSep 16, 2020

SaferVPN for Windows can be forced to overwrite an arbitrary file. SaferVPN for Windows spawns openvpn.exe which runs with SYSTEM privileges, and the openvpn.exe process creates a log file named xxx_ovpn.log under %USERPROFILE%\AppData\Local\SaferVPN\Log (xxx is the name of the country you are connecting to, for example, Albania_ovpn.log). Since the user has full control over the log folder, it is possible to delete all files under the log folder and create a symbolic link pointing to a high privileged file such as C:\Windows\win.ini. As a result, the contents of the log file created by the openvpn.exe will be overwritten on the high privileged file. Due to the lack of control over the file’s content, the only potential attack vector is denial of service.

Exploitation

Delete files under %USERPROFILE%\AppData\Local\SaferVPN\Log\folder.
Use the CreateSymlink.exe tool from googleprojectzero’s symboliclink-testing-tools to create a symbolic link on %USERPROFILE%\AppData\Local\SaferVPN\Log\Albania_ovpn.log that points to C:\Windows\win.ini. (it should be noted that the name of the log file must be changed according to which country you are connecting to, let’s say if you connect to Austria, it should be named as Austria_ovpn.log)
Click the Connect button in SaferVPN for Windows app.
The C:\Windows\win.ini file will be overwritten with the contents of the log file.

Proof of Concept

The below screenshot shows that the openvpn.exe process reparsing the symbolic link we created when accessing the Albania_ovpn.log file and overwriting the C:\Windows\win.ini file.

Step by step PoC video

Fix

The vendor silently fixed this vulnerability in version 5.0.3.3 by not creating the Albania_ovpn.log file and the entire log folder is moved to C:\ProgramData\Mudhook Marketing, Inc\SaferVPN\Diagnostics\Service with proper permissions set.