A new vulnerability in the VPN service SaferVPN has been disclosed that allows local privilege escalation on Windows systems. The researcher mmht3t discovered the vulnerability and demonstrated the exploit; in brief, the chain works as follows:
- When SaferVPN attempts to connect to a VPN server it spawns the OpenVPN executable in the context of NT AUTHORITY\SYSTEM;
- The VPN then tries to load an openssl.cnf configuration file from a non-existent folder (C:\etc\ssl\openssl.cnf);
- Low-privileged users are able to create folders under C:\ on Windows, so it’s possible for them to create the appropriate path and place a crafted openssl.cnf file in it;
- Once SaferVPN starts OpenVPN, this file can direct OpenSSL to load a malicious engine library, which results in arbitrary code execution as SYSTEM.
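The root cause above is a SYSTEM-level process reading configuration from a path that does not exist and whose parent directory unprivileged users can populate. The following PowerShell script is an added defensive check, not part of the original write-up or of SaferVPN's own tooling: it reports whether the openssl.cnf path named above already exists on the host (nothing legitimate creates it, so its presence is worth investigating) and which low-privilege principals hold create-folder or create-file rights on the nearest existing ancestor directory. The path is taken from the text; the set of "low-privilege" SIDs (Everyone, Authenticated Users, Users) is an assumption chosen for illustration, and the same check can be pointed at any other configuration path a privileged service reads.

```powershell
# Added defensive check (not from the original write-up).
# Assumptions: $ConfigPath comes from the text above; $LowPrivSids is an
# illustrative set of well-known SIDs standing in for "any local user".
$ConfigPath  = 'C:\etc\ssl\openssl.cnf'
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

function Test-ConfigPathPresent {
    param([string]$Path = $ConfigPath)
    # On a clean machine the path should be absent. If it exists, record who
    # owns it and when it was last written so an analyst can triage it.
    if (Test-Path -LiteralPath $Path) {
        $item = Get-Item -LiteralPath $Path
        return [pscustomobject]@{
            Path      = $Path
            Exists    = $true
            Owner     = (Get-Acl -LiteralPath $Path).Owner
            LastWrite = $item.LastWriteTime
        }
    }
    return [pscustomobject]@{ Path = $Path; Exists = $false; Owner = $null; LastWrite = $null }
}

function Get-LowPrivWriteAccess {
    param([Parameter(Mandatory)][string]$Directory)
    # Walk upwards to the first directory that actually exists (C:\ when
    # C:\etc is missing); that is the directory an attacker would have to
    # write into to plant the missing path.
    $probe = $Directory
    while (-not (Test-Path -LiteralPath $probe)) {
        $probe = Split-Path -Path $probe -Parent
    }

    $createDirs  = [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $acl = Get-Acl -LiteralPath $probe

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity; skip it
        if ($LowPrivSids -notcontains $sid) { continue }

        # Cast to int so undefined/generic right bits compare cleanly.
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $createDirs) -ne 0) -or (($rights -band $createFiles) -ne 0)) {
            [pscustomobject]@{
                CheckedDirectory = $probe
                Identity         = $ace.IdentityReference.Value
                Rights           = $ace.FileSystemRights
                Inheritance      = $ace.InheritanceFlags
            }
        }
    }
}

Test-ConfigPathPresent | Format-List
Get-LowPrivWriteAccess -Directory (Split-Path -Path $ConfigPath -Parent) | Format-Table -AutoSize
```

Run it from an elevated prompt so `Get-Acl` can read every ACE. On a stock Windows install the second command lists the Authenticated Users entry on C:\ that grants folder creation, which is exactly the precondition the write-up relies on; a non-empty result from the first command is an indicator that someone has already staged the path and warrants looking at the file's contents and the account that owns it. The durable mitigation lies with the vendor (read configuration only from locations that are not writable by standard users, or from an absolute path under Program Files), but until a fixed build is deployed, administrators can pre-create C:\etc\ssl with an ACL that denies standard users write access so the path can no longer be claimed.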