A new vulnerability in the VPN service SaferVPN is discovered that could allow for local privilege escalation on Windows systems. The researcher mmht3t disovered this vulnerability and briefly exploited as below:
- When SaferVPN attempts to connect to a VPN server it spawns the OpenVPN executable in the context of NT AUTHORITY\SYSTEM;
- The VPN then tries to load an openssl.cnf configuration file from a non-existing folder (C:\etc\ssl\openssl.cnf);
- This will allow a low-privileged users is able to create folders under C:\ on Windows, and it’s possible for them to create the appropriate path and place a crafted openssl.cnf file in it;
- Once OpenVPN starts in SaferVPN, this file can load a malicious OpenSSL engine library which results in arbitrary code execution as SYSTEM.
About the Author
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
