IVPN Client runs as SYSTEM process.
It’s main role is starting
Standard user cannot change path and executable which points to
But he can write to
openvpn.conf using service.
Service reads data from socket, parse it and save to
GenerateConfiguration method there is bug which leads to comand injection:
We can use this for Privilege Escalation because of
--up switch from
Proof of Concept:
This will create:
- 14-01-2017: Discovered
- 14-01-2017: Vendor notified
- 16-01-2017: Version 2.6.2 released, issue resolved