header-logo
Suggest Exploit
vendor:
OpenVPN Private Tunnel
by:
Sainadh Jamalpur
7.5
CVSS
HIGH
Unquoted service path
426
CWE
Product Name: OpenVPN Private Tunnel
Affected Version From: 2.8.2004
Affected Version To: 2.8.2004
Patch Exists: NO
Related CWE:
CPE: a:openvpn_technologies:privatetunnel:2.8.4
Metasploit:
Other Scripts:
Platforms Tested: Windows 10 64bit
2019

OpenVPN Private Tunnel 2.8.4 – ‘ovpnagent’ Unquoted Service Path

Unquoted service paths in OpenVPN Private Tunnel v2.8.4 have an unquoted service path. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

Mitigation:

Update to the latest version of OpenVPN Private Tunnel. Ensure that service paths are properly quoted to prevent this vulnerability.
Source

Exploit-DB raw data:

# Title: OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path
# Author: Sainadh Jamalpur
# Date: 2019-10-31
# Vendor Homepage: https://openvpn.net/
# Software Link: https://swupdate.openvpn.org/privatetunnel/client/privatetunnel-win-2.8.exe
# Version : PrivateTunnel v2.8.4
# Tested on: Windows 10 64bit(EN)
# CVE : N/A

# =====================================================
# 1. Description:
# Unquoted service paths in OpenVPN Private Tunnel v2.8.4 have an unquoted service path.

#PoC
===========
C:\>sc qc ovpnagent
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ovpnagent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\OpenVPN
Technologies\PrivateTunnel\ovpnagent.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OpenVPN Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>

#Exploit:
============
A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during
application startup or reboot. If successful, the local user's code
would execute with the elevated privileges of the application.

Navigation

Suggest Exploit

Services By CQR