CVE-2020-9442
Description
OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10, which allows local users to gain privileges by copying a malicious drvstore.dll there.
Ratings
- Attacker Value: Very Low
- Exploitability: High
Technical Analysis
Research of OpenVPN Connect 3.1.0.361 DLL drop "Privilege Escalation"
This vulnerability is stated to be a privilege escalation vulnerability. Unfortunately the dropped DLL of drvstore.dll in C:\ProgramData\OpenVPN Connect\drivers\tap\amd64\win10 is only executed when the openvpn-connect-3.1.0.361_signed.msi is run to install OpenVPN Connect. Due to the most common settings of Windows, you already have to have administrative privileges to install applications. So this gets downgraded pretty heavily for usability as privilege escalation. In addition, I can see it used as a one-time use to get your initial shell as a unique method to run your malicious DLL. This would bypass the general monitoring methods to launch a malicious DLL box. Unfortunately, to use this method again you will have to uninstall OpenVPN Connect and then reinstall. On the bright side, you will not have to drop the evil DLL again after the uninstallation of OpenVPN Connect.
You can run the MSI silently from an administrator command line by using `msiexec.exe /i openvpn-connect-3.1.0.361_signed.msi /qn`
Information:
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9442
Public Release: https://github.com/hessandrew/CVE-2020-9442
Ratings
- Attacker Value: Medium
- Exploitability: High
Technical Analysis
Due to the need to have an upgrade or an install trigger in order for this privesc to work, the value of the exploit to an attacker is decreased. You can drop your .dll and wait for a privileged process to eventually spawn as a result of the exploit, but you might have to wait a long time.
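As an added defender-side check (not from the AttackerKB page, the assessments above, or OpenVPN), this PowerShell audit, run from an administrator session, reports whether the driver directory named in the description grants write access to low-privilege principals and whether a drvstore.dll is already sitting there. The directory path is the one on the page; the principal list, rights mask and function names are my assumptions.

```powershell
# Added audit script for CVE-2020-9442 (not OpenVPN's or the page's own code).
# Reports, it does not change anything.
$Dir = Join-Path $env:ProgramData 'OpenVPN Connect\drivers\tap\amd64\win10'

# Principals that should never hold write rights under a %PROGRAMDATA% driver path (assumed list).
$LowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets a standard user plant or replace a file in the folder.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateFiles)
$GenericWrite = 0x40000000   # GENERIC_WRITE, seen on some inherited ACEs, is not in the enum names

function Test-WeakDriverDirAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output "Not present: $Path"
        return $null
    }
    $weak = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $rights = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        ($LowPriv -contains $_.IdentityReference.Value) -and
        ((($rights -band $WriteMask) -ne 0) -or (($rights -band $GenericWrite) -ne 0))
    }
    foreach ($ace in $weak) {
        Write-Output ("WEAK ACL: {0} has {1} on {2}" -f $ace.IdentityReference, $ace.FileSystemRights, $Path)
    }
    return [bool]$weak
}

function Test-DrvstoreDropped {
    param([string]$Path)
    $dll = Join-Path $Path 'drvstore.dll'
    if (-not (Test-Path -LiteralPath $dll)) { return $false }
    # The description treats a drvstore.dll placed here as malicious, so any file
    # of that name is reported along with its Authenticode status for triage.
    $sig = Get-AuthenticodeSignature -FilePath $dll
    Write-Output ("drvstore.dll present, signature status: {0}" -f $sig.Status)
    return $true
}

$weakAcl = Test-WeakDriverDirAcl -Path $Dir
$dropped = Test-DrvstoreDropped -Path $Dir
if ($weakAcl -and $dropped) { Write-Warning "drvstore.dll found in a user-writable driver directory: investigate" }
```

The script only reports; remediation is to remove the offending ACE (for example with icacls) so that only Administrators and SYSTEM can write to the directory.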
General Information
Vendors
- openvpn
Products
- connect