Contributor: wolfthefallen
Technical Analysis
Research of OpenVPN Connect 3.1.0.361 dll drop “Privilege Escalation”
This vulnerability is stated to be a privilege escalation vulnerability. Unfortunately, the dropped DLL, drvstore.dll in C:\ProgramData\OpenVPN Connect\drivers\tap\amd64\win10, is only executed when the openvpn-connect-3.1.0.361_signed.msi is run to install OpenVPN Connect. Due to the most common settings of Windows, you already have to have administrative privileges to install applications, so this gets downgraded pretty heavily in usability as a privilege escalation. In addition, I can see it used as a one-time method to get your initial shell, as a unique way to run your malicious DLL. This would bypass the general monitoring methods for launching a malicious DLL on a box. Unfortunately, to use this method again you will have to uninstall OpenVPN Connect and then reinstall it. On the bright side, you will not have to drop the evil DLL again after the uninstallation of OpenVPN Connect.
You can run the MSI silently from an administrator command line with:
msiexec.exe /i openvpn-connect-3.1.0.361_signed.msi /qn
Information:
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9442
Public Release: https://github.com/hessandrew/CVE-2020-9442
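The analysis above hinges on a DLL being staged in a ProgramData path before an administrator runs the installer. The following PowerShell audit is an added example written for this page; it is not part of wolfthefallen's analysis or of the OpenVPN project. It uses only the directory and file name given in the write-up, checks whether a drvstore.dll is already present and whether it carries a valid Authenticode signature, reports which non-administrator principals can write to the staging directory (or to C:\ProgramData if the directory does not exist yet), and, on the assumption that Sysmon with image-load logging (Event ID 7) is deployed, looks for msiexec.exe loading a DLL from that path. The Sysmon section is an assumption about the host's telemetry, not something the write-up states.

```powershell
# Added example, not from the original analysis: audit the OpenVPN Connect TAP
# driver staging directory for a pre-planted drvstore.dll and for weak ACLs.

$dir = 'C:\ProgramData\OpenVPN Connect\drivers\tap\amd64\win10'   # path from the write-up
$dll = Join-Path -Path $dir -ChildPath 'drvstore.dll'

# 1. Is a drvstore.dll already present, and is it signed by a trusted publisher?
if (Test-Path -LiteralPath $dll) {
    $sig  = Get-AuthenticodeSignature -FilePath $dll
    $hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path            = $dll
        SignatureStatus = $sig.Status                       # 'Valid' is the expected state
        Signer          = $sig.SignerCertificate.Subject    # $null when unsigned
        SHA256          = $hash
        LastWrite       = (Get-Item -LiteralPath $dll).LastWriteTime
    }
    if ($sig.Status -ne 'Valid') {
        Write-Warning "drvstore.dll at $dll is not validly signed; treat as suspect before installing."
    }
} else {
    Write-Output "No drvstore.dll present in $dir"
}

# 2. Which non-admin principals can write to the staging directory?
#    ProgramData is writable by Authenticated Users by default, which is what
#    makes a pre-installation drop by a standard user possible.
$target = if (Test-Path -LiteralPath $dir) { $dir } else { 'C:\ProgramData' }
$acl = Get-Acl -Path $target
$weak = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles' -and
    $_.IdentityReference -match 'Users|Everyone|Authenticated Users'
}
if ($weak) {
    Write-Output "Write access on $target for non-administrators:"
    $weak | Select-Object IdentityReference, FileSystemRights, IsInherited
} else {
    Write-Output "No broad write access found on $target"
}

# 3. Assumption: Sysmon is installed with image-load logging enabled (Event ID 7).
#    Look for msiexec.exe loading anything from the staging directory.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } `
                       -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match [regex]::Escape($dir) -and $_.Message -match 'msiexec\.exe' }
if ($events) {
    $events | Select-Object TimeCreated, Message
} else {
    Write-Output "No Sysmon image-load events from $dir by msiexec.exe (or Sysmon not present)."
}
```

Run it from an elevated prompt before installing OpenVPN Connect; an unsigned or unexpected drvstore.dll in that directory, or a directory writable by standard users, is the condition the write-up describes, and step 3 gives a retrospective check if the installer has already been run on the host.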