Talos Vulnerability Report

TALOS-2018-0676

Shimo VPN helper tool deleteConfig denial-of-service vulnerability

April 15, 2019
CVE Number

CVE-2018-4007

Summary

An exploitable privilege escalation vulnerability exists in the Shimo VPN 4.1.5.1 helper service in the deleteConfig functionality. The program is able to delete any protected file on the system. An attacker would need local access to the machine to successfully exploit the bug.

Tested Versions

Shimo VPN 4.1.5.1

Product URLs

https://www.shimovpn.com/

CVSSv3 Score

9.0 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

CWE

CWE-19: Improper Input Validation

Details

Shimo VPN is a VPN client for Mac OSX used to connect to and manage multiple VPN accounts in one place. The application uses what is defined as a "Helper Tool" to do some of the privileged work on its behalf. The helper tool is installed as root when the application is first installed and is a LaunchD daemon, meaning it will be restarted if it is killed. The service listens using:

v3 = objc_msgSend(&OBJC_CLASS___NSXPCListener, "alloc");
v4 = objc_msgSend(v3, "initWithMachServiceName:", CFSTR("com.feingeist.shimo.helper"));

The second argument registers the string passed in as a service and tells it to begin listening. The service can then be connected to via Objective-C XPC calls. A similar section of code needs to be executed to connect ta client to this service.

 v8 = objc_msgSend(v7, "initWithMachServiceName:options:", CFSTR("com.feingeist.shimo.helper"), 4096LL); [1]
  v11 = objc_msgSend(
          &OBJC_CLASS___NSXPCInterface,
          "interfaceWithProtocol:",
          &OBJC_PROTOCOL___ShimoHelperToolProtocol);                                                      [2]

At [1], the same call as above is used except this time the options variable is used to signify that the client is connecting rather than listening. At [2], a special protocol is passed in that defines all the functions available to the client. The server must have the same protocol defined in order for these calls to work. Looking at the protocol we can begin to see the vulnerabilities arise.

The vulnerable function is deleteConfigAtPath:withReply. This function takes a script path location as an argument and subsequently goes on to delete it with no privilege checks. The code is shown below.

  v8 = objc_msgSend(v7, "fileExistsAtPath:", arg_3);             [3]
  if ( v8 )
  {
    objc_msgSend(v10, "removeItemAtPath:error:", arg_3, &error);   [4]
  }

A file path is passed in and checked for existence at location [3]. If it does exist it is deleted at [4]. This daemon runs as root and can delete any file on the system so when called by a non-privileged account, this crosses a privilege boundary and creates a privilege escalation vulnerability.

Timeline

2018-09-21 - Vendor Disclosure
2018-09-22 - Vendor acknowledged and gave main developer contact
2018-09-26 - Reports sent to main developer
2018-10-08 - First follow up
2018-11-09 - 2nd follow up
2018-12-04 - 3rd follow up
2019-03-14 - Final follow up for public disclosure
2019-04-15 - Zero day/Public release

Credit

Discovered by Tyler Bohan of Cisco Talos