Hacking

Privilege Escalation flaw found in Forcepoint VPN Client for Windows

Security researcher Peleg Hadar of SafeBreach Labs discovered a privilege escalation flaw that impacts all versions of Forcepoint VPN Client for Windows except the latest release.

Security expert Peleg Hadar of SafeBreach Labs discovered a privilege escalation vulnerability, tracked as CVE-2019-6145, that affects all versions of VPN Client for Windows except the latest release.

The vulnerability can be exploited by attackers to achieve persistence and evade detection. The experts discovered that the application incorrectly attempts to execute an executable from incorrect locations, allowing an attacker to run its own binaries with NT AUTHORITY\SYSTEM permissions.

In versions of the software lower than 6.6.1 the Forcepoint VPN Client Service (sgvpn.exe) attempt to execute the ‘sgpm.exe‘ executable from the following locations:

"C:\Program.exe"
"C:\Program Files (x86)\Forcepoint\VPN.exe"

The Forcepoint service is signed and starts with the system boot, this means that any injected executable will inherit its permissions and could be executed at boot time.

An attacker with Administrator privileges can implant an arbitrary unsigned executable which is executed by a signed service that runs as NT AUTHORITY\SYSTEM.

“In our exploration, we found that after the Forcepoint VPN Client Service was started, the sgvpn.exe signed process was executed as NT AUTHORITY\SYSTEM.” reads the post published by the expert.

“We noticed an interesting behavior once the service’s process was executed:

“As it can be seen, the service was trying to look for multiple missing EXE files before it found and executed the real executable file (sgpm.exe)”

The attacker can place malware in one of the above locations to get it executed at the system boot.

Hadar also published the result of his PoC in which he compiled an unsigned executable that wrote to a text file the name of the process loading it and the username that executed it.

The expert explained that the root cause of the problem is a quoted string between the path of the executable and the argument that is missing from the command line. The expert discovered that when the overall string is parsed, the space character breaks the path.

“The root cause of this unquoted search path vulnerability happens because the command line doesn’t contain a quoted string between the path of the executable and the argument – so the CreateProcessW function tries to split it by itself each time it parses a space character: continues the post.

“The vulnerability gives attackers the ability to be executed by a signed service. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass”

The expert reported the flaw to Forcepoint on September 5, the company confirmed the issue and addressed it with the release of the Forcepoint VPN Client version 6.6.1.

“There is an unquoted search path vulnerability in Forcepoint VPN Client for Windows versions lower than 6.6.1.” reads the advisory published by Forcepoint. “When the VPN Client starts, usually during the Windows boot sequence, it incorrectly tries to execute programs in the following locations”

Forcepoint also suggests as mitigation to restrict non-administrator users from creating or copying executables to the mentioned paths.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Forcepoint VPN Client, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 45

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

19 hours ago

Security Affairs newsletter Round 524 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

19 hours ago

Experts found rogue devices, including hidden cellular radios, in Chinese-made power inverters used worldwide

Chinese "kill switches" found in Chinese-made power inverters in US solar farm equipment that could…

22 hours ago

US Government officials targeted with texts and AI-generated deepfake voice messages impersonating senior U.S. officials

FBI warns ex-officials are targeted with deepfake texts and AI voice messages impersonating senior U.S.…

2 days ago

Shields up US retailers. Scattered Spider threat actors can target them

Google warns that the cybercrime group Scattered Spider behind UK retailer attacks is now targeting…

2 days ago

U.S. CISA adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog<gwmw style="display:none;"></gwmw>

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium, DrayTek routers, and SAP NetWeaver…

2 days ago