Slight race-condition in the Pritunl VPN client leading to a semi-controlled file-write as SYSTEM which could be leveraged into code execution as SYSTEM.

The normal flow for the application was that a user would import an OpenVPN configuration file that would be written into the a folder under the users %APPDATA% folder. Then when the VPN client was told to connect, it would sanitize the configuration, ensuring no sensitive directives were used. It would write this santiized configuration into its %PROGRAMDATA% directory and then provide it to the openvpn client.

The problem being that any user could write to the %PROGRAMDATA% folder and race the OpenVPN execution, trying to overwrite the sanitized version before OpenVPN gets it. Form this point, OpenVPN is executed with –security-script 1 so direct code execution wasn’t possible.

Instead the log directive could be abused to write a log file to any location as SYSTEM, and partial control of the logged content could be used. Where there are several avenues for escalation, Rhino Security Labs created an ipconfig.bat in the application’s Program Files directory as it would attempt to run the ipconfig command without using an absolute path, meaning the bat would get executed.