Privilege Escalation to SYSTEM in AWS VPN Client [CVE-2022-25165]

We discussed this vulnerability during Episode 137 on 18 April 2022

Two issues: the first is a race condition between validating that a configuration is safe and actually using that configuration; the second is an information disclosure in which a user's Net-NTLMv2 hash could be leaked.

The race condition was fairly straightforward: the service first validates a VPN configuration file and then starts OpenVPN with it. The problem is that the configuration can be modified during the brief window between the validation and OpenVPN reading the file. Using the log directive in the configuration can then result in semi-controlled content being written to any location as SYSTEM.

The second issue was that the auth-user-pass and ca directives accept file paths. Providing a UNC path here (\\server\file, for example) results in a File.Open call on that path, which sends the user's Net-NTLMv2 hash to the external server.
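Both issues come from the same place: the service validates an attacker-writable file and then lets OpenVPN open whatever paths that file names. The following is an added example (not code from the AWS VPN Client, from OpenVPN, or from the podcast) in Python rather than the service's own language, showing the two mitigations a defender would want: validate the bytes once and hand OpenVPN a private copy of exactly those bytes, so there is no validate/use window, and reject remote (UNC or URL-style) paths and paths outside a service-owned directory in the path-taking directives. The directive names log, auth-user-pass and ca come from the write-up; log-append is another real OpenVPN directive; ALLOWED_DIR, the staging directory, the simplified line parser and the sample profiles are hypothetical or constructed for this example.

```python
# Added example (not code from the AWS VPN Client, OpenVPN or the podcast):
# validate-once / use-the-validated-bytes handling of OpenVPN-style profiles.
# Hypothetical: ALLOWED_DIR, the staging directory, the simplified parser.
import ntpath
import re
import tempfile
from pathlib import PureWindowsPath

# Profiles may only reference files under this service-owned directory (hypothetical).
ALLOWED_DIR = PureWindowsPath(r"C:\ProgramData\ExampleVPN\profiles")

# Directives whose argument is a file path that OpenVPN opens as the service account.
PATH_DIRECTIVES = {"auth-user-pass", "ca"}
# Directives that let the profile choose where OpenVPN writes; the service
# should own logging, so these are rejected outright.
FORBIDDEN_DIRECTIVES = {"log", "log-append"}

_URL_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def is_remote_path(path: str) -> bool:
    """UNC paths (\\\\server\\share or //server/share) and URL-like paths make
    Windows open an SMB/WebDAV connection and authenticate to the remote host,
    which is how the Net-NTLMv2 hash leaks. Reject them before any open() call."""
    return path.startswith(("\\\\", "//")) or _URL_SCHEME.match(path) is not None


def path_is_allowed(path: str) -> bool:
    """Accept only absolute local paths inside ALLOWED_DIR after '..' normalisation."""
    if is_remote_path(path):
        return False
    norm = ntpath.normpath(path)  # collapses '..' and turns '/' into '\\'
    if not ntpath.isabs(norm) or norm.startswith("\\\\"):
        return False
    try:
        PureWindowsPath(norm).relative_to(ALLOWED_DIR)
    except ValueError:
        return False
    return True


def parse_directives(text: str):
    """Yield (directive, argument) pairs. Simplified parser: the rest of the line
    is the argument, optionally quoted; '#' and ';' start comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        arg = parts[1].strip() if len(parts) > 1 else ""
        if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "\"'":
            arg = arg[1:-1]
        yield parts[0].lower(), arg


def validate_config_text(text: str) -> list[str]:
    """Return a list of problems; an empty list means the content is acceptable."""
    problems = []
    for name, arg in parse_directives(text):
        if name in FORBIDDEN_DIRECTIVES:
            problems.append(f"{name}: directive not permitted in user profiles")
        elif name in PATH_DIRECTIVES and arg and not path_is_allowed(arg):
            problems.append(f"{name}: path not permitted: {arg}")
    return problems


def stage_config_bytes(data: bytes, staging_dir=None) -> str:
    """Validate DATA and, if acceptable, write exactly those bytes to a fresh file
    that the launcher will pass to OpenVPN. The user's file is never re-read, so
    nothing can be swapped in after validation. In a real service staging_dir
    must be writable only by the service account; mkstemp creates the file with
    restrictive permissions (0600 on POSIX)."""
    problems = validate_config_text(data.decode("utf-8", errors="replace"))
    if problems:
        raise ValueError("; ".join(problems))
    fd, path = tempfile.mkstemp(suffix=".ovpn", dir=staging_dir)
    with open(fd, "wb") as f:
        f.write(data)
    return path


def stage_config_file(user_path: str, staging_dir=None) -> str:
    """Single read of the untrusted file, then validation and staging of those bytes."""
    with open(user_path, "rb") as f:
        data = f.read()
    return stage_config_bytes(data, staging_dir)


# Constructed sample profiles (not from the advisory).
PROFILE_OK = """\
# constructed sample profile
client
dev tun
remote vpn.example.invalid 1194
ca "C:\\ProgramData\\ExampleVPN\\profiles\\ca.crt"
auth-user-pass C:\\ProgramData\\ExampleVPN\\profiles\\creds.txt
"""
PROFILE_UNC = PROFILE_OK + "auth-user-pass \\\\server.invalid\\share\\creds.txt\n"
PROFILE_TRAVERSAL = PROFILE_OK + "ca C:\\ProgramData\\ExampleVPN\\profiles\\..\\..\\..\\Users\\other\\ca.crt\n"
PROFILE_LOG = PROFILE_OK + "log C:\\Windows\\System32\\anything.log\n"
```

The important design point is that the launcher is given the staged copy, whose content is byte-for-byte what was validated; re-reading the user's file after validation, however quickly, is what created the race in the first place. Rejecting remote paths in the validator is defence in depth: the directory allow-list alone would already exclude UNC paths, but a dedicated check catches forward-slash and URL-style spellings that a lexical prefix test might miss.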