Exploit Title: OpenVPN Connect for Windows (MSI) - 3.1.0.361 - Privilege Escalation

Date: 2020-02-28
Author: Andrew Hess
Software Link: https://openvpn.net/client-connect-vpn-for-windows/
Version: 3.1.0.361 (MSI)
CVE: CVE-2020-9442

History

2019.12.15 - Vulnerability discovered
2019.12.15 - Initial contact with the vendor
2020.01.xx - Vendor Patch - 3.1.1 (378) beta

Release notes for 3.1.1 (378) beta

Implemented a fix for a security issue related to the location of installation files

Software description

This is the official OpenVPN Connect client software for Windows workstation platforms developed and maintained by OpenVPN Inc. This is the recommended client program for the OpenVPN Access Server to enable VPN for Windows. The latest version of OpenVPN for Windows is available on our website.

If you have an OpenVPN Access Server, it is recommended to download the OpenVPN Connect client software directly from your own Access Server, as it will then come pre configured for use for VPN for Windows. The version available here contains no configuration to make a connection, although it can be used to update an existing installation and retain settings.

Exploit description

The permissive folder permission in "C:\ProgramData\OpenVPN Connect" allows an attacker without admin rights to place a malicious DLL next to tapinstall.exe. As soon as OpenVPN client is installed or upgraded, the malicious DLL is loaded by tapinstall and the shellcode is executed.

DLLs searched by tapinstall:

DEVRTL.dll SPINF.dll drvstore.dll DEVOBJ.dll newdev.dll VCRUNTIME140.dll

Steps To Reproduce

Drop a malicious drvstore.dll in C:\ProgramData\OpenVPN Connect\drivers\tap\amd64\win10
Install openvpn-connect-3.1.0.361_signed.msi
Shellcode is executed with the SYSTEM account

Impact

A possible attacker obtains system privileges

hessandrew / CVE-2020-9442