Forcepoint VPN patches privilege escalation vulnerability

Researchers at SafeBreach Labs recently published a post that details a vulnerability affecting the Forcepoint VPN client for Windows (all versions before 6.6.1). The vulnerability, logged as CVE-2019-6145, allows for privilege escalation as well as persistence and defense evasion. Exploiting it requires the attacker to already hold some form of administrative access, but this is not as hard to achieve as one might think.

The mechanics of exploiting CVE-2019-6145 were uncovered through a series of deep-dives into how Forcepoint VPN operates. While looking for vulnerabilities, SafeBreach Labs built the exploit around an unsigned executable that gets launched by a signed service running as NT AUTHORITY\SYSTEM. The researchers noticed that the executable Forcepoint VPN launches at startup, sgvpn.exe, was not found by the service immediately. Instead, the service looked for several non-existent EXE files before locating sgvpn.exe and executing it.

The post from SafeBreach Labs explains the cause in detail:

The first argument of the CreateProcessW function call is NULL.
The command line buffer doesn’t contain any quoted string which separates the executable path from the argument.
(A quick reminder: “%s%s %s”), which in our case turns to:
“C:\Program Files (x86)\Forcepoint\VPN Client\sgpm.exe -A”

According to the CreateProcessW function documentation in MSDN, we will see the following:

The lpApplicationName parameter can be NULL. In that case, the module name must be the first white space–delimited token in the lpCommandLine string. If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous.
For example, consider the string “c:\program files\sub dir\program name”. This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:

c:\program.exe
c:\program files\sub.exe
c:\program files\sub dir\program.exe
c:\program files\sub dir\program name.exe

The root cause of this unquoted search path vulnerability happens because the command line doesn’t contain a quoted string between the path of the executable and the argument – so the CreateProcessW function tries to split it by itself each time it parses a space character:

“C:\Program.exe”
“C:\Program Files (x86)\Forcepoint\VPN.exe”
“C:\Program Files (x86)\Forcepoint\VPN Client\sgpm.exe -A”
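As an added example (not code from SafeBreach Labs or Forcepoint), the Python below models the candidate sequence described in the MSDN excerpt above and derives the two defender-side checks that follow from it: which directories must not be writable by standard users, and how quoting the module path collapses the sequence to a single candidate. The command line is the one quoted in the post; the set of files assumed to be present on disk is constructed for the example.

```python
import ntpath

# Constructed sample (not taken from a real system): the unquoted command line
# the SafeBreach post shows being passed to CreateProcessW with a NULL first argument.
SAMPLE_CMDLINE = r"C:\Program Files (x86)\Forcepoint\VPN Client\sgpm.exe -A"
REAL_EXE = r"C:\Program Files (x86)\Forcepoint\VPN Client\sgpm.exe"


def is_quoted(cmdline: str) -> bool:
    """A command line whose module name is wrapped in quotes is unambiguous."""
    return cmdline.lstrip().startswith('"')


def probe_sequence(cmdline: str) -> list[str]:
    """Candidate module names in the order the MSDN rule tries them: every
    whitespace is a possible end of the path, left to right, and '.exe' is
    appended when the candidate carries no extension."""
    if is_quoted(cmdline):
        return [cmdline.split('"')[1]]  # quoted: exactly one candidate
    tokens = cmdline.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        cand = " ".join(tokens[:i])
        if not ntpath.splitext(cand)[1]:
            cand += ".exe"
        candidates.append(cand)
    return candidates


def resolve(cmdline: str, existing: set[str]):
    """Simulate the lookup against `existing` (paths assumed present on disk).
    Returns the file that would launch and the directories probed before it.
    A defender must verify standard users cannot create files in those
    directories: a file with one of the probed names placed there would be
    launched instead, under the service's account (here NT AUTHORITY\\SYSTEM)."""
    present = {p.lower() for p in existing}
    probed = []
    for cand in probe_sequence(cmdline):
        if cand.lower() in present:
            return cand, sorted({ntpath.dirname(c) for c in probed})
        probed.append(cand)
    return None, sorted({ntpath.dirname(c) for c in probed})


def harden(cmdline: str, exe: str) -> str:
    """The fix: quote the module path so arguments cannot be confused with it."""
    if not cmdline.startswith(exe):
        raise ValueError("command line does not start with the expected module path")
    args = cmdline[len(exe):].strip()
    return f'"{exe}" {args}'.strip()
```

Applying the documented rule to the post's command line also yields the probe C:\Program Files.exe between the first two entries of the list quoted above, so C:\ and C:\Program Files (x86)\Forcepoint are the directories whose ACLs an audit should confirm.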

The CVE-2019-6145 vulnerability report was released by SafeBreach Labs on Sept. 5 and the vulnerability was confirmed by Forcepoint VPN’s developers on the same day. After some time passed, the official patch was released for the client on Sept. 19 as patch 6.6.1.

Featured image: Flickr / Richard Patterson
