Security expert Peleg Hadar of SafeBreach Labs discovered a privilege escalation vulnerability, tracked as CVE-2019-6145, that affects all versions of VPN Client for Windows except the latest release.
The vulnerability can be exploited by attackers to achieve persistence and evade detection. The experts discovered that the application incorrectly attempts to execute an executable from incorrect locations, allowing an attacker to run its own binaries with NT AUTHORITY\SYSTEM permissions.
In versions of the software lower than 6.6.1 the Forcepoint VPN Client Service (
"C:\Program.exe" "C:\Program Files (x86)\Forcepoint\VPN.exe"
The Forcepoint service is signed and starts with the system boot, this means that any injected executable will inherit its permissions and could be executed at boot time.
An attacker with Administrator privileges can implant an arbitrary unsigned executable which is executed by a signed service that runs as NT AUTHORITY\SYSTEM.
“In our exploration, we found that after the Forcepoint VPN Client Service was started, the sgvpn.exe signed process was executed as NT AUTHORITY\SYSTEM.” reads the post published by the expert.
“We noticed an interesting behavior once the service’s process was executed:
“As it can be seen, the service was trying to look for multiple missing EXE files before it found and executed the real executable file (sgpm.exe)”
Hadar also published the result of his PoC in which he compiled an unsigned executable that wrote to a text file the name of the process loading it and the username that executed it.
The expert explained that the root cause of the problem is a quoted string between the path of the executable and the argument that is missing from the command line. The expert discovered that when the overall string is parsed, the space character breaks the path.
“The root cause of this unquoted search path vulnerability happens because the command line doesn’t contain a quoted string between the path of the executable and the argument – so the CreateProcessW function tries to split it by itself each time it parses a space character:“ continues the post.
“The vulnerability gives attackers the ability to be executed by a signed service. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass”
The expert reported the flaw to Forcepoint on September 5, the company confirmed the issue and addressed it with the release of the Forcepoint VPN Client version 6.6.1.
“There is an unquoted search path vulnerability in Forcepoint VPN Client for Windows versions lower than 6.6.1.” reads the advisory published by Forcepoint. “When the VPN Client starts, usually during the Windows boot sequence, it incorrectly tries to execute programs in the following locations”
Forcepoint also suggests as mitigation to restrict