An issue was discovered in PureVPN through 5.19.4.0 on Windows. The client installation grants the Everyone group Full Control permission…
mitre·CWE-426·Published 2018-02-26
An issue was discovered in PureVPN through 5.19.4.0 on Windows. The client installation grants the Everyone group Full Control permission to the installation directory. In addition, the PureVPNService.exe service, which runs under NT Authority\SYSTEM privileges, tries to load several dynamic-link libraries using relative paths instead of the absolute path. When not using a fully qualified path, the application will first try to load the library from the directory from which the application is started. As the residing directory of PureVPNService.exe is writable to all users, this makes the application susceptible to privilege escalation through DLL hijacking.
An issue was discovered in PureVPN through 5.19.4.0 on Windows. The client installation grants the Everyone group Full Control permission to the installation directory. In addition, the PureVPNService.exe service, which runs under NT Authority\SYSTEM privileges, tries to load several dynamic-link libraries using relative paths instead of the absolute path. When not using a fully qualified path, the application will first try to load the library from the directory from which the application is started. As the residing directory of PureVPNService.exe is writable to all users, this makes the application susceptible to privilege escalation through DLL hijacking.
Se ha descubierto un problema en PureVPN hasta su versión 5.19.4.0 en Windows. La instalación del cliente proporciona al grupo Everyone permisos de control total sobre el directorio de instalación. Además, el servicio PureVPNService.exe, que se ejecuta con privilegios NT Authority\SYSTEM, intenta cargar varias librerías dynamic-link mediante el uso de rutas relativas en lugar de la ruta absoluta. Al no emplear una ruta totalmente cualificada, la aplicación intentará cargar la librería desde el directorio en el que la aplicación se inicia. Como el directorio en el que se encuentra PureVPNService.exe puede ser escrito por todos los usuarios, esto hace que la aplicación sea susceptible a escalado de privilegios mediante secuestro de DLL.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 9.3 | 8.6 | 10.0 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| 3.0 | Primary | NVD | 7.8 | 1.8 | 5.9 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |