Rich Mirch

Penetration Tester, Red Teamer, Security Researcher

CVE-2019-6724: Barracuda VPN Client Privilege Escalation on Linux and macOS — February 14, 2019

The barracudavpn component of the Barracuda VPN Client prior to version 5.0.2.7 for Linux, macOS, and OpenBSD runs as a privileged process and can allow an unprivileged local attacker to load a malicious library, resulting in arbitrary code executing as root.

This post will walk through the process of how I found and exploited the vulnerability on Linux. The full PoC will also work on macOS. When researching potential vulnerabilities in privileged binaries, a test system should be used to avoid causing damage or negative impacts.

CVE-2018-18629: Keybase Linux privilege escalation — December 21, 2018

Recently I started using Keybase, which is a Slack-like application but provides end-to-end encryption. Version 2.8.0.20181017144746.3efc4cbf3c is vulnerable to a privilege escalation vulnerability allowing a low-privileged user to execute arbitrary commands as root.

After executing the application using a low-privileged account, I noticed a process named keybase-redirector running as root. I was interested and wanted to understand how this worked. After checking the file permissions, I found that the keybase-redirector was setuid root. I enjoy the challenge of finding vulnerabilities in privileged binaries, so I started my research.

CVE-2018-19788 PoC – polkit: Improper handling of user with uid > INT_MAX leading to authentication bypass — December 9, 2018

While reviewing my Twitter feed, I noticed a recent popular tweet from @0xdea.

I was intrigued and wanted to see if there was a way to leverage this to execute arbitrary code as root.
