Title: iPass Mobile Client service local privilege escalation
Product: Hewlett-Packard Universal CMDB (UCMDB)
Affected versions: iPass Mobile Client 2.4.2.15122 (Newer version might be
also affected)
Impact: medium
Remote: no
Product link: http://www.ipass.com/laptops/
Reported: 11/03/2015
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
The iPass Open Mobile client for laptops is lightweight and always on.
It provides easy, seamless connectivity across iPass, customer, and third-party
networks, and allows you to mix and match carrier networks without disrupting
your users.
"We do not consider this a vulnerability as it is how the product was designed"
Disable the iPass service unless really required
โ CVSS2 Ratings ------------------------------------------------------
The iPass Open Mobile Windows Client utilizes named pipes for interprocess
communication. One of these pipes accepts/forwards commands to the iPass
plugin subsystem.
A normal user can communicate with this pipe through the command line client
EPCmd.exe which is part of the iPass suite. A list of available commands can
be displayed via "System.ListAllCommands".
The iPass pipe provides a "iPass.EventsAction.LaunchAppSysMode" command which
allows to
execute arbitrary commands as SYSTEM. This can be abused by a normal user to
escalate
his local privileges.
Please note that this issue can also be exploited remotely in version
2.4.2.15122 as
the named pipe can also be called via SMB. However according to our information,
the pipe is no longer remotely accessible in current versions of the iPass
Mobile
client.
The following EPCmd command line creates a local user "mogwai" with password
"mogwai":
EPCmd.exe iPass.EventsAction.LaunchAppSysMode c:\windows\system32\cmd.exe;"/c
net user mogwai mogwai /ADD;;
10/03/2015: Requesting security contact from iPass sales
10/03/2015: Sales responded, will forward vulnerability information to the
development
11/03/2015: Sending vulnerability details
11/03/2015: iPass asks which customer we represent
11/03/2015: Responding that we don't represent any iPass customer
12/03/2015: iPass responded, wont fix, says that the product works as designed
https://www.mogwaisecurity.de/#lab
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)