Vulnerability Details : CVE-2018-11479
Public exploit exists!
The VPN component in Windscribe 1.81 uses the OpenVPN client for connections. Also, it creates a WindScribeService.exe system process that establishes a \\.\pipe\WindscribeService named pipe endpoint that allows the Windscribe VPN process to connect and execute an OpenVPN process or other processes (like taskkill, etc.). There is no validation of the program name before constructing the lpCommandLine argument for a CreateProcess call. An attacker can run any malicious process with SYSTEM privileges through this named pipe.
Vulnerability category: Input validation
Products affected by CVE-2018-11479
- cpe:2.3:a:windscribe:windscribe:1.81:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-11479
- EPSS score: 0.18% (probability of exploitation activity in the next 30 days)
- Percentile: ~ 55 % (the proportion of vulnerabilities that are scored at or less)
Metasploit modules for CVE-2018-11479
- Windscribe WindscribeService Named Pipe Privilege Escalation
  Disclosure Date: 2018-05-24
  First seen: 2020-04-26
  exploit/windows/local/windscribe_windscribeservice_priv_esc
  The Windscribe VPN client application for Windows makes use of a Windows service `WindscribeService.exe` which exposes a named pipe `\\.\pipe\WindscribeService` allowing execution of programs with elevated privileges. Windscribe versions prior to 1.
CVSS scores for CVE-2018-11479
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | |
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
CWE ids for CVE-2018-11479
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-11479
- http://packetstormsecurity.com/files/156222/Windscribe-WindscribeService-Named-Pipe-Privilege-Escalation.html
  Windscribe WindscribeService Named Pipe Privilege Escalation ≈ Packet Storm
- http://sqlulz.blogspot.com/2018/05/windscribe-vpn-privilege-escalation.html
  vmcs: WindScribe VPN Privilege Escalation (Third Party Advisory)