HideMyAss! privilege escalation flaws exposed (ZDNet)

A set of serious security flaws in the HideMyAss! proxy service, which could place user security and privacy at risk, has been publicly disclosed.


Over the weekend, Securify researcher Han Sahin said that multiple privilege escalation vulnerabilities exist in HideMyAss! Pro VPN for Apple’s OS X operating system, a subscription-based virtual private network (VPN) service used to mask user traffic and online activities.

The security flaw details and proof-of-concept (PoC) code were posted on Full Disclosure.

The bugs were discovered in the helper binary HMAHelper which ships with the Apple Mac OS X versions of HideMyAss!.

The helper, which is installed as root and is responsible for loading kernel extensions and managing firewall rules and permissions, contains flaws that permit local attackers to escalate privileges and gain root control of user accounts.

“Although disabling the firewall is dangerous enough, it was found that the helper is affected by multiple local privilege escalation vulnerabilities,” the researcher says. “Taking the FirewallDisable rule as an example, [..] there is no limit to which executable can be executed allowing a local user (or malware) to run any executable as root.”


Tested on version, Sahin says this older version of the software is still available for download and according to HMA support, will not be fixed.

In addition, Securify also discovered a similar local privilege escalation flaw in HideMyAss! Pro VPN for Mac. However, this issue — caused by a signature check failure in a binary assistant used to create VPN profiles and connections — impacts the latest version of the client, version, and no fix is available.

HideMyAss!, catering for thousands of users worldwide, is one of the most well-known VPNs on the market which offers free and premium proxy services. The HideMyAss! Pro VPN service is under AVG’s umbrella after desktop and mobile privacy firm Privax was acquired by the antivirus provider in 2015.

ZDNet has reached out to HideMyAss and will update if we hear back.

Source: SANS ISC SecNewsFeed @ May 2, 2017 at 03:39AM