Bitmask Riseup VPN 0.21.6 contains a local privilege escalation flaw due to improper access controls. When the software is installed into a non-default installation directory that is not under the system root, the installer fails to set restrictive ACLs on the installed files. This allows lower-privileged users to replace the VPN executable with a malicious one. When a higher-privileged user such as an Administrator launches that executable, the lower-privileged user can escalate to Administrator privileges.
CVE-2021-44466 describes a critical local privilege escalation vulnerability in Riseup VPN 0.21.6. By exploiting the improper access control set during installation, a local attacker can replace the VPN executable with a malicious version and gain Administrator privileges when the legitimate application is launched. This vulnerability poses a significant risk to the confidentiality and integrity of user data and can enable complete compromise of the system.
Step 1: Installation in Non-Default Directory: Riseup VPN is installed in a directory other than the default location (e.g., a directory under the user's profile).
Step 2: Missing ACL Restrictions: The installer fails to set proper ACLs on the VPN executable, so lower-privileged users can modify the file.
Step 3: Payload Delivery: A lower-privileged user overwrites the legitimate Riseup VPN executable with a malicious version (e.g., a program designed to execute arbitrary commands with elevated privileges).
Step 4: Triggering the Malicious Executable: A higher-privileged user (e.g., an Administrator) launches the Riseup VPN client.
Step 5: Privilege Escalation: The malicious executable runs with the privileges of the higher-privileged user, giving the attacker Administrator access.
The root cause lies in the installer's failure to correctly set Access Control Lists (ACLs) on the VPN executable when it is installed in a non-default directory. Specifically, the installer does not restrict write access to the VPN executable for lower-privileged users, so a local, unprivileged user can overwrite the legitimate VPN executable with a malicious one. When an administrator or another higher-privileged user subsequently launches the VPN client, the malicious executable runs with elevated privileges. The flaw is therefore a direct result of inadequate file permission management during installation.
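The following PowerShell script is an added example, not code from the advisory or from the Riseup VPN project. It audits whether an installed executable, and the directory that contains it, can be replaced by ordinary local users (the condition described in the steps and root cause above) and shows one way to lock the file's ACL down. The install path is an assumed example location; substitute the real path of the binary on the host being checked.

```powershell
# Added example (not from the advisory or the Riseup VPN project): audit and
# harden the DACL on an installed executable so non-administrators cannot
# replace it. $VpnExe is an assumed example path, not one taken from the page.

$VpnExe = 'C:\Users\alice\RiseupVPN\riseup-vpn.exe'   # assumed example path

# Groups that every local account belongs to. Compared by SID so the check
# does not depend on localized account names.
$BroadPrincipalSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-4',       # INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights on the file itself that let a caller change or swap out its contents.
# Attribute-only write bits are left out to avoid false positives.
$FileWriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# Inherited ACEs can carry generic bits instead of specific file rights.
$FileWriteMask = $FileWriteMask -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

# On the parent directory, the right to delete children is enough to move the
# real binary aside and put another file under the same name, even if the
# file's own ACL is strict.
$DirReplaceMask = [int][System.Security.AccessControl.FileSystemRights]'DeleteSubdirectoriesAndFiles'

function Get-WeakAccessRules {
    # Returns every Allow ACE that grants a broad, low-privilege group at
    # least one of the rights in $Mask.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Mask
    )
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($BroadPrincipalSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $Mask) -ne 0) { $ace }
    }
}

function Set-AdminOnlyWriteAcl {
    # Replaces the file's DACL with: SYSTEM and Administrators full control,
    # Users read/execute only. Run from an elevated prompt.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the (user-writable) parent directory and drop the
    # entries that were inherited from it.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { $acl.RemoveAccessRuleAll($ace) }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', 'ReadAndExecute', 'Allow')))
    # The owner of a file can always rewrite its DACL, so ownership must move
    # away from the installing user too, otherwise the restriction is cosmetic.
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$weak = @()
$weak += Get-WeakAccessRules -Path $VpnExe -Mask $FileWriteMask
$weak += Get-WeakAccessRules -Path (Split-Path -LiteralPath $VpnExe -Parent) -Mask $DirReplaceMask

if ($weak.Count -gt 0) {
    Write-Warning "Low-privilege principals can replace $VpnExe :"
    $weak | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
    # Set-AdminOnlyWriteAcl -Path $VpnExe   # uncomment to harden the file (elevated prompt)
} else {
    "$VpnExe cannot be replaced by broad, low-privilege principals."
}
```

A file installed under a user's profile inherits that user's write access from every directory above it, and the user also owns the file, which is why the hardening step both breaks inheritance and changes the owner. The same result can be obtained with icacls, for example `icacls <path> /inheritance:r /grant:r "*S-1-5-18:F" "*S-1-5-32-544:F" "*S-1-5-32-545:RX"`. Either way, this only protects the file itself; the durable fix is to install the software under a location such as %ProgramFiles% whose default ACLs already deny write access to ordinary users, so that the parent directory cannot be used to rename or delete the binary.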