Cato Client - Local Privilege Escalation via Self-Upgrade (CVE-2024-6974)

Summary

The Cato Client was found to use an insecure temporary folder for downloading and processing updates.

Impact

A local, low-privileged attacker could exploit this issue to escalate their privileges to those of the Cato Networks VPN Service, which runs as SYSTEM.

Affected Versions

Windows Client version 5.10.26 and below.

Details

When processing updates, the privileged Cato Networks VPN Service downloads the updater executable to the Windows Temp folder. This folder is writable by all users of the system and is not limited to privileged processes. Therefore, a local attacker could exploit this issue to place files or folders within the Temp folder which could cause the updater to inadvertently execute code of their own choosing.

As shown in the following screenshot, the download location for the update installer is calculated using GetTempPathW, combining the returned temporary directory path with the hardcoded file name cato-VPN-setup.exe.

Update installer Download Location - in getDownloadLocation of the winvpnclient.cli.exe

The following rules (taken from Microsoft’s documentation) are used by GetTempPathW, in order, to determine the temporary directory that it returns:

  • The path specified by the TMP environment variable.
  • The path specified by the TEMP environment variable.
  • The path specified by the USERPROFILE environment variable.
  • The Windows directory.

For a Windows service, the default TMP and TEMP environment variables are set to C:\Windows\Temp, as shown in the following screenshot of the TEMP environment variable for the winvpnclient.cli.exe process:

TEMP Environment Variables

When the automatic update process is launched, the winvpnclient.cli.exe service will first make a request to the following URL to determine if there is a new update available:

https://cc2.catonetworks.com/getClientVersion?type=Windows&osVer=11.22631&platform=x64&currentVer=5.9.6.782&user=<user>&account=<account> ..

If a newer version is available, it is downloaded to the temporary location calculated in getDownloadLocation, and then the downloaded installer is executed using CreateProcessW, with SYSTEM privileges.

The Cato Client installer appears to be packaged using NSIS (Nullsoft Scriptable Install System). Specifically, it seems to have been compiled using NSIS version 3.08, which is also vulnerable to CVE-2023-37378.

However, regardless of the known NSIS issue, executing privileged executables from user-writable directories will typically allow privilege escalation, through DLL hijacking, symlink attacks or otherwise.

In this case, it was discovered that the cato-VPN-setup.exe executable would attempt to execute a non-existent executable named msiexec.exe from the process’s current directory, which was the writable C:\Windows\Temp folder.

By writing a malicious msiexec.exe executable to the C:\Windows\Temp directory, the installer would execute this binary as SYSTEM, resulting in privilege escalation:

Successful Exploitation

Whilst there is no way for an attacker to manually initiate the update process, a malicious user or local attacker would simply have to place the msiexec.exe binary in the Temp folder and wait for the automatic update process to take place whenever a new update is available from Cato.

It should be noted that whilst the msiexec.exe issue was exploited here, there are other ways that this issue could be exploited. However, for demonstration purposes, the easiest exploitation method was chosen.

Mitigation Steps

Install version 5.10.34, or later.
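The following PowerShell audit script is an added example, not part of the advisory or of Cato's own tooling. It checks a host for the three conditions the advisory describes: a client version below 5.10.34, an unexpected msiexec.exe sitting in the service's temp directory (the legitimate binary lives in System32), and the broad write rights on C:\Windows\Temp that make the issue exploitable. It assumes the client registers a standard Uninstall entry whose DisplayName contains "Cato"; the function names are my own.

```powershell
# Audit for the conditions in CVE-2024-6974 (added example; assumptions noted inline).
$FixedVersion   = [version]'5.10.34'
$TempDir        = Join-Path $env:SystemRoot 'Temp'   # what GetTempPathW returns for services
$RoguePath      = Join-Path $TempDir 'msiexec.exe'   # real msiexec.exe is in System32
$UninstallMatch = 'Cato'                             # assumption: DisplayName contains this

function Get-CatoClientVersion {
    # Look the client up via the standard Uninstall keys (64-bit and WOW6432Node).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$UninstallMatch*" -and $_.DisplayVersion } |
        ForEach-Object { [version]($_.DisplayVersion -replace '[^\d.]', '') } |
        Sort-Object -Descending | Select-Object -First 1
}

function Test-UnprivilegedWrite {
    param([string]$Path)
    # Return the Allow ACEs that grant CreateFiles to broad, non-admin principals.
    $broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::CreateFiles)
    }
}

$findings = @()
$ver = Get-CatoClientVersion
if (-not $ver)                  { $findings += 'Cato client not found in Uninstall registry; verify manually' }
elseif ($ver -lt $FixedVersion) { $findings += "Cato client $ver is below fixed version $FixedVersion" }

if (Test-Path -LiteralPath $RoguePath) {
    # Any msiexec.exe here is unexpected; record its signature status for triage.
    $sig = Get-AuthenticodeSignature -FilePath $RoguePath
    $findings += "Unexpected $RoguePath present (signature: $($sig.Status)); treat as suspicious"
}

if (Test-UnprivilegedWrite -Path $TempDir) {
    $findings += "$TempDir grants CreateFiles to non-admin principals (Windows default, exploitable with a vulnerable client)"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "No findings on $env:COMPUTERNAME" }
```

Run it elevated so the registry and ACL reads succeed; the temp-directory ACE finding is expected on a default install and only matters while an unpatched client is present.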
