CVE-2022-24141
Description
The iTopVPNmini.exe component of iTop VPN 3.2 will try to connect to datastate_iTopVPN_Pipe_Server on a loop. An attacker that opened a named pipe with the same name can use it to gain the token of another user by listening for connections and abusing ImpersonateNamedPipeClient().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
iTop VPN 3.2's iTopVPNmini.exe component allows an attacker with a crafted named pipe to impersonate other users and gain their tokens, leading to privilege escalation.
Vulnerability
The iTopVPNmini.exe component in iTop VPN version 3.2 [2] attempts to connect to a named pipe called datastate_iTopVPN_Pipe_Server in a loop. An attacker who creates a named pipe with the same name can intercept these connections. This behavior is described in the original disclosure [1].
Exploitation
To exploit this, an attacker must have the ability to create a named pipe on the local system, which typically requires local access or the ability to run code on the same machine. By opening a named pipe with the identical name datastate_iTopVPN_Pipe_Server, the attacker can listen for connections from iTopVPNmini.exe. When a connection occurs, the attacker can call ImpersonateNamedPipeClient() to assume the security context of the user running the iTop VPN service, thereby obtaining that user's access token.
Impact
A successful exploit allows the attacker to impersonate another user, gaining that user's privileges and access rights. This can lead to privilege escalation, as the attacker may obtain a token with higher privileges than their own, enabling actions such as accessing sensitive data or performing administrative operations on the system.
Mitigation
As of the publication date (2022-07-06), no official patch or update from IObit has been announced [2]. Users should consider updating to a version newer than 3.2 if available, or monitor the vendor's site for fixes. In the absence of a patch, limiting local access to trusted users and monitoring for unauthorized named pipe creation may reduce risk.
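The pipe-creation monitoring suggested above can be sketched as follows. This is an added example, not code from the vendor or the original disclosure. It assumes Sysmon pipe logging is enabled (Event ID 17 for pipe created, Event ID 18 for pipe connected) and that events are exported as XML; the allowlist and all file paths are placeholders, because the page does not say which process legitimately creates the pipe.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PIPE = r"\datastate_iTopVPN_Pipe_Server"  # pipe name from the CVE description
CLIENT = "itopvpnmini.exe"                 # connecting component named in the CVE

def parse(xml_text):
    """Return (event_id, fields) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    eid = int(root.find("e:System/e:EventID", NS).text)
    data = root.findall("e:EventData/e:Data", NS)
    return eid, {d.get("Name"): (d.text or "") for d in data}

def detect(events, allowed_servers):
    """Alert on untrusted creators of the pipe and on client connections after one."""
    allowed = {p.lower() for p in allowed_servers}
    untrusted_seen, alerts = False, []
    for xml_text in events:
        eid, f = parse(xml_text)
        if f.get("PipeName", "").lower() != PIPE.lower():
            continue  # unrelated pipe
        image = f.get("Image", "")
        if eid == 17 and image.lower() not in allowed:  # 17 = pipe created
            untrusted_seen = True
            alerts.append(("untrusted_pipe_server", image))
        elif eid == 18 and untrusted_seen and image.lower().endswith("\\" + CLIENT):
            # 18 = pipe connected, seen after an untrusted create
            alerts.append(("client_connected_after_untrusted_create", image))
    return alerts

def _ev(eid, pipe, image):
    """Build a constructed, minimal Sysmon-style event (not captured data)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData><Data Name="PipeName">{pipe}</Data>'
            f'<Data Name="Image">{image}</Data></EventData></Event>')

# Placeholder paths: the page does not say where the binaries are installed
# or which process legitimately creates the pipe.
ALLOWED = [r"C:\PLACEHOLDER\expected-pipe-server.exe"]
SAMPLE = [
    _ev(17, PIPE, ALLOWED[0]),
    _ev(17, r"\unrelated_pipe", r"C:\Users\Public\unknown.exe"),
    _ev(17, PIPE, r"C:\Users\Public\unknown.exe"),
    _ev(18, PIPE, r"C:\PLACEHOLDER\iTopVPNmini.exe"),
]

if __name__ == "__main__":
    for kind, image in detect(SAMPLE, ALLOWED):
        print(kind, image)
```

Replace the allowlist with the image path observed creating the pipe on a known-good installation before relying on the alerts.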
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.