HideMyAss! privilege escalation flaws exposed

Updated: The researcher on the case says the VPN provider will not be fixing them.

A set of serious security flaws in the HideMyAss! proxy service which could place user security and privacy at risk have been publicly disclosed.

screen-shot-2017-05-02-at-08-37-59.jpg

Over the weekend, Securify researcher Han Sahin said that multiple privilege escalation vulnerabilities exist in HideMyAss! Pro VPN for Apple's OS X operating system, a subscription-based virtual private network (VPN) service used to mask user traffic and online activities.

The security flaw details and proof-of-concept (PoC) code was posted on Full Disclosure.

The bugs were discovered in the helper binary HMAHelper which ships with the Apple Mac OS X versions of HideMyAss!.

The helper, installed as root and responsible for loading kernel extensions and managing firewall rules and permissions, also includes the flaws which permit local attackers to exploit privilege escalation and gain root control of user accounts.

"Although disabling the firewall is dangerous enough, it was found that the helper is affected by multiple local privilege escalation vulnerabilities," the researcher says. "Taking the FirewallDisable rule as an example, [..] there is no limit to which executable can be executed allowing a local user (or malware) to run any executable as root."

screen-shot-2017-05-02-at-08-17-23.jpg

Tested on version 2.2.7.0, Sahin says this older version of the software is still available for download and according to HMA support, will not be fixed.

In addition, Securify also discovered a similar local privilege escalation flaw in HideMyAss! Pro VPN for Mac. However, this issue -- caused by a signature check failure in a binary assistant used to create VPN profiles and connections -- impacts the latest version of the client, version 3.3.0.3, and no fix is available.

HideMyAss!, catering for thousands of users worldwide, is one of the most well-known VPNs on the market which offers free and premium proxy services. The HideMyAss! Pro VPN service is under AVG's umbrella after desktop and mobile privacy firm Privax was acquired by the antivirus provider in 2015.

Update 8.5.2017: An HMA spokesperson told ZDNet:

"HMA was recently notified of a suspected vulnerability in our Mac products by a third party researcher, which we have verified. The issue can only be exploited by someone with direct access to your Mac. While this is highly unlikely to be taken advantage of in a real-world scenario, we do take it very seriously. We thank the researcher for drawing our attention to this and appreciate the efforts of the wider research community in helping to keep our users safe.

The next version of HMA Pro VPN, which is currently in its initial testing phase, will not be vulnerable to this issue."

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All