CVE-2015-0925
Published 2015-01-22
Priority: P2 · 66 · critical
CVSS 2.0: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 52.13% (98.8th percentile)
The client in iPass Open Mobile before 2.4.5 on Windows allows remote authenticated users to execute arbitrary code via a DLL pathname in a crafted Unicode string that is improperly handled by a subprocess reached through a named pipe, as demonstrated by a UNC share pathname.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ipass | ipass_open_mobile | <= 2.4.4 | — |
Detection & IOCs (extracted from sources)
- Monitor for SMB named pipe connections to \IPEFSYSPCPIPE. This pipe is accessible to BUILTIN\Users and is the attack vector for CVE-2015-0925.
- Alert on Unicode-encoded writes to \IPEFSYSPCPIPE containing UNC share paths (\\server\share\*.dll); these indicate an attempt to force the iPass service to load a remote DLL.
- Detect the iPass.SWUpdateAssist.RegisterCOM command sent over the named pipe with a UNC path argument; this is the specific exploit primitive used to trigger remote DLL loading.
- Detect the LaunchAppSysMode command sent over \IPEFSYSPCPIPE by non-SYSTEM processes; this command enables arbitrary command execution as SYSTEM.
- Monitor for outbound SMB connections (port 445) originating from the iPass client service process (e.g., iPassPeriodicUpdater or similar), which may indicate the service is fetching a DLL from an attacker-controlled share.
- The exploit's check phase sends a System.Echo command over the pipe and looks for the echoed value in the response; repeated pipe open/write/read/close cycles on \IPEFSYSPCPIPE from a user-context process are a behavioural indicator.
- The vulnerability only affects iPass Open Mobile versions before 2.4.5 on Windows; patched versions are not exploitable via this named pipe abuse.
- Exploitation requires the attacker to be a remote authenticated user (member of BUILTIN\Users); unauthenticated or anonymous access to the pipe is not sufficient.
- The Metasploit module uses a randomly generated 7-character DLL filename and a randomly named SMB share for each run, so static filename/share-name IOCs are not reliable for detection.
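The following is an added example, not code from this page, from iPass, or from the Metasploit project: a small Python triage script that applies the indicators listed above to a constructed stream of named-pipe and network events. The event shape (type, pipe, user, image, data, dst, dst_port), the rule names and all sample values are assumptions. Real telemetry such as Sysmon event 18 (pipe connected) would have to be mapped into that shape first, and because no standard Windows source logs pipe write contents, the payload-bearing events assume a custom pipe monitor that records the raw bytes as hex.

```python
"""Triage helper for the CVE-2015-0925 named-pipe indicators (added example).

Assumed, constructed event shape (one dict per event):
  {"type": "pipe_connect", "pipe": ..., "user": ..., "image": ...}
  {"type": "pipe_write",   "pipe": ..., "user": ..., "image": ..., "data": <hex of raw bytes>}
  {"type": "net_connect",  "image": ..., "dst": ..., "dst_port": ...}
"""
import re
from collections import Counter

PIPE_NAME = r"\IPEFSYSPCPIPE"
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}
# UNC path to a DLL: \\server\share[\dir...]\name.dll
UNC_DLL_RE = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+(?:\\[^\\\s]+)*\.dll\b", re.IGNORECASE)


def decode_payload(hex_data):
    """Decode a hex-encoded pipe write. The client speaks UTF-16LE (Unicode);
    text built from Latin characters has a zero high byte in every code unit,
    so use that as the detector and fall back to Latin-1 otherwise."""
    raw = bytes.fromhex(hex_data)
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def analyze(events):
    """Return a list of (severity, rule, detail) findings, one per matched indicator."""
    findings = []
    echo_probes = Counter()  # (user, image) -> number of System.Echo writes
    for ev in events:
        kind = ev.get("type")
        user = ev.get("user", "")
        image = ev.get("image", "")
        pipe = ev.get("pipe", "")
        on_pipe = pipe.upper() == PIPE_NAME.upper()
        if kind == "pipe_connect" and on_pipe and user not in SYSTEM_ACCOUNTS:
            findings.append(("medium", "ipass-pipe-access",
                             f"{user} ({image}) opened {PIPE_NAME}"))
        elif kind == "pipe_write" and on_pipe:
            text = decode_payload(ev.get("data", ""))
            unc = UNC_DLL_RE.search(text)
            if "RegisterCOM" in text and unc:
                findings.append(("high", "ipass-registercom-unc",
                                 f"RegisterCOM with remote DLL {unc.group(0)} from {user}"))
            elif unc:
                findings.append(("high", "ipass-unc-dll-write",
                                 f"UNC DLL path {unc.group(0)} written to pipe by {user}"))
            if "LaunchAppSysMode" in text and user not in SYSTEM_ACCOUNTS:
                findings.append(("high", "ipass-launchappsysmode",
                                 f"LaunchAppSysMode sent by non-SYSTEM user {user}"))
            if "System.Echo" in text:
                echo_probes[(user, image)] += 1
        elif kind == "net_connect" and ev.get("dst_port") == 445 and "ipass" in image.lower():
            findings.append(("medium", "ipass-outbound-smb",
                             f"{image} connected to {ev.get('dst')}:445"))
    # Repeated echo probes from one user-context process are the behavioural indicator
    for (user, image), n in echo_probes.items():
        if n >= 3:
            findings.append(("low", "ipass-echo-probe",
                             f"{n} System.Echo probes from {user} ({image})"))
    return findings


def u16hex(s):
    """Hex of the UTF-16LE encoding, the form a Unicode pipe write would arrive in."""
    return s.encode("utf-16-le").hex()


# Constructed sample events (not real telemetry); the user, image, host and share
# names are placeholders.
TOOL = r"C:\Users\jdoe\tool.exe"
SAMPLE_EVENTS = [
    {"type": "pipe_connect", "pipe": PIPE_NAME, "user": "CORP\\jdoe", "image": TOOL},
    {"type": "pipe_write", "pipe": PIPE_NAME, "user": "CORP\\jdoe", "image": TOOL, "data": u16hex("System.Echo 1234")},
    {"type": "pipe_write", "pipe": PIPE_NAME, "user": "CORP\\jdoe", "image": TOOL, "data": u16hex("System.Echo 5678")},
    {"type": "pipe_write", "pipe": PIPE_NAME, "user": "CORP\\jdoe", "image": TOOL, "data": u16hex("System.Echo 9012")},
    {"type": "pipe_write", "pipe": PIPE_NAME, "user": "CORP\\jdoe", "image": TOOL,
     "data": u16hex("iPass.SWUpdateAssist.RegisterCOM \\\\10.0.0.5\\share\\abcdefg.dll")},
    {"type": "pipe_write", "pipe": PIPE_NAME, "user": "CORP\\jdoe", "image": TOOL,
     "data": u16hex("LaunchAppSysMode <constructed-args>")},
    {"type": "net_connect", "image": r"C:\Program Files\iPass\Open Mobile\iPassPeriodicUpdater.exe",
     "dst": "10.0.0.5", "dst_port": 445},
    # Benign noise: the service itself touching the pipe, and an unrelated HTTPS connection
    {"type": "pipe_connect", "pipe": PIPE_NAME, "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Program Files\iPass\svc.exe"},
    {"type": "net_connect", "image": r"C:\Program Files\Browser\browser.exe", "dst": "203.0.113.9", "dst_port": 443},
]

if __name__ == "__main__":
    for severity, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

Run against the sample stream the script reports the pipe access, the RegisterCOM-with-UNC write, the LaunchAppSysMode write, the outbound SMB connection from the iPass process and the repeated echo probes, while the SYSTEM-context pipe connection and the HTTPS connection produce nothing. The UTF-16LE check in decode_payload matters because a detector that only looks at raw bytes would miss the Unicode form of the UNC path that the indicator list calls out.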
No detection rules found.
Exploit-DB
IPass Control Pipe - Remote Command Execution (Metasploit) · exploitdb · 2015-03-16 · CVE-2015-0925
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IPass Control Pipe Remote Command Execution',
      'Description'    => %q{
        This module exploits a vulnerability in the IPass Client service. This service provides a
        named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused
        to force the service to load a DLL from a SMB share.
      },
      'Author'         =>
        [
          'Matthias Kaiser', # Vulnerability discovery
          'h0ng10 ', # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2015-0925' ],
          [ 'OSVDB', '117423' ],
          [ 'BID', '72265' ],
          [ 'URL', 'http://codewhitesec.blogspot.de/2015/02/h
```
Metasploit
IPass Control Pipe Remote Command Execution · metasploit
This module exploits a vulnerability in the IPass Client service. This service provides a named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused to force the service to load a DLL from a SMB share.
Metasploit
iPass Mobile Client Service Privilege Escalation · metasploit
The named pipe, \IPEFSYSPCPIPE, can be accessed by normal users to interact with the iPass service. The service provides a LaunchAppSysMode command which allows executing arbitrary commands as SYSTEM.
No writeups or analysis indexed.