Latortuga0x71 Blog

Getting Started with bugs.

Wanted to get into finding bugs with meaningful impact. Looking mostly at binary applications. Etc. This will mostly be informal notes for tracking my findings and progress.

CyberGhost VPN

Decided to check out CyberGhost VPN since they have a 24-hour free trial.

It sends JSON data over pipes that tells the service process what to do (sets VPN configs, etc.). The service process monitors the VPN connection.

The JSON is deserialized and used to call a function with reflection. Example: "{'service':'ICyberVPNService','method':'SetVpnConfig'}". It also takes parameters, but after more digging there is a setting that only allows certain services to be deserialized.

Moving on to other things, I found a program called PeLauncher that is used to launch the main desktop client.

It can be used to launch any application. Maybe useful to evade detection? When launched like this, PeLauncher.exe /installtap, it will use relative paths to reinstall the OpenVPN and WireGuard drivers.

So if you copy all the files to a different location, like Public for example, and keep the directory structure, running this would attempt to install whatever you placed there, so you could just put your own code there and it would run elevated.

This could be used on engagements to upgrade to an elevated shell by tricking the user.
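From the defender's side, the PeLauncher behaviour above shows up as the launcher running from somewhere other than its install directory. The following is an added example, not code from the original post or from the vendor: it classifies process-creation events, where the install root `C:\Program Files\ExampleVPN`, the Sysmon-style field names `Image` and `CommandLine`, and the sample events are all constructed assumptions.

```python
import ntpath

# Assumption: constructed placeholder for the real install directory.
TRUSTED_ROOT = r"C:\Program Files\ExampleVPN"
LAUNCHER = "pelauncher.exe"

# Constructed sample events using Sysmon-style process-creation field names.
EVENTS = [
    {"Image": r"C:\Program Files\ExampleVPN\PeLauncher.exe",
     "CommandLine": r'"C:\Program Files\ExampleVPN\PeLauncher.exe" /installtap'},
    {"Image": r"C:\Users\Public\cg\PeLauncher.exe",
     "CommandLine": r"C:\Users\Public\cg\PeLauncher.exe /installtap"},
    {"Image": r"C:\Program Files\ExampleVPN\..\..\Users\Public\PELAUNCHER.EXE",
     "CommandLine": "PELAUNCHER.EXE"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


def _norm(path):
    # Resolve ".." segments, unify separators and case with Windows rules on any OS.
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, root):
    # The trailing separator stops "ExampleVPN2" from matching "ExampleVPN".
    return _norm(path).startswith(_norm(root).rstrip("\\") + "\\")


def classify(event, trusted_root=TRUSTED_ROOT):
    """Return None, 'medium' or 'high' for one process-creation event."""
    image = event.get("Image", "")
    if ntpath.basename(_norm(image)) != LAUNCHER:
        return None
    if is_under(image, trusted_root):
        return None
    # The launcher was copied elsewhere, so its relative paths now resolve
    # to files that a non-admin user may control.
    args = event.get("CommandLine", "").lower().split()
    return "high" if "/installtap" in args else "medium"


def scan(events):
    hits = ((e["Image"], classify(e)) for e in events)
    return [(image, sev) for image, sev in hits if sev]
```

Matching on the file name alone misses a renamed copy, so pair this with signer or original-file-name fields where your telemetry has them.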

Summary

CyberGhost VPN Findings.

Tools
