Sangfor is a Chinese network security company that provides services such as hyper-convergence, distributed storage, private cloud, desktop cloud, managed cloud, edge computing, VPN and more.

Its aTrust product has a privilege escalation vulnerability.

Official website: https://www.sangfor.com.cn/sangfor-security/atrust

Version: V2.3.10.60 (latest)

aTrust is Sangfor's VPN system. The default installation path is:

C:\Program Files (x86)\Sangfor\aTrust

Users can access this folder, while administrators have full control over it.

When it is launched, the software starts a service that runs with SYSTEM privileges.

Software ownership

Problem:

When the software runs, it loads a DLL named MSASN1.dll. A malicious MSASN1.dll can be placed in the relevant directory to complete the privilege escalation.

Writing a malicious DLL using Visual Studio

Restarted the device and found that the privilege escalation was successful.

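A defensive check for the conditions described above, as an added example that is not part of the original write-up: it lists principals other than SYSTEM, Administrators and TrustedInstaller that own or can write to the install directory tree, and flags DLLs there that share a name with a Windows system DLL such as MSASN1.dll. The trusted-SID list and the set of rights treated as write access are assumptions of this example; the path is the default given on this page.

```powershell
# Added example (not from the original write-up): audit an install tree for
# DLL-planting exposure. The default path is the one given on this page.
param([string]$InstallDir = 'C:\Program Files (x86)\Sangfor\aTrust')

# Assumption: only these principals are expected to own or write here.
$trusted = @(
    'S-1-5-18'      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Assumption: rights that allow creating or replacing a file in a directory.
$write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType = [System.Security.Principal.SecurityIdentifier]

# 1. Owner and effective allow-ACEs on every directory in the tree.
$dirs = @(Get-Item -LiteralPath $InstallDir) +
        @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Directory -ErrorAction SilentlyContinue)
foreach ($d in $dirs) {
    $acl = Get-Acl -LiteralPath $d.FullName
    $owner = $acl.GetOwner($sidType).Value
    if ($trusted -notcontains $owner) {
        [pscustomobject]@{ Finding = 'OwnedByNonAdmin'; Path = $d.FullName; Sid = $owner; Detail = 'owner can normally rewrite the DACL' }
    }
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band $inheritOnly) { continue }   # applies to children only
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if ($ace.FileSystemRights -band $write) {
            [pscustomobject]@{ Finding = 'WritableByNonAdmin'; Path = $d.FullName; Sid = $ace.IdentityReference.Value; Detail = "$($ace.FileSystemRights)" }
        }
    }
}

# 2. DLLs in the tree that share a name with a Windows system DLL, with signature status.
$sysDirs = "$env:WINDIR\System32", "$env:WINDIR\SysWOW64"
Get-ChildItem -LiteralPath $InstallDir -Recurse -File -Filter *.dll -ErrorAction SilentlyContinue |
    Where-Object { $name = $_.Name; $sysDirs | Where-Object { Test-Path -LiteralPath (Join-Path $_ $name) } } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{ Finding = 'ShadowsSystemDll'; Path = $_.FullName; Sid = $null; Detail = "signature=$($sig.Status); signer=$($sig.SignerCertificate.Subject)" }
    }
```

A ShadowsSystemDll hit is a lead to review rather than proof of tampering, since some vendors ship their own copy of a system-named DLL; an unsigned or unexpectedly signed copy inside a directory also reported as WritableByNonAdmin is the combination to investigate.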