LOLBINed — CyberGhost VPN (PeLauncher.exe/Dashboard.exe)
In the same spirit as my last article about “F-Secure FSDIAG”, let’s continue our search for LOLBINs in known products. This time I’m taking a look at CyberGhost VPN
Note: Since the CyberGhost team doesn’t have a vulnerability program, I’ve reported this issue to the support team which they forwarded to the appropriate teams. Unfortunately, they didn’t deem this as a major vulnerability. So no “fix” is available as of me writing this blog.
Similar to the F-Secure research, I started by downloading the latest version of the CyberGhost VPN and installing it while monitoring everything it’s doing. Nothing looked suspicious at first glance, so I decided to take a look at the directory structure and see what binaries are available.
The first one that caught my eye is called conveniently “PeLauncher.exe” and is located by default in “C:\Program Files\CyberGhost 8\Applications\VPN”.
Inspecting the file with PESutdio we see that it’s written in “.NET” so that means we can hopefully see the “source”.
Inspecting it reveals only one class called “Program” with an interesting main function that takes a relative path to a binary named “Dashboard.exe” and executes it with the “!!launch” argument and any argument we pass.
“Dashboard.exe” is the binary responsible for showing the dashboard of the CyberGhost VPN. (See screenshot below)
With this knowledge, we can now abuse “Dashboard.exe” as follow
- Take any binary of your choosing and rename it “Dashboard.exe”.
- Create two nested folders “A” and “B” and copy “PeLauncher.exe” inside.
- Copy the fake “Dashboard.exe” two levels from where “PeLauncher” is located.
- Execute the following command. (The arg is necessary to bypass the check seen in the source)
- Your binary will be executed as a child of “PeLauncher”. (Note your binary must know how to handle the “!!launch” and the argument you provide as they are hardcoded)
This is a nice start as “PeLauncher.exe” is signed :)
The “!!launch” argument got me intrigued so I decided to look at the real “Dashboard.exe” next.
Again checking the binary we see that it’s also written in “.NET”. This makes our life a little bit easier to perform the analysis.
Looking for the “!!launch” didn’t yield any meaningful results. Fortunately the string “!!” did give us a lead.
We can use the “!!launch” argument to launch any executable we want by specifying it as follow
Dashboard.exe !!launch [PathToBinary]
Let’s try this with an example of launching “calc”
As a bonus, this binary is signed :)
Note: Contrary to the “PeLauncher.exe” binary above, the “Dashboard.exe” binary is dependent on a lot of DLLs so it’s better to launch it directly from the installation folder if you have the necessary privileges.
That’s it for this short blog and I hope you enjoyed reading it. If you want to discuss this blog or anything related to infosec you can find me on Twitter @nas_bench