Allele Security Alert
ASA-2019-00385
Identifier(s)
ASA-2019-00385, CVE-2019-12579
Title
Command Injection
Vendor(s)
London Trust Media
Product(s)
Private Internet Access (PIA) VPN Client
Affected version(s)
Private Internet Access (PIA) VPN Client v82 for Linux and macOS
Fixed version(s)
Private Internet Access (PIA) VPN Client v1.2.1+ for Linux and macOS
Proof of concept
Yes
Description
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges.
Technical details
The PIA Linux and macOS openvpn_launcher.64 binary is setuid root. This binary accepts several parameters to update the system configuration. These parameters are passed to operating system commands using a here-document. The parameters are not sanitized, so shell metacharacters in them can be used to run arbitrary commands as root. A local unprivileged user can pass specially crafted parameters that will be interpolated by the operating system calls.
All steps are executed as a low privileged user.
Step 1 – Execute openvpn_launcher.64 with the following parameters to execute the id command as root while redirecting the output to /dev/tty.
##########
# Linux
##########
/opt/pia/openvpn_launcher.64 --dns up a b c'$(/usr/bin/id>/dev/tty)' >/dev/null 2>/dev/null

##########
# macOS
##########
/Applications/Private\ Internet\ Access.app/Contents/Resources/openvpn_launcher \
  --dns up a b c'$(/usr/bin/id>/dev/tty)' >/dev/null 2>/dev/null
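Added example (not part of the original advisory and not PIA's code): one way a setuid helper can close this class of bug is to parse each value strictly and write it with stdio instead of interpolating it into a shell here-document. It assumes the --dns values are DNS server IP addresses; the function names and the "nameserver" output line are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Accept a value only if it is a literal IPv4 or IPv6 address.
 * Assumption: the --dns values are DNS server addresses; the advisory
 * does not say what each parameter means. */
int is_ip_literal(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    if (s == NULL || *s == '\0' || strlen(s) >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Index of the first rejected value, or -1 if every value passes. */
int first_bad_dns_arg(int n, const char *const vals[])
{
    for (int i = 0; i < n; i++)
        if (!is_ip_literal(vals[i]))
            return i;
    return -1;
}

/* Hypothetical writer: validates first, then emits the lines with
 * fprintf() to an open stream, so no shell ever parses the values.
 * Returns lines written, or -1 (nothing written) if validation fails. */
int write_nameservers(FILE *out, int n, const char *const vals[])
{
    if (first_bad_dns_arg(n, vals) != -1)
        return -1;
    for (int i = 0; i < n; i++)
        fprintf(out, "nameserver %s\n", vals[i]);
    return n;
}

int main(void)
{
    /* Constructed sample input; the last "bad" value has the
     * command-substitution shape shown in the advisory. */
    const char *const bad[] = { "10.0.0.1", "10.0.0.2", "c$(/usr/bin/id>/dev/tty)" };
    const char *const good[] = { "10.0.0.1", "2001:db8::53" };
    printf("bad set rejected at index %d\n", first_bad_dns_arg(3, bad));
    printf("good set wrote %d lines\n", write_nameservers(stdout, 2, good));
    return 0;
}
```

Because the value is rejected before any output and no shell is involved on the accepted path, metacharacters never reach an interpreter running as root.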
Credits
Rich Mirch
Reference(s)
PIA Linux, macOS Privilege Escalation: Command Injection
https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12579.txt
CVE-2019-12579
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12579
CVE-2019-12579
https://nvd.nist.gov/vuln/detail/CVE-2019-12579
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 26, 2019