Rich Mirch

Penetration Tester, Red Teamer, Security Researcher

CVE-2019-12572 PIA Windows Privilege Escalation: Malicious OpenSSL Engine — June 10, 2019

Vulnerability Summary

During startup the PIA Windows service (pia-service.exe) loads the OpenSSL library from C:\Program Files\Private Internet Access\libeay32.dll. This library attempts to load the configuration file C:\etc\ssl\openssl.cnf. By default on Windows systems, authenticated users can create directories under C:\, so a low-privileged user can create C:\etc\ssl\openssl.cnf with contents that load a malicious OpenSSL engine library, resulting in arbitrary code execution as SYSTEM when the service starts.

The root cause is that when the OpenSSL libraries were built, the OPENSSLDIR parameter was set to a path that a low-privileged user can create or modify. I believe this issue is lurking in many Windows applications that bundle OpenSSL libraries. I have discovered the same vulnerability in several other Windows applications and will be disclosing those findings when patches are available.

I created a simple tool to help identify potentially vulnerable OpenSSL libraries: https://github.com/mirchr/openssldir_check

CVE-2019-12572 has been patched in v1.2.1. The latest Windows desktop client can be upgraded automatically via the application or manually from the download page at Private Internet Access.
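As an added illustration of the check described above (my own example code, not the author's openssldir_check tool), the following Python script looks for the OPENSSLDIR: "..." version string that OpenSSL compiles into libcrypto (libeay32.dll in 1.0.x builds) and flags any directory that a standard Windows user could create or modify. The byte blob used as input and the list of roots treated as protected are assumptions made for the example.

```python
import re
import sys
from pathlib import PureWindowsPath

# OpenSSL embeds its configuration directory in libcrypto as the string
# returned by OpenSSL_version(OPENSSL_DIR), for example:
#   OPENSSLDIR: "C:\etc\ssl"
OPENSSLDIR_RE = re.compile(rb'OPENSSLDIR: "([^"\x00]+)"')

# Assumption for this example: these roots are not writable by standard
# users on a default Windows install; anything else under C:\ (C:\etc,
# C:\OpenSSL, C:\usr, ...) can be created by any authenticated user.
PROTECTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\Windows"),
)

# Constructed stand-in for a library image; real input is the DLL's bytes.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"unrelated string\x00"
    + b'OPENSSLDIR: "C:\\etc\\ssl"\x00'
    + b"\x00" * 16
)


def extract_openssldir(image: bytes) -> list:
    """Return every OPENSSLDIR value embedded in a library image."""
    return [m.decode("ascii", "replace") for m in OPENSSLDIR_RE.findall(image)]


def is_user_creatable(openssldir: str) -> bool:
    """Heuristic: could a low-privileged Windows user create or modify this path?"""
    path = PureWindowsPath(openssldir)
    if not path.drive:
        # e.g. /usr/local/ssl from a MinGW-style build: resolved against the
        # process's current drive, so C:\usr\local\ssl is user-creatable.
        return True
    parts = [p.lower() for p in path.parts]
    for root in PROTECTED_ROOTS:
        root_parts = [p.lower() for p in root.parts]
        if parts[: len(root_parts)] == root_parts:
            return False
    return True


def scan_image(image: bytes) -> list:
    """Pair each embedded OPENSSLDIR with its creatability verdict."""
    return [(d, is_user_creatable(d)) for d in extract_openssldir(image)]


def main(argv):
    if len(argv) < 2:
        targets = [("<sample>", SAMPLE_IMAGE)]
    else:
        targets = [(p, open(p, "rb").read()) for p in argv[1:]]
    for name, image in targets:
        for openssldir, creatable in scan_image(image):
            verdict = "SUSPECT (user-creatable)" if creatable else "ok"
            print(f"{name}: OPENSSLDIR={openssldir} -> {verdict}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as python openssldir_scan.py path\to\libeay32.dll (or libcrypto-1_1.dll). A user-creatable hit is only exploitable if the hosting process actually loads openssl.cnf (OpenSSL 1.1.x does so automatically; 1.0.x only when the application calls OPENSSL_config), so confirm with a process monitor that the file open is attempted, as the write-up does.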


Walkthrough

While hunting for potential vulnerabilities in the Windows Private Internet Access desktop application I noticed a failed call to open the c:\etc\ssl\openssl.cnf file during the service startup.

[Screenshot: pia-openssl-failed-open]

This caught my attention and I needed to research this further. But before I get into the details of that, let’s take a step back and see how I arrived there.


Write-up for CVE-2018-15332, CVE-2018-5529, CVE-2018-5546, CVE-2019-6617 — May 21, 2019

Published write-ups for a few vulnerabilities I discovered and responsibly disclosed last year. One vulnerability took three fixes to finally resolve the issue. As a best practice, I always re-check the vulnerability after a patch is available because the fix may not properly resolve the issue or a new vulnerability is introduced. Kudos to the F5 Security Incident Response Team (SIRT). I will be posting additional detailed write-ups in the near future.

CVE-2018-15332, CVE-2018-5529, and CVE-2018-5546 – F5 BIG-IP APM client for Linux and macOS arbitrary file takeover vulnerability.

https://github.com/mirchr/security-research/blob/master/vulnerabilities/F5/CVE-2018-15332.txt

https://github.com/mirchr/security-research/blob/master/vulnerabilities/F5/CVE-2018-5529.txt

CVE-2019-6617 – F5 BIG-IP Resource Administrator Privilege Escalation.

https://github.com/mirchr/security-research/blob/master/vulnerabilities/F5/CVE-2019-6617.txt


Linux persistence idea – using group passwords — January 9, 2019

A rarely used feature on Linux and UNIX systems is the ability to set a password on a group, much as one is set on a user account. The password hash is stored in the second field of the group's entry in gshadow(5). Anyone who knows the password can run newgrp(1) to temporarily change their GID to that group without being a member of it. The goal of this post is to show how this feature can be leveraged to establish persistence on a server in a semi-stealthy way.
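As an added example (my own detection code, not part of the original post), here is a Python script that parses gshadow(5) entries and lists every group carrying a usable password hash, which is the artifact this persistence technique leaves behind. The sample gshadow lines, the placeholder hash value and the set of groups treated as privileged are constructed for the example.

```python
import sys

# Constructed sample /etc/gshadow content, not taken from a real host.
# Format per gshadow(5): group:password:administrators:members
# The "$6$..." value is a placeholder, not a valid hash.
SAMPLE_GSHADOW = """\
root:*::
sudo:*::alice
docker:!::
staff::alice:
wheel:$6$saltsalt$ConstructedPlaceholderHashNotReal000000000000:alice:bob
"""

# Assumption: groups whose membership grants elevated access on most hosts.
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "adm", "admin", "shadow",
                     "disk", "docker", "lxd"}


def describe_hash(pw: str) -> str:
    """Name the crypt(3) scheme from the hash prefix."""
    prefixes = {"$6$": "sha512-crypt", "$5$": "sha256-crypt",
                "$y$": "yescrypt", "$1$": "md5-crypt", "$2b$": "bcrypt"}
    for prefix, name in prefixes.items():
        if pw.startswith(prefix):
            return name
    if len(pw) == 13:
        return "des-crypt"
    return "unknown"


def has_usable_password(pw: str) -> bool:
    """True if newgrp(1) could accept a password for this group.

    An empty field means members only, no password; "!" or "*" (or any
    other value that is not a crypt(3) result) disables password access.
    """
    return pw not in ("", "!", "!!", "*") and not pw.startswith("!")


def parse_gshadow(text: str) -> list:
    """Parse gshadow-formatted text into a list of entry dicts."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"gshadow line {lineno}: expected 4 fields, got {len(fields)}")
        name, pw, admins, members = fields
        entries.append({
            "name": name,
            "password": pw,
            "admins": [a for a in admins.split(",") if a],
            "members": [m for m in members.split(",") if m],
        })
    return entries


def find_password_groups(text: str) -> list:
    """Return groups anyone with the password can newgrp into, privileged ones first."""
    hits = []
    for entry in parse_gshadow(text):
        if has_usable_password(entry["password"]):
            entry["hash_type"] = describe_hash(entry["password"])
            entry["privileged"] = entry["name"] in PRIVILEGED_GROUPS
            hits.append(entry)
    hits.sort(key=lambda e: (not e["privileged"], e["name"]))
    return hits


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_GSHADOW
    for e in find_password_groups(text):
        flag = "PRIVILEGED " if e["privileged"] else ""
        print(f"{flag}group {e['name']}: {e['hash_type']} password set; "
              f"admins={e['admins']} members={e['members']}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as root against the real file (python3 gshadow_check.py /etc/gshadow); any hit on a privileged group deserves a look at who set it (gpasswd writes to gshadow, so check file mtime and shell history) and at group-password entries in the same file that do not correspond to a legitimate administrative workflow.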
