![]() ![]() : Information about vulnerability provided to the vendor : Initial reply from the vendor asking for more information ![]() : Email sent to support about the process for reporting security issues because we were not aware of their disclosure guidelines Text of the advisory written by Yakov Shafranovich. We would like to thank the vendor for the quick turnaround and fix for this vulnerability. ReferencesĬWE: CWE-400 – Uncontrolled Resource Consumption (‘Resource Exhaustion’) Credits This bug has fulfilled the requirements of the vendor’s bounty program and a bounty has been paid. Users should install the latest version to fix this issue. This fix is available in v1.3.3.1 or later, and has been deployed to the Google Play store. To fix this issue, the vendor (London Trust Media / PIA) had added a size check when downloading and processing the file containing a list of VPN servers. Re-open the PIA app and observe the crash.Īll testing was done on v1.3.3 of the Android application using a Linux host running Ubuntu v17.10 and Android test devices running Android v7 and v8. AT THIS POINT – Android will resolve DNS against the Linux computer and serve the large servers fileħ. Modify the settings on the Android test phone to static, set DNS to point to “192.168.1.x”. Use mkdir and fallocate to create a large server file in “ /var/www/html/” (you may need to use sudo): cd /var/www/htmlĦ. Configure /etc/nf file to listen on the IP and restart DNSMASQ listen-address=192.168.1.xĥ. Modify the /etc/hosts file to add the following entry to map PIA’s domain name to the Linux host: 192.168.1.x 4. ![]() Install dnsmasq and NGINX on the Linux host: sudo apt-get install dnsmasq nginxģ. Install the PIA application on the Android device, sign up for an account and login via the application. If the data packet is larger than the memory on the device, the application will crash since it did not include a size check to avoid large downloads.īecause of the digital signature, we were not able to modify the actual server data within the JSON packet but we were successful in crashing the application by injecting a large packet. Example URL: įile layout: īecause the file download is done without SSL / TLS, it is possible for an MITM attacker to intercept this traffic and inject their own data. However, the resulting server file was digitally signed via a base-64 encoded signature appearing on the bottom of the file. This call was done over HTTP without the use of SSL / TLS. While monitoring network traffic of a test device running Android, we observed that the official PIA Android client application downloaded from the Google Play store made network calls to a PIA server to retrieve a list of current VPN servers in JSON format. PIA provides official clients for multiple operating systems including Windows, Chrome, macOS, Linux, iOS and Android. The vendor provides a privacy service to encrypt Internet connections via VPN tunnels and have them terminate on anonymous IP addresses. Private Internet Access (PIA) is a commercial VPN service operated by London Trust Media, Inc. MITRE has assigned # CVE-2017-15882 to track this issue. The vendor has fixed this issue in v1.3.3.1 and users should install the latest version. While the file is digitally signed, it is not served over SSL and the application did not contain logic for checking if the provided file is very large. ![]() This can be exploited by an MITM attacker via intercepting and replacing this file. The Android application provided by Private Internet Access (PIA) VPN service can be crashed by downloading a large file containing a list of current VPN servers. ![]()
0 Comments
Leave a Reply. |