London Trust Media, Inc
Private Internet Access VPN for Windows
A vulnerability in Private Internet Access VPN Client for Windows could allow an unauthenticated, local attacker to run executable files with elevated privileges. The vulnerability is due to insufficient implementation of the access controls. The
Help options available from the system tray context menu for the PIA VPN client spawns an elevated instance of the user's default web browser. An attacker could exploit this vulnerability by selecting
Run as Administratorfrom the context menu of an executable file within the file browser of the spawned default web browser. This may allow the attacker to execute privileged commands on the targeted system.
The vendor has released an update
03-23-2018 - Vendor disclosure via email 03-23-2018 - Vendor notified via Facebook 03-23-2018 - Vendor response via email 03-27-2018 - Vendor requests resubmission of disclosure to London Trust Media 03-27-2018 - Resubmission of vendor disclosure 03-27-2018 - Vendor responded with bug bounty offer 03-27-2018 - VerSprite declined bounty 03-28-2018 - Vendor submitted update for testing 03-28-2018 - VerSprite Security tests update and confirmed vulnerability resolution 04-05-2018 - Vendor releases update 04-17-2018 - Vendor notified of the advisory release
Offensive Minded Security Exploit Development