eduvpn/macos

remove unsafe options from OpenVPN client config file

fkooman opened this issue · 10 comments

Passing the OpenVPN configuration file unfiltered to the OpenVPN helper process could introduce a local root exploit, e.g. a normal user can become root.

One way this could be done is to provide the --route-up configuration flag with a malicious script that then would be executed as root when connecting to the VPN. Verification is done for the --up and --down scripts, but not for all possible scripts.

Proposal: create a whitelist of "safe" OpenVPN configuration directives, drop the rest from the configuration file.

https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

"SCRIPTING AND ENVIRONMENTAL VARIABLES"

--up
    Executed after TCP/UDP socket bind and TUN/TAP open. 
--tls-verify
    Executed when we have a still untrusted remote peer. 
--ipchange
    Executed after connection authentication, or remote IP address change. 
--client-connect
    Executed in --mode server mode immediately after client authentication. 
--route-up
    Executed after connection authentication, either immediately after, or some number of seconds after as defined by the --route-delay option. 
--route-pre-down
    Executed right before the routes are removed. 
--client-disconnect
    Executed in --mode server mode on client instance shutdown. 
--down
    Executed after TCP/UDP and TUN/TAP close. 
--learn-address
    Executed in --mode server mode whenever an IPv4 address/route or MAC address is added to OpenVPN's internal routing table. 
--auth-user-pass-verify
    Executed in --mode server mode on new client connections, when the client is still untrusted. 

At least those need to be removed from client configuration files. Maybe others as well.

The macOS app itself adds options for running the DNS modifications and also sets script-security 2. The filtering should probably take place before those options are added by the macOS app, or they should be whitelisted.

If script-security is already set in the file it should be removed as well. And possibly later added by the macOS app.

This should probably be implemented in the "helper", not in the app. The user could write their own RPC call to the helper and circumvent the filtering if it takes place in the app.

I think filtering before saving the config in-app and filtering again before connecting in the OpenVPN helper will make it more secure.
So we have two layers of security: 1) when saving the config file and 2) in the OpenVPN helper during connection.

I am doing a lot of research to find a really good solution.

Viscosity's solution is: they just ask the user whether they want to use this unsafe config file.
I think our solution must be better, an active solution that works out of the box. Thanks, team, for creating such an awesome idea.

A few things to remove from the file:

  1. Need to remove scripts containing all commands in ["up", "tls-verify", "ipchange", "client-connect", "route-up", "route-pre-down", "client-disconnect", "down", "learn-address", "auth-user-pass-verify"]
  2. Encrypted script: I searched the internet a lot and found that many hackers use encrypted malicious scripts; we need to avoid that.

I searched a lot and could not find anything else that needs filtering; if anyone in the team finds anything, please let me know.

Need to remove scripts containing all commands in ["up", "tls-verify", "ipchange", "client-connect", "route-up", "route-pre-down", "client-disconnect", "down", "learn-address", "auth-user-pass-verify"]

Don't forget script-security for good measure.

Encrypted script: I searched the internet a lot and found that many hackers use encrypted malicious scripts; we need to avoid that.

I have no idea what this means?

Here you go

https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da

All I see is various ways to obfuscate running the script using the commands that were mentioned before...

That being said: it is not trivial to write an OpenVPN configuration parser, you also need to consider the blocks etc.

Yes sure I agree, I will follow your order
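A filter along the lines of the whitelist proposed in the opening post, written so that the inline `<tag>...</tag>` blocks mentioned in the last comment are handled as opaque units. This is an added example, not code from eduvpn/macos or the OpenVPN project; the allowlist contents, the block names, and the sample config are assumptions, and the allowlist approach means any token the filter cannot classify (quoted names, unknown options, unknown blocks) is dropped rather than passed through.

```python
import re
# Script-running directives from the manpage excerpt, plus script-security.
SCRIPT_DIRECTIVES = frozenset({
    "up", "tls-verify", "ipchange", "client-connect", "route-up",
    "route-pre-down", "client-disconnect", "down", "learn-address",
    "auth-user-pass-verify", "script-security"})
# Assumed allowlist for this example; minus SCRIPT_DIRECTIVES as a guard.
SAFE_DIRECTIVES = frozenset({
    "client", "dev", "proto", "remote", "resolv-retry", "nobind", "verb",
    "persist-key", "persist-tun", "remote-cert-tls", "cipher", "auth",
    "tls-version-min", "key-direction", "reneg-sec"}) - SCRIPT_DIRECTIVES
SAFE_BLOCKS = frozenset({"ca", "cert", "key", "tls-auth", "tls-crypt"})
_OPEN_TAG = re.compile(r"^<([A-Za-z0-9-]+)>$")

def filter_config(text):
    """Return (filtered_text, dropped_names) for an OpenVPN client config."""
    lines, kept, dropped, i = text.splitlines(), [], [], 0
    while i < len(lines):
        stripped = lines[i].strip()
        tag = _OPEN_TAG.match(stripped)
        if tag:  # inline block: copied or dropped whole; the closing tag is
            # matched at line start as OpenVPN does, so "up ..." inside a
            # certificate body is never read as a directive
            name, end = tag.group(1), i + 1
            while end < len(lines) and not lines[end].startswith(f"</{name}>"):
                end += 1
            if end == len(lines):
                raise ValueError(f"unterminated <{name}> block")
            if name in SAFE_BLOCKS:
                kept.extend(lines[i:end + 1])
            else:
                dropped.append(f"<{name}>")
            i = end + 1
            continue
        if stripped and stripped[0] not in "#;":
            directive = stripped.split()[0]
            if directive.startswith("--"):  # config files accept --option too
                directive = directive[2:]
            if directive in SAFE_DIRECTIVES:  # anything unlisted is dropped
                kept.append(lines[i])
            else:
                dropped.append(directive)
        else:
            kept.append(lines[i])  # blank lines and comments are harmless
        i += 1
    return "\n".join(kept) + "\n", dropped

# Constructed sample: two hooks, script-security, a --prefixed directive and
# a directive-looking line inside the <ca> block.
SAMPLE = ("client\ndev tun\nremote vpn.example.org 1194 udp\nscript-security 2\n"
          "route-up /path/to/untrusted.sh\n--down /path/to/untrusted.sh\n<ca>\n"
          "-----BEGIN CERTIFICATE-----\nup this-line-is-certificate-data\n"
          "-----END CERTIFICATE-----\n</ca>\nverb 3\n")
```

Because `dropped` is returned, the helper can refuse the file outright or log what was stripped rather than silently connecting with a modified config.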