Here at watchTowr, we like to proactively audit security-critical codebases which we notice our clients rely on. This feeds our ability to keep external attack surfaces secure, as we can find and fix vulnerabilities before exploitation can affect our clients.

Typically, during these audits, we are concerned with high-impact, 'world-ending' vulnerabilities, but often we notice smaller bugs which have limited impact, or even those which have no impact at all but severely weaken the general security posture of a codebase. Usually in these cases, we work with the software vendor to have these bugs fixed and the codebase strengthened.

These audits are always a "journey", in some sense of the word, progressing from a state of little knowledge about the target codebase into a state of heightened awareness of its foibles. Today I'd like to share one such journey, which (spoilers!) didn't yield anything high-impact, but exposed a few weird eccentricities in the codebase which some technical readers might find interesting. This audit also highlighted a few oddities that could have become world-ending bugs in the future, had we not found them and brought them to the attention of the vendor.

A word of warning - this isn't going to be the usual 'actionable' blogpost, but represents more of a 'stream of consciousness' as I recollect this audit. Those interested in auditing such codebases may find it interesting, as may those interested in the gory details of the bug-hunting process, but if you're just here to find the latest 0day you may want to skip this post!

So, in this audit, we're looking at "OpenVPN Access Server", or "OpenVPN AS". Not to be confused with "OpenVPN" itself, which is a VPN daemon, "OpenVPN Access Server" is a tool to manage your installation of OpenVPN. For the sake of brevity I'll refer to "OpenVPN Access Server" simply as AS from now on.

Those who have managed an OpenVPN installation will be aware that it usually uses a proper PKI-based authentication flow, with a CA certificate which signs a certificate for each client. Setting up this PKI can be fiddly, so AS will take care of this for you, setting up its own CA cert on installation. You can then add or delete users, with AS taking care of signing and revoking certificates.

The users themselves can also log into OpenVPN AS, at which point they are presented with the option to download a configuration file which they can use to connect to OpenVPN itself. AS will even serve a customised version of the OpenVPN client installer, with the necessary configuration and certificates injected, so that your users can easily connect to the VPN without administrative oversight. Neat!

As a closed-source application frequently exposed to untrusted users (by necessity), this seems like a good place to hunt for critical bugs. There's also an evaluation version of the server available for download, so let's install it and take a look around!

After installing, we are presented with a nice login page via HTTPS on port 943. Great, but what's the default password? I can't remember setting one during the installation. Let's delve into the filesystem and look for it:

```
grep pass /usr/local/openvpn_as/*
```

Among the matches:

```
To login please use the "openvpn" account with "vpsRK3ishLxi" password.
```

OK, great, so the default password is written to init.log, which logs a load of information about the installation process. It's also in the 'tmp/initial_ovpn_pass' file, in a format better suited for scripting.

```
ls -lah /usr/local/openvpn_as
drwxr-xr-x 9 root root 4.0K May 30 22:29 .
...
-rw-r--r-- 1 root root 516 May  2 14:52 exports
drwxr-xr-x 2 root root 4.0K May  2 14:52 include
```

This reveals our first bug - who can spot it?
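Whatever the author's intended answer, a defender reviewing an install tree wants an automated version of the two checks the post does by hand: which entries `ls -l` shows as readable by every local user, and which of those files carry credential-looking content such as a bootstrap password echoed into a log. The Python below is an added example written for this page; it is not code from the watchTowr post or from OpenVPN AS. The directory tree it builds, the file contents and the `EXAMPLE_PASSWORD` string are constructed stand-ins, and only the three `ls -lah` lines in `POST_LISTING` are taken from the page.

```python
"""Find credential-bearing files that any local user can read.

Added example for this page (not the watchTowr post's code, not OpenVPN AS code).
The tree built by build_demo_tree() is constructed: file names mirror what the
post mentions, the contents and the password are made up.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Text that usually marks a credential in a log, config or bootstrap file.
CONTENT_PATTERN = re.compile(r'password|passwd|secret|api[_-]?key', re.IGNORECASE)
# File names that usually mean "this holds a credential".
NAME_PATTERN = re.compile(r'pass|pwd|secret|cred', re.IGNORECASE)

# The nine rwx positions of an `ls -l` mode string, in order.
PERM_FLAGS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
              stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
              stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)

# The listing lines quoted in the post (the elided middle entries are omitted).
POST_LISTING = """drwxr-xr-x 9 root root 4.0K May 30 22:29 .
-rw-r--r-- 1 root root 516 May  2 14:52 exports
drwxr-xr-x 2 root root 4.0K May  2 14:52 include
"""


def parse_ls_mode(mode_string):
    """Turn '-rw-r--r--' into a permission bitmask (0o644 for that string).

    The leading type character is ignored; 's'/'t' count as execute set,
    'S'/'T' (setuid/sticky without execute) do not.
    """
    if len(mode_string) < 10:
        raise ValueError(f'not an ls -l mode string: {mode_string!r}')
    bits = 0
    for ch, flag in zip(mode_string[1:10], PERM_FLAGS):
        if ch not in '-ST':
            bits |= flag
    return bits


def is_world_readable(mode_bits):
    """True when the 'other' read bit is set, i.e. every local user can read it."""
    return bool(mode_bits & stat.S_IROTH)


def world_readable_entries(ls_output):
    """Names from `ls -l`-style output whose mode grants read to everyone."""
    names = []
    for line in ls_output.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or len(parts[0]) < 10:
            continue  # 'total N', blank lines, anything that is not an entry
        if is_world_readable(parse_ls_mode(parts[0])):
            names.append(parts[8])
    return names


def scan_tree(root):
    """Files under root that are world-readable AND look like they hold a credential.

    Returns [(path relative to root, mode string)] in path order. Owner-only
    files are skipped even if they contain a password: the finding is the
    combination of sensitive content and a mode that lets anyone read it.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob('*')):
        if not path.is_file():
            continue
        mode = path.stat().st_mode
        if not is_world_readable(mode):
            continue
        try:
            text = path.read_text(errors='replace')
        except OSError:
            continue  # unreadable to us; nothing to report
        if NAME_PATTERN.search(path.name) or CONTENT_PATTERN.search(text):
            findings.append((path.relative_to(root).as_posix(), stat.filemode(mode)))
    return findings


def build_demo_tree():
    """Constructed install tree in a temp dir; names mirror the post, contents are made up."""
    root = Path(tempfile.mkdtemp(prefix='ovpn_as_demo_'))
    for sub in ('tmp', 'etc', 'include'):
        (root / sub).mkdir()
    files = {
        # world-readable log that echoes the bootstrap password, as the post describes
        'init.log': ('Installing...\n'
                     'To login please use the "openvpn" account with "EXAMPLE_PASSWORD" password.\n',
                     0o644),
        # world-readable copy in a script-friendly format
        'tmp/initial_ovpn_pass': ('EXAMPLE_PASSWORD\n', 0o644),
        # holds a password too, but owner-only: not a finding
        'etc/db.conf': ('db_password=EXAMPLE_PASSWORD\n', 0o600),
        # world-readable but harmless
        'include/openvpn.h': ('/* headers only */\n', 0o644),
    }
    for rel, (content, mode) in files.items():
        target = root / rel
        target.write_text(content)
        os.chmod(target, mode)
    return root


if __name__ == '__main__':
    print('world-readable in the quoted listing:', world_readable_entries(POST_LISTING))
    for rel, mode in scan_tree(build_demo_tree()):
        print(f'{mode} {rel}')
```

Run against a real tree, `scan_tree('/usr/local/openvpn_as')` gives the same two-part answer the post works out by hand: what is readable by everyone, and which of those files mention a credential. Run on a live host it should be read-only; the remediation (tightening the mode or removing the bootstrap artefacts after first login) is a separate, deliberate step.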