
Reverse Shell from an OpenVPN Configuration File - wglb
https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da
======
wepple
The other answer of course is that piping all your internet traffic through a
single 3rd party has some obvious consequences: surveillance and traffic
injection being the obvious ones. If anyone thinks they use TLS extensively;
run a Bro packet analyzer off a cheap switch span port for a month on your
upstream router and prepare to be surprised.

~~~
fibers
Is this possible on a ubiquiti switch?

~~~
whatthesmack
Yes. For UniFi, in the properties of the switch, go to Ports and click on the
edit button for the port that should become the mirror. Then click "+" next to
Profile Overrides. Under Operation, select Mirroring. Type the port number
that should be mirrored and Save. I did this with a UniFi Switch 8 POE-150W.

------
noonespecial
The long and short is that OpenVPN has a way to execute arbitrary system
commands at whatever privileges the OpenVPN daemon has (usually pretty high)
via a config file.

Treat OpenVPN config files the same way you'd treat a bash script you pulled
from the net and were thinking of running as root. IE: read the damn thing
first.
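
A reviewer's check for the point made above, as an added example that is not part of this thread or of the Tenable article: it lists the OpenVPN directives that can launch an external program (the script hooks plus `script-security`) found in a `.ovpn` file, skipping comments and inline certificate blocks. The sample config is constructed, not taken from the article.

```python
import re

# OpenVPN directives that hand a program or script to the shell (the "script
# hooks" in the OpenVPN manual). 'script-security' is listed because a level
# of 2 or higher is what permits those hooks to call external scripts.
CODE_DIRECTIVES = {
    "script-security", "up", "down", "route-up", "route-pre-down", "ipchange",
    "tls-verify", "auth-user-pass-verify", "client-connect",
    "client-disconnect", "learn-address",
}

def find_script_directives(config_text):
    """Return (line_no, directive, arguments) for each directive that can run code.
    Comment lines ('#', ';') and the bodies of inline <tag>...</tag> blocks
    (embedded certificates and keys) are skipped, so key material is never
    mistaken for a directive.
    """
    findings = []
    in_inline_block = False
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if in_inline_block:                      # inside <ca> ... </ca> etc.
            in_inline_block = not re.fullmatch(r"</[\w-]+>", line)
            continue
        if re.fullmatch(r"<[\w-]+>", line):
            in_inline_block = True
            continue
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        if directive in CODE_DIRECTIVES:
            findings.append((line_no, directive, parts[1] if len(parts) > 1 else ""))
    return findings

def needs_review(config_text):
    """True when a human should read the file before OpenVPN is allowed to load it."""
    return bool(find_script_directives(config_text))

# Constructed sample (not from the article): a client config carrying a script hook.
SAMPLE_OVPN = """\
remote vpn.example.test 1194
# up /tmp/commented-out.sh  (comments are ignored)
script-security 2
up /tmp/helper.sh
<ca>
up inside-a-cert-block-is-not-a-directive
</ca>
"""
```

Run it over any profile before handing it to `openvpn --config`; an empty result means no directive in the file can start a program.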

------
CapacitorSet
That's a good example of why permissions should be opt-in, not opt-out.

I recently developed an ElasticSearch plugin and I was positively surprised at
the security model: plugins have to declare the permissions they intend to use
and the user has to explicitly grant them when installing the plugin.

~~~
rjzzleep
Funny you should say that, didn't elasticsearch have a default setting last
year which caused thousands of servers to be compromised?

Amazon even has an article about securing ES

[https://aws.amazon.com/blogs/security/how-to-control-access-...](https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/)

EDIT: [https://www.zdnet.com/article/elasticsearch-ransomware-attac...](https://www.zdnet.com/article/elasticsearch-ransomware-attacks-now-number-in-the-thousands/)

> Elasticsearch was never meant to be wide-open to internet users. Elastic,
> the company behind Elasticsearch, explained all this in 2013. This post is
> filled with such red-letter warnings as "Elasticsearch has no concept of a
> user." Essentially, anyone that can send arbitrary requests to your cluster
> is a "super user."

~~~
gnur
The free version of elasticsearch still has no real authn/authz/rbac built in.

------
teekert
I think in general reverse SSH tunnels can be extremely risky and very handy.

I've emailed friends scripts with ssh keys that were: "Click and open a tunnel
to my server", I could then help them (i.e. to save images from their
raspberry pi camera directly to webdav. Or I could work on friend's raspberry
pi proximity sensor in his water tank...) Very handy, very risky.

~~~
Piskvorrr
Risky? If you never revoke the SSH keys and use them for accessing normal
accounts, sure.

------
megous
Also since you're creating a tunnel, you should make sure your end is
firewalled correctly from the incoming connections from the other side.
Especially if you're a dev type and may run local services on all interfaces
mindlessly or whatever.

~~~
CloudNetworking
Windows should detect a new network and should ask you about the network's
security level (public, private, domain), thus applying different firewall
rule-sets.

Not sure if other macOS or some Linux distro has anything similar.

------
davidhyde
Excellent article. Sounds like the devs of OpenVPN have not implemented a
proper interface and have instead opted to include a catch all command to be
as flexible as possible. The longer this is in place the harder it will be to
remove - perhaps it's too late. Nuget made the same blunder with their ability
to execute scripts on package install. Now disabled by default. VideoLAN (VLC)
allowed subtitles to become so complex that there were security problems there
too.

A text file used for configuration should not be an executable.

~~~
jacob019
Networking is complex and requires flexibility. Executing arbitrary shell
commands to set up interfaces is useful. Why should I suffer because people
might use a malicious configuration file? If you're in that situation then
you're doing it wrong.

------
brightball
I just finished doing some install automation with Ansible of the ProtonVPN
ovpn configs and I’m happy to report that these settings were not in there.

~~~
prophesi
Not very surprising. I'd imagine it not being very common to find ovpn configs
that both allow user-defined scripts and not require any authentication. This
post should be a warning for any VPN services that -don't- let you look at the
configs you're using.

~~~
jacob019
AFAIK it is not possible to use a configuration file without being able to
look at it, am I missing something?

~~~
jensv
I think some of the free VPN services may hardcode/import a configuration so
your settings are essentially baked in. Your only option is to start and stop
the VPN, and maybe change the server location.

~~~
r3dey3
In that case you're already running code from them so what's the difference if
the "exploit" is in the script or the app.

------
rootsudo
Oh, okay, so user trust on openvpn file == something malicious hidden inside.

