CVE-2013-2692 – Or when your OpenVPN is a bit too open

Advisories

OpenVPN

Secunia

Details

When analyzing the OpenVPN Access Server, it quickly became apparent that the administration interface lacked any basic level of CSRF protection, which was easily demonstrated with a CSRF form like this, which will add a new user with admin privileges, using the username “csrfaccount” and password “qweasd”:

For this to be effective, we need to ensure that the server is configured to use “Local” authentication. This means OpenVPN controls the authentication, rather than using PAM/RADIUS/LDAP. We can do this with these two simple requests:

When we have changed the authentication method, we need to commit the change:

If we do a CSRF attack against a target using these 3 requests(Which can be done with the method described in my post about multi-stage CSRF attacks), we can then authenticate to the OpenVPN AS admin interface using the account details csrfaccount/qweasd. This further allows us to take over the server.

Conditional CSRF – Or how to spray without praying

A part of the goal of my latest project, WordPress CSRF Exploit kit – A novel approach to exploiting WordPress plugins, was to show some novel techniques that I’ve been picking up on in terms of exploitation of web applications and delivering payloads in neat ways. One goal specifically was to deliver an array of different potential payloads depending on specific conditions and not spray and pray. The one that is the most obvious, is whether or not the target has a specific plugin installed. My approach ended up being a somewhat obscure but neat one that others have documented before. Specifically, the onload/onerror attribute on certain HTML elements that pull in outside resources. Lets deconstruct a landing page as you’d see it from the above project:

What we can observe here is a bunch of different image/script tags all pointing to a potential file existing on a remote system which belong to a specific WordPress plugin. In the event that the plugin is not installed on the host, nothing happens. We’re not loading them for display as I’m sure you guessed. Rather, we’re hoping to get the onload attribute invoked, which contains some convenient javascript of ours.

In the event that the vulnerable plugin is detected, in this case we redirect to a page that contains our actual exploit payload. This means we don’t have to send all possible payloads at once, but can have some obscurity until we know we can hit something interesting. Or in other words, you can spray a target and not have to pray that your exploits work, because they won’t trigger unless a target has the plugin you’re targeting.

This approach is not new, as it has been used in the past for things like trying to resolve different host-names/ip/port ranges on an internal network through a hooked browser to scan for other web applications to target. In this case, we’re using this approach to detect the presence of a vulnerable plugin on a, granted that it’s a pre-determined, target. By being able to not have to do up-front poking at a running system, we’re able to achieve a lower turn-around time on delivering a payload that either hits a target or simply just does nothing.

So there you have it. This is probably not an useful approach to take in all cases where you exploit a CSRF vulnerability. But it’s still an interesting approach and hopefully will inspire others to consider thinking about being more sneaky(Don’t spray and pray!) in their exploitation attempts and make full use of the wonderful things HTML and javascript offer you!

Two-stage CSRF attacks

This week I ran into an interesting problem. I was doing some poking around with my DLink DIR-615(EU) router while working on some firmware reverse engineering. It occurred very quickly to me that the router had no protection against CSRF attacks. As with many other routers, the router also doesn’t enforce you to set a password for the Admin account, which simply sets it up for getting owned.

As it turns out, the vulnerability I found was already well-documented, but I saw no exploit which targeted both the CSRF attack and the default weak credentials in a single exploit. This would be needed for even a semi-reliable exploit to be delivered over the internet. I wondered why, and started investigating what would we required.

The target

The DLink DIR-615(EU) runs on a default IP(192.168.0.1) with default credentials being the Admin account with no password. The authentication system is kind of funky, in that on a successful authentication no cookie is set. Rather, it simply authenticates your local IP. I’ve not dug into this much further, but the short version of this story is that you either have to hope that the user has authenticated against the router somewhat recently, or you need to authenticate as a part of the attack.

The two requests we need to make to log in and do something to abuse this CSRF, such as change the admin password and enable remote management, are as following:

 

 The problem

In order to get a reliable CSRF exploit for this, we’d really like a single page we can send an user to, and it takes care of making these requests to do the exploit. But this turned out to be not quite so easy, and googling turned up very few suggestion for how to make several requests in order and time them correctly to allow authentication before the CSRF attack request. Here were some of the ways I tried:

Failed solution 1: A single page with 2 forms, calling document.formname.submit(); in sequence

This didn’t work. What ended up happening is that the login form wasn’t submitted. Also because we submit the form, we end up with the problem that the browser navigates to action URL. This is because of the default target of the form(_self).

Failed solution 2: A single page with 2 forms that has a target _blank or an iframe

Given the navigation issue I encountered in my first attempt, I started testing out how the target of the form affected things. As it turns out, modern browsers are really not big fans of iframes or new windows. Targeting a frame simply didn’t work. And when you use _blank as a target, the user has to explicitly allow it in modern browsers. In order to exploit this reliably, we can’t rely on user interaction.

Failed solution 3: XMLHttp requests

AJAX is wonderful. So I figured why not try and come up with a solution using XMLHttp and a bit of Javascript. This fell flat very quickly, as XMLHttp respects same origin policy.

The solution

A solution to this would require following:

  • Control of timing between requests
  • To still have control of the page the user loaded, even if the form navigates to a target.
  • No popups
  • Little, if any, indication to the user that their router is being owned

My solution ended up being a bit less neat. However it works quite well against any default browser without any noscript and such(Which would break most CSRF attacks requiring to post, unless you want to rely on user input). It’s quite a bit along the line of the idea of setting each form target to a different frame. But since I couldn’t get them to target an iframe in a single page, I split the payload into 3 parts.

  1. Landing page with 2 iframes, each containing their own payload
  2. A login request
  3. A delayed CSRF attack against the vulnerable page as desired

The main landing pages is quite simple, as it just loads each page for execution:

By setting the width and height, all you’re left with is a tiny dot on the screen. This could be mitigated by doing some styling potentially to render it off screen.

Second step is to log in. Here we rely on the fact that the admin user by default does not have any password set.

Nothing fancy really happens here. We just have to make sure that the user is authenticated for our second stage, which is the CSRF attack which exploits the real weakness in the router:

The key here is that while the first login iFrame is loaded straight away, we have to wait to make sure that the request happened. This could be anything from 5ms to a second. In this case, we wait 5000ms to be safe. This could likely be lowered a lot.

This was validated against the EU version of the D-Link DIR-615 with 8.0A firmware. And while it probably could be optimized quite a bit and made a lot prettier/subtle, it addresses something which I couldn’t find a solution to easily on Google/WAHHv2. This could potentially be a lot simpler against a target that accepts a GET requests to do the same. But this will work for both by simply changing the method in the form.