
[Openvpn-devel] Possible security bug

  • Subject: [Openvpn-devel] Possible security bug
  • From: Alberto Gonzalez Iniesta <agi@xxxxxxxxxxx>
  • Date: Mon, 3 Apr 2006 12:29:22 +0200

Hi all,

I have just received the following bug report from the Debian Bug Track

From: Hendrik Weimer <hendrik@xxxxxxx>

As described in http://www.osreviews.net/reviews/security/openvpn
OpenVPN contains a security hole that allows a malicious VPN server to
take over connected clients.

OpenVPN allows pushing environment variables to a client via 'push
setenv ...'. Using LD_PRELOAD it is possible to run arbitrary code as
root. The only prerequisite is that the attacker needs to control a
file on the victim's computer, e.g. by returning a specially crafted
document upon web access.

A possible solution would be to prefix all pushed environment
variables with something like 'OPENVPN_'.

What's your opinion on this?



Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
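
The mitigation proposed in the report, sketched in C as an added example (not part of the original message and not OpenVPN's own code). The helper names, the 64-byte name limit and the sample path are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PUSH_ENV_PREFIX "OPENVPN_" /* prefix proposed in the report */

/* Hypothetical helper: accept only [A-Za-z_][A-Za-z0-9_]* as a name. */
static int env_name_ok(const char *name)
{
    if (!(isalpha((unsigned char)name[0]) || name[0] == '_'))
        return 0;
    for (const char *p = name + 1; *p; p++)
        if (!(isalnum((unsigned char)*p) || *p == '_'))
            return 0;
    return 1;
}

/* Hypothetical helper: map a pushed "setenv NAME VALUE" option to the
 * entry "OPENVPN_NAME=VALUE". Returns 0 on success, -1 if rejected. */
int namespaced_env_entry(const char *pushed, char *out, size_t outlen)
{
    static const char kw[] = "setenv ";
    char name[64];
    const char *p, *sp;
    size_t nlen;
    int n;

    if (strncmp(pushed, kw, sizeof(kw) - 1) != 0)
        return -1;
    p = pushed + sizeof(kw) - 1;
    sp = strchr(p, ' ');
    nlen = sp ? (size_t)(sp - p) : strlen(p);
    if (nlen == 0 || nlen >= sizeof(name))
        return -1;
    memcpy(name, p, nlen);
    name[nlen] = '\0';
    if (!env_name_ok(name))
        return -1;
    n = snprintf(out, outlen, "%s%s=%s", PUSH_ENV_PREFIX, name, sp ? sp + 1 : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char buf[128];
    /* Constructed sample of a pushed option; the path is made up. */
    if (namespaced_env_entry("setenv LD_PRELOAD /tmp/x.so", buf, sizeof(buf)) == 0)
        puts(buf);
    return 0;
}
```

Because the raw pushed name never reaches the process environment, the dynamic loader sees only `OPENVPN_LD_PRELOAD`, which it does not interpret.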
