CyberGhost is a company that provides VPN services to individual users. They support many popular platforms, including Windows, macOS, and Linux. As a Linux user, I was particularly interested in their Linux application and decided to take a closer look at this version of their software. During my analysis, I discovered vulnerabilities that could be exploited to achieve local privilege escalation, remote code execution on the user’s machine, or to control the victim’s network traffic. This article discloses the vulnerabilities that were present in the CyberGhostVPN Linux 1.3.5 client (and versions below). The latest version of the CyberGhostVPN Linux client is now free from these vulnerabilities.

## Introduction

Before we delve into the details of specific vulnerabilities, it may be useful to briefly explain how the CyberGhost VPN Linux client works.

Every CyberGhost user has an account that is used to log in to the management web panel to manage their subscription and download the client for their desired platform. Once the client is installed, the same account is used to log in to the client.

Users can select their desired VPN server by specifying criteria such as service type (OpenVPN or Wireguard), country, city, and server type (traffic, streaming, or torrent). Depending on the service type selected, a different underlying protocol is used, and different paths in the code are executed.

When a user decides to connect to the VPN, two important things happen:

1. The client sends an authenticated request to the CyberGhost API to fetch the VPN configuration.
2. The client executes the locally installed VPN software (OpenVPN or Wireguard) with the downloaded configuration.

After these two steps, the user’s machine is connected to one of the CyberGhost VPN servers, and all network traffic is routed through it.

The client ships as a PyInstaller bundle; it was unpacked with pyinstxtractor and decompiled with decompyle3:

```
$ python3.8 ~/pyinstxtractor/pyinstxtractor.py cyberghostvpn
Possible entry point: pyiboot01_bootstrap.pyc
Possible entry point: pyi_rth_multiprocessing.pyc
Possible entry point: pyi_rth_certifi.pyc
Successfully extracted pyinstaller archive: cyberghostvpn
$ decompyle3 -o out -r cyberghostvpn_extracted
```

This case is based on two vulnerabilities that can be chained together to achieve code execution by a man-in-the-middle attacker. It has been agreed with the vendor that technical details that could be used to reproduce the exploit will be omitted to protect users who have not yet patched their clients. Despite these limitations, I would like to present a high-level overview of the issues and possible ways of exploitation.

## Issue 1 - Lack of certificate validation

The client always connects to the API over HTTPS. However, in one specific case, the communication had certificate validation disabled. The affected endpoint happened to be responsible for fetching connection details (hostname, port, key) of a chosen Wireguard server. This alone is enough to make the client trust an illegitimate server imitating the API. The server could return connection details to a malicious Wireguard server, and the client would connect to it. The user would think that they’re connected to the legitimate CyberGhost Wireguard VPN server, but in fact, their entire traffic would be routed through the malicious server. Such traffic could be analyzed or modified by the threat actor conducting the attack.

The only prerequisite to conduct the attack is to make the client connect to the illegitimate API. This prerequisite requires an attacker to have the ability to successfully conduct a DNS cache poisoning attack, or to perform ARP spoofing if they’re on the same local network. Malicious ISPs and hackers exploiting intermediate network devices or DNS servers are also in a perfect position to redirect the traffic.

## Issue 2 - Command injection

The client parses a response from the endpoint mentioned above and prepares a Wireguard configuration file. The file was generated by issuing a shell command that was filled with connection details without proper sanitization. In a typical scenario, it’s not a problem because connection details are controlled by CyberGhost and could be trusted. It becomes a problem when we consider the first issue. The illegitimate API, instead of providing details of its own Wireguard server, could respond with a command injection payload. The payload would be executed on the user’s machine with root privileges. It would give the threat actor full control over the machine.

## Demo

Below I present two videos demonstrating exploitation. A victim on the left, an attacker on the right. For simplicity, the described prerequisite condition is already met and is not covered in the videos.
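As an added example (not the client's code and not the vendor's fix), this is how a client could build the Wireguard configuration from the connection-details response without the second issue: every field is allow-listed, the file is written from Python rather than a shell command, and wg-quick is invoked with an argv list. The response field names, the sample responses and the key are constructed assumptions.

```python
import base64
import ipaddress
import re
import subprocess
from pathlib import Path

# Assumed response shape (hostname, port, key); field names are not CyberGhost's real API.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)

# Constructed sample responses: one legitimate, one carrying shell metacharacters.
LEGIT = {"hostname": "vpn.example.net", "port": 51820,
         "key": base64.b64encode(bytes(range(32))).decode()}
TAINTED = dict(LEGIT, hostname="vpn.example.net; id")


def validate_details(details: dict) -> dict:
    """Allow-list each field: hostname or IP literal, port 1-65535, 32-byte base64 key."""
    host = str(details.get("hostname", ""))
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"rejected hostname: {host!r}")
    port = details.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"rejected port: {port!r}")
    key = str(details.get("key", ""))
    try:
        raw = base64.b64decode(key, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        raise ValueError("rejected key: not base64") from None
    if len(raw) != 32:
        raise ValueError("rejected key: Wireguard keys are 32 bytes")
    return {"hostname": host, "port": port, "key": key}


def render_wg_config(details: dict, private_key: str) -> str:
    """Build the config text in Python; no shell ever interprets the response fields."""
    d = validate_details(details)
    return ("[Interface]\n"
            f"PrivateKey = {private_key}\n\n"
            "[Peer]\n"
            f"PublicKey = {d['key']}\n"
            f"Endpoint = {d['hostname']}:{d['port']}\n"
            "AllowedIPs = 0.0.0.0/0, ::/0\n")


def bring_up(details: dict, private_key: str, path: str = "/etc/wireguard/wg0.conf") -> None:
    """Write the file, then pass wg-quick an argv list (shell=False): the path is one argument."""
    Path(path).write_text(render_wg_config(details, private_key))
    subprocess.run(["wg-quick", "up", path], check=True)
```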