OVPNX: 4 Zero-Days Leading to RCE, LPE and KCE (via BYOVD) Affecting Millions of OpenVPN Endpoints Across the Globe
OVPNX is our internal codename for four zero-day vulnerabilities we discovered in the repositories of OpenVPN, the world's most popular VPN. These zero-days affect thousands of companies on major platforms, including Windows, iOS, macOS, Android, and BSD. With millions of devices worldwide running OpenVPN, our findings shed light on security risks on a global scale.
This session will explore the technical details of our research, revealing how we uncovered these zero-days in OpenVPN. OpenVPN is a complex multi-process system whose components run at different privilege levels, including in the kernel, and it relies heavily on OS APIs. We'll explain how this understanding helped us identify logical vulnerabilities. Turning them into working exploits additionally demanded bit- and byte-level inspection and reverse engineering. Attendees can expect a comprehensive description of a subset of the identified zero-days, including a detailed root-cause analysis.
We will focus on demonstrating an exploit chain that starts with remote code execution. The chain begins by remotely attacking OpenVPN's plugin mechanism; we then crash the NT system service by exploiting a stack overflow in the OpenVPN system service. The crash opens a named pipe instance creation race condition that allows us to reclaim OpenVPN's named pipe resource. We will then present an exploit that impersonates a privileged user, resulting in privilege escalation and eventually leading to kernel code execution via BYOVD (bring your own vulnerable driver), that is, by loading a vulnerable signed driver.
The presentation will also cover mitigation techniques, providing valuable insights into defending against potential attack scenarios. A demo will be presented, displaying a complete attack chain that includes RCE, LPE and KCE (via BYOVD) on the target system.
By:
Vladimir Tokarev | Senior Security Researcher, Microsoft
Full Abstract Available:
https://www.blackhat.com/us-24/briefings/schedule/#ovpnx--zero-days-leading-to-rce-lpe-and-kce-via-byovd-affecting-millions-of-openvpn-endpoints-across-the-globe-38900