OSVDB ID: 24444

Title: OpenVPN LD_PRELOAD Environment Variable Pushing Arbitrary Code Execution

Info

Disclosure

Apr 05, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

OpenVPN contains a flaw that may allow a malicious user to execute arbitrary code. The issue is caused due to OpenVPN clients allowing the server to transmit environment variables including LD_PRELOAD to client-side shell scripts via 'setenv' configuration directives. It is possible that the flaw may allow arbitrary code execution by placing and loading a file in a known location resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Rumored
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to version 2.0.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

OpenVPN	OpenVPN	2.0
		2.0.1
		2.0.2
		2.0.3
		2.0.4
		2.0.5

References

Bugtraq ID: 17392
Secunia Advisory ID: 19531 19598 19837 19897
CVE ID: 2006-1629 (see also: NVD)
SCIP VulDB ID: 2128
ISS X-Force ID: 25667
VUPEN Advisory: ADV-2006-1261
Vendor Specific News/Changelog Entry: http://openvpn.net/changelog.html
http://sourceforge.net/mailarchive/forum.php?thread_id=10093825&forum_id=8482
Vendor URL: http://openvpn.sourceforge.net
Vendor Specific Advisory URL: http://www.novell.com/linux/security/advisories/2006_04_28.html
Other Advisory URL: http://www.osreviews.net/reviews/security/openvpn-print
http://www.us.debian.org/security/2006/dsa-1045
http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:069

Credit

Hendrik Weimer - hendrikenyo.de -

Direct URL: http://osvdb.org/24444