AtlasVPN Linux Client 1.0.3 IP Leak – Torchsec
Root Cause
The AtlasVPN Linux Client consists of two parts: a daemon (atlasvpnd) that manages the connections and a client (atlasvpn) that the user controls to connect, disconnect and list services. The client does not connect via a local socket or any other secure means; instead, it opens an API on localhost on port 8076. It does not have ANY authentication. This port can be accessed by ANY program running on the computer, including the browser. Malicious JavaScript on ANY website can therefore craft a request to that port and disconnect the VPN. If it then runs another request, this leaks the user's home IP address to ANY website using the exploit code.
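The root cause contrasts the open TCP port with "a local socket". As an added example (not AtlasVPN's code or its fix), this sketch puts a control channel on a Unix domain socket, which web content in a browser cannot open, and has the daemon check the caller's UID as reported by the kernel via SO_PEERCRED. The function names, reply strings and socket path handling are assumptions; only the connect, disconnect and list commands come from the page.

```python
import os
import socket
import struct

# Commands named on the page; everything else here is hypothetical.
COMMANDS = {"connect", "disconnect", "list"}


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end (Linux only)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def handle_request(conn, allowed_uids):
    """Answer one command only if the kernel-reported peer UID is allowed."""
    _pid, uid, _gid = peer_credentials(conn)
    command = conn.recv(64).decode("ascii", "replace").strip()
    if uid not in allowed_uids:
        reply = "denied"
    elif command not in COMMANDS:
        reply = "unknown command"
    else:
        reply = "ok " + command  # a real daemon would act on the command here
    conn.sendall(reply.encode("ascii"))
    return reply


def serve(path, allowed_uids):
    """Listen on a filesystem socket instead of a TCP port on localhost."""
    if os.path.exists(path):
        os.unlink(path)
    old_umask = os.umask(0o117)  # socket file is created with mode 0660
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    with srv:
        srv.listen(8)
        while True:
            conn, _ = srv.accept()
            with conn:
                handle_request(conn, allowed_uids)


def demo(allowed_uids, command):
    """Send one command over a connected AF_UNIX pair and return the reply."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with client, server:
        client.sendall(command.encode("ascii"))
        handle_request(server, allowed_uids)
        return client.recv(64).decode("ascii")
```

The file mode on the socket is the first gate and the SO_PEERCRED check the second; neither exists for a listener on 127.0.0.1, which any local process can reach.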
Exploit Code
The following code demonstrates the issue. It can be uploaded to any webserver. When the site is visited, AtlasVPN disconnects and leaks the IP address. Not intended for illegal purposes.
=[ atlasvpnd 1.0.3 remote disconnect exploit ]=
You should be running the atlasvpn linux client and be connected to a VPN.
Use atlasvpn connect to connect to a VPN server.
Greets
Fly out to a certain crafter of trashy maps and my favourite WoW NPC. I hope this makes it into the press. Peace out.
Gloss