FreeBSD : openvpn -- LD_PRELOAD code execution on client through malicious or compromised server (be4ccb7b-c48b-11da-ae12-0002b3b60e4c)
High Nessus Plugin ID 21505
The remote FreeBSD host is missing a security-related update.
Hendrik Weimer reports : OpenVPN clients are a bit too generous when accepting configuration options from a server. It is possible to transmit environment variables to client-side shell scripts. There are some filters in place to prevent obvious nonsense, however they don't catch the good old LD_PRELOAD trick. All we need is to put a file onto the client under a known location (e.g. by returning a specially crafted document upon web access) and we have a remote root exploit. But since the attack may only come from authenticated servers, this threat is greatly reduced.