Heartbleeding an OpenVPN server

Apr 21, 2014

Everyone has been atwitter lately over the heartbleed bug which motivated me to look into what lesser known implementations of OpenSSL might be vulnerable. My ddwrt home router seemed like a good choice because releasing and installing updates isn’t as ubiquitous for firmware as it is for desktop software. I started by looking into the HTTP admin interface.

httpd

I identified the web server by browsing the source code and found that SSL was most likely performed by MatrixSSL. I confirmed that the readily available proof of concept scripts did not work against this interface and continued looking for other options.

OpenVPN

OpenVPN was an even more attractive option because it will accept connections on the WAN interface in most configurations. The OpenVPN documentation indicated that they can link against OpenSSL or PolarSSL. I could not find any documentation of the versions included in a specific ddwrt release to determine if my setup was vulnerable, but I was able to find a forum post that indicated it was vulnerable.

Great! But now I wanted to try and exploit myself.

I researched the protocol, examined some pcaps, and wrote a simple script that:

  1. Listens for incoming TCP connections
  2. Wraps all data from the connected TCP stream into UDP packets following the OpenVPN spec for forwarding to the OpenVPN server
  3. Strips the OpenVPN headers from the UDP packets and plays them back to the client over TCP

This simple TCP to OpenVPN UDP proxy server allowed me to successfully run the various POC’s against my ddwrt router.

You can grab the heartbleed-openvpn-poc on my Github.

Fix it!

The OpenVPN wiki has a great page on what you can do to fix/mitigate this vulnerability.

Unfortunately, updated binaries have not been released yet for my router :-(


Tags: