Find of the day - someone dropped an AtlasVPN #0day on Reddit. The AtlasVPN daemon on Linux runs an HTTP server to accept CLI commands, it binds to 127.0.0.1:8076 by default.
What's hilarious is that it accepts commands without ANY authentication - so if you open a malicious webpage, that webpage can fire a POST to 127.0.0.1:8076/connection/stop and instantly disconnect your VPN.
Utter garbage.
Source: https://www.reddit.com/r/cybersecurity/comments/167f16e/atlasvpn_linux_client_103_remote_disconnect/
Proof below - used AtlasVPN's latest Linux client, version 1.0.3.
Really great question in the comments - how does this exploit bypass CORS?
The request to the AtlasVPN daemon meets the definition of a "simple request" - for legacy/compatibility reasons, servers don't have to "opt in" to receive requests that look like form submissions. :')
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
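As an added illustration (not AtlasVPN's code and not from the Reddit thread), the Python below encodes the MDN "simple request" rules the post links to, so you can check which requests a browser sends without a preflight, and shows the kind of policy a loopback control daemon can apply before acting on a command: reject anything carrying an Origin header, pin the Host header to the loopback binding, and require a custom token header (a custom header is never "simple", so a browser would have to preflight it and a daemon that never answers preflights is safe). The header name `X-Daemon-Token` and the allowed hosts are assumptions for the example.

```python
import hmac

# Rules from the MDN "simple requests" definition linked above.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language",
                      "content-type", "range"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}


def is_simple_request(method: str, author_headers: dict) -> bool:
    """True if a browser would send this request WITHOUT a CORS preflight.

    author_headers are the headers a page script sets itself; headers the
    browser adds on its own (Host, Origin, User-Agent, ...) are not counted.
    """
    if method.upper() not in SIMPLE_METHODS:
        return False
    for name, value in author_headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return False          # e.g. X-Daemon-Token forces a preflight
        if lname == "content-type":
            mime = value.split(";", 1)[0].strip().lower()
            if mime not in SIMPLE_CONTENT_TYPES:
                return False      # e.g. application/json is not "simple"
    return True


# Assumed daemon binding and a hypothetical control-token header name.
ALLOWED_HOSTS = {"127.0.0.1:8076", "localhost:8076"}
TOKEN_HEADER = "x-daemon-token"


def local_daemon_should_accept(wire_headers: dict, expected_token: str):
    """Policy a loopback control API applies before executing a command.

    Returns (accepted, reason). wire_headers are the headers as received.
    """
    h = {k.lower(): v for k, v in wire_headers.items()}
    # Browsers attach Origin to cross-site requests and to every POST;
    # a local CLI never does, so its presence means a web page is talking.
    if "origin" in h:
        return False, "browser-originated request rejected"
    # Host pinning: a hostname that resolves to 127.0.0.1 would show up here
    # as that hostname, not as the loopback address the CLI uses.
    if h.get("host") not in ALLOWED_HOSTS:
        return False, "unexpected Host header"
    token = h.get(TOKEN_HEADER)
    if token is None:
        return False, "missing control token"
    # Constant-time comparison against the per-install secret.
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "invalid control token"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("POST", {"Content-Type": "application/x-www-form-urlencoded"}),
        ("POST", {"Content-Type": "application/json"}),
        ("POST", {"X-Daemon-Token": "s3cret"}),
    ]
    for method, hdrs in samples:
        print(method, hdrs, "-> simple" if is_simple_request(method, hdrs)
              else "-> needs preflight")

    secret = "s3cret"  # constructed per-install token
    cli_request = {"Host": "127.0.0.1:8076", "X-Daemon-Token": secret}
    page_request = {"Host": "127.0.0.1:8076", "Origin": "https://attacker.example",
                    "Content-Type": "text/plain"}
    print("CLI :", local_daemon_should_accept(cli_request, secret))
    print("page:", local_daemon_should_accept(page_request, secret))
```

The first check alone (refusing any request with an Origin header) would already have stopped the form-shaped POST described in the post; the token requirement is what keeps the API from being a free-for-all for any other local process as well.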
@tweedge Why is this even a thing...
Someone has INTENTIONALLY added that.
@tweedge CORS is just a suggestion anyway. The client has to choose to enforce it.
@tweedge the fuck??? What is that even used for?
@benjistokman Looks like the VPN daemon is always running, even when it's not connected, and the VPN takes commands from that HTTP server. Here's that same server listening when the VPN is not connected:
@tweedge This raises so many questions around how that entire VPN client is architected.
@tweedge TIL: CORS has a concept of Simple requests
(https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests)
@tweedge "But it's only running on localhost! It's secure from network attacks!"
@tweedge Really browsers should just add a default enabled option to block all cross origin requests or redirects to localhost (or domains that map to localhost), or at least force CORS for 'em all. Or something like that.
Would break some stuff, but there's a ton of insecure software out there.
(That said I have no idea what I'm talking about, security not really my area :D)
@zoe Super related, kudos to @mark22k for bringing up JShelter! https://jshelter.org/
It has network request monitoring to prevent access to localhost et al, among a bunch of other nice privacy/security features. Nice to have this a bit more controlled in case other developers get bad ideas ...
@tweedge The JShelter plugin can also protect against this.
@mark22k Hadn't heard of this - I like that it's applying a number of reasonable, forward-thinking controls. Nice to see!
@tweedge no biggie - the AtlasVPN is just a clumsy wrapper for WireGuard. Its Windows client uses named pipes and it is a fully open entry hole and can easily give full priv escalation.
@tweedge really feels like the bar for something to be called an exploit is becoming too low. This is working as intended (tm) in the worst possible way