Security Vulnerability -- An OpenVPN client connecting to a

malicious or compromised server could potentially receive
"setenv" configuration directives from the server which could
cause arbitrary code execution on the client via a LD_PRELOAD
attack.  A successful attack appears to require that (a) the
client has agreed to allow the server to push configuration
directives to it by including "pull" or the macro "client" in
its configuration file, (b) the client configuration file uses
a scripting directive such as "up" or "down", (c) the client
succesfully authenticates the server, (d) the server is
malicious or has been compromised and is under the control of
the attacker, and (e) the attacker has at least some level of
pre-existing control over files on the client (this might be
accomplished by having the server respond to a client web request
with a specially crafted file).

The fix is to disallow "setenv" to be pushed to clients from
the server, and to add a new directive "setenv-safe" which is
pushable from the server, but which appends "OPENVPN_" to the
name of each remotely set environmental variable.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@983 e7ae566f-a301-0410-adde-c780ea21d3b5

1 files changed, 8 insertions, 0 deletions

diff --git a/misc.c b/misc.c
index b7eaae9..0c45817 100644
--- a/misc.c
+++ b/misc.c
@@ -870,6 +870,14 @@ setenv_str (struct env_set *es, const char *name, const char *value)
 }
 
 void
+setenv_str_safe (struct env_set *es, const char *name, const char *value)
+{
+  char buf[64];
+  openvpn_snprintf (buf, sizeof(buf), "OPENVPN_%s", name);
+  setenv_str (es, buf, value);
+}
+
+void
 setenv_del (struct env_set *es, const char *name)
 {
   ASSERT (name);