Very Pwnable Networks: Exploiting the Top Corporate VPN Clients for Remote Root and SYSTEM Shells


Have you ever been migrated to a new corporate VPN endpoint? What if you were told to connect to something that wasn't a real VPN endpoint at all? What's the worst that could happen? In this session, we show how just one click can allow an attacker to gain remote code execution and escalate privileges on both Windows and macOS.

We take a look at corporate SSL-VPN clients to see what happens when you can encourage, or force, them to connect to a malicious server. We'll go through the general methodology applied to reversing the VPN protocols for some of the most widely used clients and end with everyone's favourite thing: Remote Root and SYSTEM shells.

We'll be diving into how the trust relationship between the VPN client and server works, and how it can be abused to trick the client into changing settings, performing updates, and ultimately running arbitrary code in a privileged context. As these techniques use legitimate VPN functionality, they're hard to patch, but we'll give the audience mitigations that they can apply immediately if they're running one of the affected products, and practical advice that applies generally to VPN client products.

The presentation will include demos of exploitation of four major VPN clients, across Windows and macOS operating systems - some of which can be triggered by simply visiting a malicious website. We'll leave you with an open-source exploit framework that automatically identifies and exploits any of the affected VPN clients that connect to it, and suggestions of how this can be utilised effectively in offensive security operations.

Our talk aims to provide our audience with the following 3 takeaways:

1. Communication between a VPN client and server is worth exploring as a novel and previously underexplored attack surface and is likely to be a fruitful area for further research and investigation beyond the scope of this talk.

2. VPN clients are trusting and subservient to the VPN server's instructions, so end-user builds and VPN configurations should be hardened to prevent connections to unknown VPN endpoints. This sounds relatively obvious, but across the vast majority of our attack simulation engagements it has not been the case, so this talk aims to highlight the risk of this configuration and raise awareness of the possible mitigations.

3. Awareness of this technique (RCE via rogue VPN servers/targeting VPN clients remotely) is currently low despite its potential for significant impact, and attendees of this presentation should feel empowered to help change this. Offensive security practitioners should be better able to introduce this type of attack into their attack simulation exercises, and defenders should be better equipped to identify, detect, and respond to these challenges as and when they happen.

SANS HackFest Hollywood Summit 2024
Very Pwnable Networks: Exploiting the Top Corporate VPN Clients for Remote Root and SYSTEM Shells
Richard Warren, Red Team Operator, AmberWolf
David Cash, Red Team Operator, AmberWolf

View upcoming Summits: http://www.sans.org/u/DuS
