Slashdot Mirror


Researcher Finds Critical OpenVPN Bug Using Fuzzing (zdnet.com)

"Guido Vranken recently published 4 security vulnerabilities in OpenVPN on his personal blog," writes long-time Slashdot reader randomErr -- one of which was a critical remote execution bug. Though patches have now been released, there's a lesson to be learned about the importance of fuzzing -- bug testing with large amounts of random data -- Guido Vranken writes: Most of these issues were found through fuzzing. I hate admitting it, but...the arcane art of reviewing code manually, acquired through grueling practice, is dwarfed by the fuzzer in one fell swoop; the mortal's mind can only retain and comprehend so much information at a time, and for programs that perform long cycles of complex, deeply nested operations it is simply not feasible to expect a human to perform an encompassing and reliable verification.
ZDNet adds that "OpenVPN's audits, carried out over the past two years, missed these major flaws. While a handful of other bugs are found, perhaps OpenVPN should consider adding fuzzing to their internal security analysis in the future."

Guido adds on his blog, "This was a labor of love. Nobody paid me to do this. If you appreciate this effort, please donate BTC..."

47 comments

  1. ...this isn't SOP already? by Anonymous Coward · · Score: 0

    No wonder software is such shit today.

  2. Donate by war4peace · · Score: 1, Offtopic

    We should donate TitCoin, CannabisCoin, PotCoin and the like. BTC is too mainstream.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    1. Re: Donate by K.+S.+Kyosuke · · Score: 1

      Why do you prefer Titcoin over Buttcoin?

      --
      Ezekiel 23:20
  3. Cheers by Anonymous Coward · · Score: 0

    This is how FOSS is supposed to work. Different people with different skillsets all contributing their time and talents to make free software better for everyone. Thanks from some random person who uses OpenVPN but can't code for shit.

    1. Re:Cheers by Anonymous Coward · · Score: 0

      How FOSS is supposed to work often bears little resemblance to how it is actually working. You have a lot of good conscientious programmers who do their part but you also have the programmers who use the openness to create exploits that do nobody any good. And as software complexity has increased and more scrutiny has been placed upon security in both open and closed source applications the chances of finding exploitable weaknesses just by looking at the source code are poor. The low hanging fruit is gone. Most new exploits use the user vector as the launch mechanism and target old software versions and systems that have not been kept up to date with the latest patches. There are still 0-day exploits in the wild and they will be guarded well by those who discover them. Intelligence agencies will vaccinate their own systems to the exploit and try to save the exploit to use on something very worthwhile. Cyber-criminals also keep these 0-days closely held until they can reap the most rewards for selling it or using it themselves.

    2. Re:Cheers by turbidostato · · Score: 1

      "There are still 0-day exploits in the wild and they will be guarded well by those who discover them. Intelligence agencies will vaccinate their own systems to the exploit"

      They probably shouldn't, except for their most valuable targets (if any: they most probably should let the systems go unpatched but look for a remediation elsewhere).

      You don't think our enemies are hand on hand, right? They probably (but not surely) will have developed their own hacks and the one way to be sure if the enemies have found them is trying to attack them and see their response: if they are protected, then as sure as hell they know about the vulnerability and how to exploit it too.

  4. The power of brute force by Dutch+Gun · · Score: 4, Interesting

    Fuzzing is essentially harnessing the power of our modern computational power in a brute force fashion, combined with the knowledge that many errors (especially crashes), by nature, can be leveraged into an exploit.

    In my own scripting language project, I have two fuzz tests I perform - I first fuzz a set of source scripts, and in another test, I fuzz a set of compiled bytecode, which exercises both the lexer/parser and runtime interpreter phases. I didn't even bother with a library either, just a small routine that randomly swaps and corrupts source from the original. It's really amazing how simple something like that will catch so many bugs.

    Honestly, I was implementing this just for the sake of robustness. No one but me is using the library yet, and it's just for local use in my game engine. But if you're connected to the internet in any way, there's really no excuse these days for not having a set of fuzzing tests you regularly run during your normal regression testing, and there are some great libraries available to help do this. You can even leverage Google's massive computational resources for testing for free (perhaps even get paid a small bounty) if your project is important enough, which OpenVPN certainly is. Hopefully the OpenVPN devs/maintainers take note of this and make this happen, and we'll all be more secure for it.

    BTW, if you ever want to read about an incredibly comprehensive test and regression suite, check out SQLite's description of their testing methodology: https://www.sqlite.org/testing...

    --
    Irony: Agile development has too much inertia to be abandoned now.
    1. Re:The power of brute force by phantomfive · · Score: 1

      What do you use to do your fuzzing? Did you write a custom set of tools?

      --
      "First they came for the slanderers and i said nothing."
    2. Re:The power of brute force by Dutch+Gun · · Score: 3, Interesting

      Nothing so grandiose. Just small class that randomly corrupts bytes in a memory buffer or string. Basically, it first chooses a random 0-100% odds of corruption, then iterates through each byte in the buffer, and if another random value is greater than the corruption odds, I replace the existing byte with a random one. Stupidly trivial, but still caught a number of crashes in rare corner cases I probably never would have found any other way.

      It took a tiny bit more work to set up the test scenario, which was to create an array of sample scripts (called the "corpus", as I understand it), then loop through those in a parallel array (in two phases, as I mentioned), starting with a known seed value so I can reproduce a crash as needed. Not counting the embedded corpus scripts, it was less than 150 lines of code.

      --
      Irony: Agile development has too much inertia to be abandoned now.
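      A worked version of the seeded, byte-corrupting mutator and corpus loop described above, added here as an example and not Dutch+Gun's own code: the record parser under test and its corpus are constructed toy inputs, and the mutator corrupts each byte with a per-run probability (rather than the "greater than" comparison in the post) so that one integer seed reproduces any crash.

```python
import random
import struct

# Constructed corpus of well-formed inputs for the toy record format below:
# a count byte, then `count` records of 2-byte big-endian length + payload.
CORPUS = [b"\x01\x00\x03abc", b"\x02\x00\x01x\x00\x02yz", b"\x00"]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Draw one corruption rate in [0, 1) for the whole buffer, then replace
    each byte with a random value with that probability. All randomness comes
    from `rng`, so an integer seed fixes the output exactly."""
    rate = rng.random()
    out = bytearray(data)
    for i in range(len(out)):
        if rng.random() < rate:
            out[i] = rng.randrange(256)
    return bytes(out)


def parse_records(blob: bytes) -> list:
    """Toy parser under test. It trusts the count and length fields (the kind
    of missing input validation fuzzing surfaces): truncated input makes
    unpack_from raise struct.error instead of the ValueError callers expect."""
    if not blob:
        raise ValueError("empty input")
    count, pos, records = blob[0], 1, []
    for _ in range(count):
        (length,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        records.append(blob[pos:pos + length])
        pos += length
    return records


def run_fuzz(corpus, iterations: int, base_seed: int = 0) -> list:
    """Fuzz every corpus entry `iterations` times, one integer seed per case.
    Returns (seed, corpus index, exception name) for every failure other than
    the ValueError the parser is allowed to raise."""
    crashes = []
    for n in range(iterations):
        for idx, sample in enumerate(corpus):
            seed = base_seed + n * len(corpus) + idx
            try:
                parse_records(mutate(sample, random.Random(seed)))
            except ValueError:
                continue  # graceful rejection is the intended behaviour
            except Exception as exc:  # anything else is a parser bug
                crashes.append((seed, idx, type(exc).__name__))
    return crashes


def reproduces(crash, corpus) -> bool:
    """Replay a recorded crash from its seed and confirm the same failure."""
    seed, idx, name = crash
    try:
        parse_records(mutate(corpus[idx], random.Random(seed)))
    except Exception as exc:
        return type(exc).__name__ == name
    return False
```

      Because the seed is part of each recorded triple, a crash found in a long run can be replayed in isolation without re-running the whole loop.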
    3. Re:The power of brute force by Anonymous Coward · · Score: 0

      Fuzzing is essentially harnessing the power of our modern computational power in a brute force fashion, combined with the knowledge that many errors (especially crashes), by nature, can be leveraged into an exploit.

      Are you the CEO of a tech company? You seem to have mastered the completely uninformative style of CEO-talk.

    4. Re:The power of brute force by phantomfive · · Score: 1

      Nice.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:The power of brute force by AHuxley · · Score: 1

      The tools exist or find a very, very smart person.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re:The power of brute force by phantomfive · · Score: 1
      --
      "First they came for the slanderers and i said nothing."
  5. Stop with the lies! by Anonymous Coward · · Score: 0

    Clearly, this is a lie since Open Sores software would not have such issues!

  6. I'm safe from this attack by Anonymous Coward · · Score: 0

    Fortunately we're using unencrypted PPTP on Windows RRAS server.

  7. This must be AI by 110010001000 · · Score: 0

    This guy missed his opportunity. He SHOULD have called it "AI Fuzzing" or "AI NN Fuzzing". The donations would have been rolling in. No one is interested in plain old software in 2017.

    1. Re: This must be AI by Anonymous Coward · · Score: 0

      Somebody has probably already filed patents and trademarks for Deep Integrated Convolutional Kernel Fuzzing, or DICK FUZZ for short.

  8. perhaps, perhaps, perhaps. by darthsilun · · Score: 2

    ...perhaps OpenVPN should consider adding fuzzing to their internal security analysis in the future."

    This is FOSS software. If someone is doing fuzzing testing, they should jump in and contribute it. I can't imagine that the OpenVPN project, or any other FOSS software project would say no to such a contribution.

    Those who stand around and offer lame suggestions like "$project should do this" are useless IMO.

    I'm currently paid to work on FOSS software. There's a lot of things we need to do. There aren't enough resources to do all of them. One thing we definitely don't need are "helpful" comments like this from the peanut gallery.

    1. Re: perhaps, perhaps, perhaps. by Anonymous Coward · · Score: 0

      Fuzzing only exposes things. Fixing them could require starting from scratch.

    2. Re:perhaps, perhaps, perhaps. by Dutch+Gun · · Score: 1

      Yes, how dare a security researcher make a suggestion that might help a project find and mitigate future bugs after discovering some very serious issues using the aforementioned techniques. I mean, it's not like security is a core feature of a VPN anyhow. I'm sure they have much better things to do with their time than to harden their library using well-known methodologies that many others are using to enhance the security and robustness of their products.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    3. Re: perhaps, perhaps, perhaps. by Anonymous Coward · · Score: 0

      One thing we definitely don't need are "helpful" comments like this from the peanut gallery.

      Ahh, the good old snobby, elitist, holier than thou, "fuck your suggestions, it's open source, YOU do something about it ya jackass!" mentality. From someone paid to work on OSS, no less!

      Then out of the other side of your mouth it's "gee whiz, why aren't more people helping contribute to this project? :'-(" Hmm, I wonder why?

    4. Re: perhaps, perhaps, perhaps. by ShanghaiBill · · Score: 1

      Fuzzing only exposes things. Fixing them could require starting from scratch.

      Most of the exposed bugs are in input validation. Once you have a repeatable test case, those sorts of bugs are usually pretty easy to fix.

    5. Re: perhaps, perhaps, perhaps. by Entrope · · Score: 1

      You can contribute the scripts and configuration to run fuzzers. Presumably the developers know how to fix crashes, but they might not have the same level of expertise in setting up a fuzzer as the prospective contributor.

    6. Re:perhaps, perhaps, perhaps. by LostMyBeaver · · Score: 1, Flamebait

      Security researchers are generally quite useless. When the report came out that OpenVPN was blessed as being secure by some high profile security researchers, I immediately went to the code base and within about 20 minutes just left as I found from a very brief review of the code an endless pile of likely attack vectors for the code. The only reason the code was considered secure is because a security researcher ran nmap or Kali against it and it held up.

      I turned up far more holes in that code through visual analysis for 20 minutes than this guy did fuzzing with far more resources. The OpenVPN code is among some of the worst code I've come across in a while. It's almost bad enough to be a VMware linux guest kernel driver.

      I would have started making bug reports but honestly, that code is roughly what you'd expect from a research project for testing new ciphers. The amount of time it would take to list just the problems in their certificate code alone and provide meaningful test data would be far beyond what I'd be willing to invest in a piece of code that takes security so lightly.

      I would say that OpenVPN is still many steps away from being ready for fuzzing. It would profit far more from a decent code review by people who understand programming theory, than by people who understand code security. It would help a lot if people who understood certificates AND programming looked as well.

      So... while darthsilun is a bit of an ass with his wording, I'll say this, the poster begging for bitcoins for writing a 10 line script to try and crash OpenVPN really isn't being too helpful by saying "they should do this" where in reality, he should download the source code, add his test to the code, then check it in. This is how open source works.

      If he believes the project should do this, then he should join the project. But simply writing a fuzzing script and tossing it at the code isn't productive. It's like standing and saying
          "Someone should help this little old lady cross the street"
          "Why don't you help her"
          "I believe it would be better if I simply stand here and watch for other little old ladies so I can say someone should help them"

      OpenVPN is crap code. It's an endless pile of:
        - Linux kernel style shit C code with no input validation,
        - Absolute dependence on meaningless and generally ignored return codes
        - Spaghetti crap of "look mom, I wrote my own string compare function"
        - Function before anything else
        - Wow, we do certificates!!! Do you actually validate the certificate while parsing? Nope... we'll just assume that no one but nice people will send us certificates

    7. Re: perhaps, perhaps, perhaps. by Anonymous Coward · · Score: 0

      The difference:

      1. Everyone can help an old lady cross the street.

      2. If you help an old lady cross the street, onlookers aren't going to bitch about your method, or run up and stand in front of you and push you and the old lady back to where you started because you didn't follow the complicated approved method and process.

    8. Re: perhaps, perhaps, perhaps. by Zero__Kelvin · · Score: 1

      Give us some examples so we can review your claims.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    9. Re:perhaps, perhaps, perhaps. by Anonymous Coward · · Score: 0

      It would profit far more from a decent code review by people who understand programming theory, than by people who understand code security. It would help a lot if people who understood certificates AND programming looked as well.

      Sorry but that is not enough, you should also understand the intricacies of encryption and the difficult mathematics behind it. Nobody can exactly audit those magic numbers and random primes on source files.

    10. Re: perhaps, perhaps, perhaps. by Anonymous Coward · · Score: 0

      He can't, his neurosis manifests in telling everyone how smart he is.

    11. Re: perhaps, perhaps, perhaps. by darthsilun · · Score: 1

      One thing we definitely don't need are "helpful" comments like this from the peanut gallery.

      Ahh, the good old snobby, elitist, holier than thou, "fuck your suggestions, it's open source,

      Coming from a snobby elitist holier than thou "do what I tell you and shut the fuck up". The irony is so thick you can cut it with a knife.

      We already know we need to do stuff like run fuzzers. Suggestions like that are not the least bit helpful you stupid dumbfuck.

      When people have constructive contributions they want to give us, we help them integrate them. When nitwits like you shout at us from the peanut gallery we ignore you.

      In case you were wondering why we're ignoring you

    12. Re:perhaps, perhaps, perhaps. by Anonymous Coward · · Score: 0

      One thing we definitely don't need are "helpful" comments like this from the peanut gallery.

      Is the passive aggressive tone really necessary?

  9. a giant fuzzing huzzah from the short bus by epine · · Score: 0

    The stupidity of this claim is mind-blowing.

    Take any process A which catches a great many errors.

    Follow it up by any B process, which finds a different set of errors, possibly a very narrow set.

    Sit back, eat popcorn, watch process B blow process A out of the water.

    "No matter how hard we crank on process A, the supplementary process B always catches things that the A process missed. I kind of hate to admit this, but I'm dumb enough at this point to convince myself that process B is inherently superior to process A."

    Well, I for one, don't welcome our new short-bus overlords.

    The track record for human inspection goes up exponentially when the humans involved relentlessly pare away non-essential functionality. Non-essential function almost always has a political origin.

    Bottom line: anything of political origin needs to be aggressively fuzz tested. Conclude about politics what you will.

    1. Re: a giant fuzzing huzzah from the short bus by Anonymous Coward · · Score: 0

      Who shit in your cheerios?
      Fuzzing is legit, black hats do it too so it's good we got someone who will actually say what he found. Even if he has no idea how to fix at least the issue is known.

  10. This was a labour of love, so.... by innocent_white_lamb · · Score: 0

    This was a labour of love, so now give me money.

    ??

    There's a serious disconnect in there.

    --
    If you're a zombie and you know it, bite your friend!
    1. Re: This was a labour of love, so.... by Zero__Kelvin · · Score: 1

      Not if you love security, fuzzing, and money :^)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  11. OK whew, authenticated users escalating/exploiting by Wrath0fb0b · · Score: 1

    the three server flaws require the attacker be authenticated in order to exploit.

    That's the good news and the bad news. It's good because it means script kiddies aren't going to be drive-by-exploiting every old unpatched DD-WRT, and that generally many of us will be kinda safe.

    It's bad news because it's a huge deal both for VPN providers (kind of the obvious case) but also in the context of giving an attacker with RCE on a single client a huge vector to move laterally throughout a corporate network. I'm sure the original audit focused the majority of attention on the authentication code, but that leaves the rest of the threat model under-audited.

  12. Oh contraire... by Anonymous Coward · · Score: 0

    No one is interested in plain old software in 2017.

    Everything appearing on the web is plainer than plain old software. Haven't you been reading Slashdot the past few months? Everyone is CRAVING plain old software with menus and normal shit that actually works the way it looks like it should.

  13. Re:OK whew, authenticated users escalating/exploit by AHuxley · · Score: 1

    The threat model is gov/mil/security services.
    https://en.wikipedia.org/wiki/... will find a VPN user.
    "Showing the usage of virtual private networks (VPNs) and machines that can potentially be hacked via TAO."
    That's why most governments have few or no laws or comments about encrypted VPN use. Revealed: how US and UK spy agencies defeat internet privacy and security (September 2013)
    https://www.theguardian.com/wo...
    "... Edge hill's initial aim was to decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) ..."

    --
    Domestic spying is now "Benign Information Gathering"