Introducing NachoVPN: One VPN Server to Pwn Them All

Is Your Corporate VPN Client Providing Access to More Than Just Your Employees?

What would happen if you connected to the wrong VPN endpoint? Well, that depends on which VPN client you’re using and who was controlling the server.

During our recent talk at SANS HackFest Hollywood 2024, titled Very Pwnable Networks: Exploiting the Top Corporate VPN Clients for Remote Root and SYSTEM Shells, we presented how we discovered vulnerabilities in the most popular and widely used corporate VPN clients, and how attackers could exploit those vulnerabilities to gain Remote Code Execution on both macOS and Windows operating systems.

Today, we are thrilled to announce the release of NachoVPN, an open-source tool that demonstrates the attack scenarios we discussed and helps security professionals understand and mitigate these risks. Alongside NachoVPN, we are also publishing detailed advisories for the vulnerabilities we uncovered.

Background

VPN clients are indispensable for secure remote access, but their elevated system privileges present an enormous attack surface. Our research focused on widely used corporate VPN clients, encompassing both traditional SSL-VPN clients and modern Zero Trust solutions. We identified flaws in their trust relationship with VPN servers, showing how attackers could exploit these tools to gain privileged access with minimal interaction.

This research was not limited to hypothetical scenarios. Through attack simulation exercises, we demonstrated how these vulnerabilities could compromise end-user devices in real-world enterprise environments. By targeting the implicit trust VPN clients place in servers, attackers can manipulate client behaviours, execute arbitrary commands, and gain high levels of access with minimal effort.

NachoVPN serves as a proof-of-concept tool to simulate rogue VPN servers capable of exploiting these vulnerabilities. It showcases how insecure behaviours in VPN clients can be leveraged to gain privileged code execution. The tool is platform-agnostic, capable of identifying different VPN clients and adapting its response based on the specific client connecting to it. It is also extensible, encouraging community contributions and the addition of new vulnerabilities as they are discovered.

If you missed our talk at HackFest Hollywood 2024, you can catch up by watching the recording on the SANS YouTube channel, and download the presentation slides from GitHub. These resources provide a deeper dive into the technical details of our findings and practical advice for mitigating these risks.

SANS also invited Ashton Rodenhiser of Mind’s Eye Creative to create a live graphic recording of the talks. The graphic from our talk can be found below:

Credit: Ashton Rodenhiser

Tool Release

The source code for NachoVPN is now available on GitHub. It includes usage instructions, example configurations, and a detailed README to guide researchers and developers. NachoVPN has been released under the MIT license.

Advisories

Alongside NachoVPN, we are publishing detailed advisories documenting the vulnerabilities disclosed during our presentation. These advisories include technical descriptions, attack vectors, and mitigation recommendations to help organisations protect themselves against these threats. By sharing this information, we aim to raise awareness and drive improvements in the security practices of both developers and end-users. The advisories can be found at the following links:

Future Work

This blog post marks the beginning of our broader effort to improve VPN client security. With NachoVPN and the accompanying advisories, we aim to equip the security community with the tools and knowledge needed to better protect against these threats. VPN client vulnerabilities represent a novel and underexplored attack surface. We encourage further research and investigation in this area and advocate for stricter policies to harden end-user builds and configurations, reducing exposure to malicious VPN servers.

We look forward to seeing how NachoVPN and our research contribute to the broader security landscape. Follow us on Twitter and Bluesky, and stay tuned for more updates!