A Critical 0-day vulnerability was discovered in AtlasVPN for Linux, which can disconnect the AtlasVPN and leak the user’s IP address.
The AtlasVPN, running a daemon on Linux, also runs an HTTP server for accepting CLI (Command Line Interface) commands. This is bound with 127.0.0.1:8076 by default.
It was found that this HTTP server does not have any authentication when running commands. The HTTP server runs the 127.0.0.1:8076/connection/stop endpoint that can receive a POST request. This can be used for disconnecting the AtlasVPN.
AtlasVPN Zero-day vulnerability
AtlasVPN runs a daemon that manages the connection and a client that the user uses for connecting, disconnecting, and listing the services. Instead of connecting with a local socket, the client opens an API on localhost on port 8079, which lacks authentication.
Hence, this port can be accessed by any program that runs on the Linux system. It is also possible for threat actors to run any malicious website that has a script for disconnecting the AtlasVPN, as there is no authentication for accessing the endpoint.
In addition to this, another malicious script can be included, which can also leak the AtlasVPN user’s IP address.
CORS bypass
Though there is a lack of authentication to the endpoint, CORS (Cross-Origin Resource Sharing) is one of the security methods that protects from leaking data to external sources. However, CORS is bypassed since the request meets the definition of a Simple request mentioned by Mozilla.
“Some requests don’t trigger a CORS preflight. Those are called simple requests from the obsolete CORS spec, though the Fetch spec (which now defines CORS) doesn’t use that term.” reads the documentation by Mozilla.
A user named Educational-map-8145 on Reddit publicly released an exploit, and another user provided a proof-of-concept.
Users of this product are recommended to upgrade to the latest version, 1.0.3, to fix this vulnerability.
Source: https://cybersecuritynews.com/atlasvpn-zero-day-vulnerability/
