Chris Partridge on Nostr: Find of the day - someone dropped an AtlasVPN #0day on Reddit. The AtlasVPN daemon on ...
Find of the day - someone dropped an AtlasVPN #0day on Reddit. The AtlasVPN daemon on Linux runs an HTTP server to accept CLI commands, it binds to 127.0.0.1:8076 by default.
What's hilarious is that it accepts commands without ANY authentication - so if you open a malicious webpage, that webpage can fire a POST to 127.0.0.1:8076/connection/stop and instantly disconnect your VPN.
{
  "id": "c0d6d9dc05e47859e78471f1fe4488dd7634aec9d67d58e9abd5bc39c5ed4202",
  "pubkey": "7ac2fc79e6b9e3ed2fb6d8b88a3ff9f64d9454508529ad8d2b6e8e3dac91357b",
  "created_at": 1693689897,
  "kind": 1,
  "tags": [
    ["t", "0day"],
    ["proxy", "https://cybersecurity.theater/users/tweedge/statuses/110997661135498890", "activitypub"]
  ],
  "content": "Find of the day - someone dropped an AtlasVPN #0day on Reddit. The AtlasVPN daemon on Linux runs an HTTP server to accept CLI commands, it binds to 127.0.0.1:8076 by default.\n\nWhat's hilarious is that it accepts commands without ANY authentication - so if you open a malicious webpage, that webpage can fire a POST to 127.0.0.1:8076/connection/stop and instantly disconnect your VPN.\n\nUtter garbage.\n\nSource: https://www.reddit.com/r/cybersecurity/comments/167f16e/atlasvpn_linux_client_103_remote_disconnect/\n\nProof below - used AtlasVPN's latest Linux client, version 1.0.3.\n\nhttps://files.cybersecurity.theater/media_attachments/files/110/997/645/673/129/634/original/233e70179e3c9f90.mp4",
  "sig": "ef1c4946190a920034c047cacc626064f38a9240cb2cf7481bc37729a4c0a0a3d7411897bd1614c73cefb50905db07fe9faa92bf357024ad9aa35c5be6ec4a13"
}
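
An added example, not part of the original post and not AtlasVPN's code: a request gate that a loopback control daemon like the one described could apply before acting on a command such as /connection/stop. The token header name, the token storage and the sample requests are assumptions constructed for illustration.

```python
import hmac

# Port is from the post; the token header and its storage are assumptions
# made for this sketch, not AtlasVPN's actual design or fix.
ALLOWED_HOSTS = {"127.0.0.1:8076", "localhost:8076"}
TOKEN_HEADER = "x-control-token"  # hypothetical header name


def authorize(headers: dict, expected_token: str) -> tuple:
    """Return (allowed, reason) for one request to the loopback control API."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Host must be a loopback name; a DNS-rebinding page reaches the
    #    socket but still sends its own hostname here.
    if h.get("host", "").lower() not in ALLOWED_HOSTS:
        return False, "unexpected Host header"

    # 2. Browsers normally add Origin to cross-site POSTs; the CLI never does.
    if "origin" in h:
        return False, "request came from a web origin"

    # 3. The real control: a secret only the local CLI can read (for example
    #    from a 0600 file), compared in constant time.
    supplied = h.get(TOKEN_HEADER, "")
    if not hmac.compare_digest(supplied.encode(), expected_token.encode()):
        return False, "missing or wrong token"
    return True, "ok"


# Constructed sample requests (header sets only), not captured traffic.
TOKEN = "constructed-sample-token"
SAMPLES = {
    "cli": {"Host": "127.0.0.1:8076", "X-Control-Token": TOKEN},
    "web_page": {"Host": "127.0.0.1:8076", "Origin": "https://site.example"},
    "rebinding": {"Host": "site.example:8076", "X-Control-Token": TOKEN},
    "no_token": {"Host": "127.0.0.1:8076"},
}


def evaluate_samples() -> dict:
    """Run every constructed sample through authorize()."""
    return {name: authorize(hdrs, TOKEN) for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_samples().items():
        print(f"{name:10} allowed={allowed} reason={reason}")
```

The Origin and Host checks only filter browser traffic; the token is what stops another local process or a request that omits those headers.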