All Roads Lead to OpenVPN Pwning Industrial Remote Access Clients - Sharon Brizinov - Hack in Paris - 2021

Offered By: Hack in Paris via YouTube

Course Description

Overview

Explore a critical vulnerability in industrial remote access solutions utilizing OpenVPN in this Hack in Paris conference talk. Delve into the intricacies of Work From Home setups in industrial environments, focusing on Programmable Logic Controllers and remote access solutions. Examine OpenVPN's inner workings and traffic patterns to uncover a significant security flaw that can lead to remote code execution on VPN clients. Learn about loose backend parsers, Same-Origin Policy (SOP), and Cross-Origin Resource Sharing (CORS) implications. Investigate the PerFact OpenVPN backend and architecture, and follow a step-by-step guide to prepare an exploit. Gain insights into HMS Networks, Structured Exception Handling (SEH), and the mbDIALUP launcher as part of this comprehensive analysis of industrial VPN security vulnerabilities.

Syllabus

Intro
Agenda
Work From Home: The Industrial Version
Programmable Logic Controller
Remote Access Solution
Under the Hood: OpenVPN
OpenVPN Traffic
So What's the Problem?
Example to a Very Loose Backend Parser
But What About SOP and CORS?
Recap
OK. We Can Start VPN Tunnel, SO WHAT?
But the Config File Must Be Present on the Machine!
PerFact OpenVPN - Backend
PerFact OpenVPN - Architecture
Prepare Our Exploit - Step 1
HMS Networks
SEH 101
mbDIALUP launcher


Taught by

Hack in Paris
