Hendrik Weimer reports:
OpenVPN clients are a bit too generous when accepting configuration options from a server. It is possible to transmit environment variables to client-side shell scripts. There are some filters in place to prevent obvious nonsense, however they don't catch the good old LD_PRELOAD trick. All we need is to put a file onto the client under a known location (e.g. by returning a specially crafted document upon web access) and we have a remote root exploit. But since the attack may only come from authenticated servers, this threat is greatly reduced.
Disclaimer: The data contained on this page is derived from the VuXML document, please refer to the the original document for copyright information. The author of portaudit makes no claim of authorship or ownership of any of the information contained herein.
If you have found a vulnerability in a FreeBSD port not listed in the database, please contact the FreeBSD Security Officer. Refer to "FreeBSD Security Information" for more information.