OpenVPN Connect Echo Script ACE + PAC Push
Summary
A malicious server pushes an echo option carrying script.win.user.disconnect, which the client decodes and runs on disconnect even though scriptsPermissionGranted=false. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | OpenVPN Connect for Windows (tested builds per PoC) |
| Primitive | push echo base64 script.win.user.disconnect + PROXY_AUTO_CONFIG_URL |
| Impact | Current-user ACE on disconnect; transient PAC AutoConfigURL via dhcp-option push. |
Attack Chain
Import profile → connect → server push → disconnect executes command / applies PAC
Mitigation
Import VPN profiles only from trusted sources; block script pushes through MDM; monitor the HKCU AutoConfigURL value during VPN sessions.
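One way to implement the AutoConfigURL monitoring suggested above, as an added example that is not from the upstream PoC or from this page's author: a PowerShell poller that logs every change to the current user's PAC setting and raises an alert when an unlisted URL appears while the VPN client is running. The process name `OpenVPNConnect`, the allow-listed PAC URL, the log path and the helper function names are assumptions.

```powershell
# Added example (not from the PoC): log changes to the per-user PAC setting.
$KeyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ValueName = 'AutoConfigURL'
$Allowed   = @('http://pac.corp.example/proxy.pac')        # constructed allow-list entry
$VpnProc   = 'OpenVPNConnect'                              # assumed client process name
$LogPath   = Join-Path $env:LOCALAPPDATA 'pac-watch.jsonl' # hypothetical log file
$IntervalSeconds = 5

function Get-PacUrl {
    # Return the current AutoConfigURL, or '' when the value does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '' }
    return [string]$item.$ValueName
}

function Get-PacChangeEvent {
    param([string]$Old, [string]$New, [bool]$VpnRunning, [string[]]$AllowList)
    if ($Old -ceq $New) { return $null }                   # nothing changed
    if ($New -eq '') {
        $severity = 'info'                                 # value was removed again
    } elseif ($AllowList -cnotcontains $New) {
        # Unknown PAC URL: highest priority when it appears with the VPN client up.
        $severity = if ($VpnRunning) { 'alert' } else { 'warn' }
    } else {
        $severity = 'info'
    }
    [pscustomobject]@{
        Time       = (Get-Date).ToUniversalTime().ToString('o')
        Old        = $Old
        New        = $New
        VpnRunning = $VpnRunning
        Severity   = $severity
    }
}

$last = Get-PacUrl
while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $now = Get-PacUrl
    $vpn = [bool](Get-Process -Name $VpnProc -ErrorAction SilentlyContinue)
    $evt = Get-PacChangeEvent -Old $last -New $now -VpnRunning $vpn -AllowList $Allowed
    if ($evt) {
        $evt | ConvertTo-Json -Compress | Add-Content -Path $LogPath
        if ($evt.Severity -eq 'alert') { Write-Warning "Unexpected PAC URL: $now" }
    }
    $last = $now
}
```

A 5-second poll can miss a value that is set and removed between samples; registry auditing (Security event 4657) or Sysmon event ID 13 on the same key records every write.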