A zero-day in Atlas VPN Linux Client leaks users’ IP address

Experts warn of an Atlas VPN zero-day flaw impacting the Linux client that can reveal the user’s IP address by visiting a website.

A Reddit user with the handle ‘Educational-Map-8145’ published a proof of concept exploit for a zero-day flaw in the Linux client of Atlas VPN. The exploit code works against the latest version of the client, 1.0.3.

The researchers explained that the Atlas VPN Linux Client has two components, a daemon (atlasvpnd) that manages the connections and a client (atlasvpn) that enables users to connect, disconnect, and list services. The Reddit user pointed out that the client does not support any authentication mechanism.

“The client does not connect via a local socket or any other secure means but instead it opens an API on localhost on port 8076. It does not have ANY authentication. This port can be accessed by ANY program running on the computer, including the browser.” reads the post published by ‘Educational-Map-8145’. “A malicious javascript on ANY website can therefore craft a request to that port and disconnect the VPN. If it then runs another request, this leaks the users home IP address to ANY website using the exploit code.”

The exploit code published by the researcher can be uploaded to any webserver, then visiting a site using the linux client for AtlasVPN, it terminates the active Atlas VPN sessions and leaks the IP address.

The PoC uses a hidden frame and sends the API command stop to drop the connection

http://127.0.0.1:8076/connection/stop

and can be sent by any unauthenticated attacker.

The Reddit user claims that Atlas VPN ignored him when he tried to report the issue, but finaly it seems that Atlas VPN recognized the issue and apologized for the problem and the delay in the response.

The company announced that is working to fix the problem.

BleepingComputer reported that cybersecurity engineer Chris Partridge successfully tested the PoC exploit against AtlasVPN Linux client version 1.0.3.

poc AtlasVPN

Atlas VPN Linux client users are recommended to avoid using the software until the issue is fixed.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Atlas)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.