Pierluigi Paganini September 06, 2023

Experts warn of an Atlas VPN zero-day flaw impacting the Linux client that can reveal the user’s IP address by visiting a website.

A Reddit user with the handle ‘Educational-Map-8145’ published a proof of concept exploit for a zero-day flaw in the Linux client of Atlas VPN. The exploit code works against the latest version of the client, 1.0.3.

The researchers explained that the Atlas VPN Linux Client has two components, a daemon (atlasvpnd) that manages the connections and a client (atlasvpn) that enables users to connect, disconnect, and list services. The Reddit user pointed out that the client does not support any authentication mechanism.

“The client does not connect via a local socket or any other secure means but instead it opens an API on localhost on port 8076. It does not have ANY authentication. This port can be accessed by ANY program running on the computer, including the browser.” reads the post published by ‘Educational-Map-8145’. “A malicious javascript on ANY website can therefore craft a request to that port and disconnect the VPN. If it then runs another request, this leaks the users home IP address to ANY website using the exploit code.”

The exploit code published by the researcher can be uploaded to any webserver, then visiting a site using the linux client for AtlasVPN, it terminates the active Atlas VPN sessions and leaks the IP address.

The PoC uses a hidden frame and sends the API command stop to drop the connection

http://127.0.0.1:8076/connection/stop

and can be sent by any unauthenticated attacker.

The Reddit user claims that Atlas VPN ignored him when he tried to report the issue, but finaly it seems that Atlas VPN recognized the issue and apologized for the problem and the delay in the response.

The company announced that is working to fix the problem.

BleepingComputer reported that cybersecurity engineer Chris Partridge successfully tested the PoC exploit against AtlasVPN Linux client version 1.0.3.

Atlas VPN Linux client users are recommended to avoid using the software until the issue is fixed.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Atlas)