Summary by ExpressVPN
We'd like to thank Adam-X for reporting this to us and handling the process in a responsible manner, and have added our thoughts on the reported submission here: https://www.expressvpn.com/blog/expressvpn-rdp-leak-fixed/
A port-based VPN tunnel bypass, specifically an IP leak, caused by the user visiting a malicious site or making use of RDP. The leak can be triggered by an attacker randomly targeting ExpressVPN users through a compromised website, in a more targeted manner by performing social engineering to get users to visit an attacker-controlled site, or when the user makes an RDP connection. No JavaScript is required, and in the random targeting case, no user interaction is required.
ExpressVPN Windows Application
Other
In both Lightway UDP-based protocols, Turbo and standard Lightway, RDP traffic leaks through the official ExpressVPN client even when the kill switch (Network Lock) is enabled. Lightway TCP and OpenVPN TCP/UDP protocols don't appear to be affected; however, they're not the default setting. In particular, packets that are sent to internet hosts on remote TCP port 3389 are of most concern. To reproduce, simply open a browser alongside a packet sniffer and, for example, visit http://1.1.1.1:3389. The TCP connection's packets will subsequently leak outside of the tunnel and expose the VPN user's origin IP address (verified over IPv4; IPv6 may also be vulnerable). You can also run the 'mstsc' command in Windows and attempt to connect to any internet host's address in the Terminal Services client, but testing inside the browser's address bar is the quickest method to confirm this issue.
The software version affected is the latest build of the ExpressVPN app v12.100.0.2 on Windows. My OS platform is Windows 10 Pro x64 v22H2 build 19045.5247. At this time I'm not sure if previous versions of ExpressVPN are also affected or if it occurs on any of the other supported platforms, since I haven't tested them yet. It needs to be noted that I've also observed RDP traffic leakage inside my BitTorrent client when it selected TCP 3389 as the source port for communication with a remote peer in the swarm. In this case a full TCP connection was established, data was exchanged, and the connection was gracefully closed. I couldn't reproduce the leakage there, as it may be conditional, but making TCP connection attempts to a remote host on port 3389 was immediately reproducible. A brief Wireshark packet capture has been attached (the remote endpoint didn't have TCP 3389/Remote Desktop open).
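The check the report describes (a sniffer on the physical adapter showing TCP to or from port 3389 leaving with the origin IP instead of inside the tunnel) can be automated over a capture. The following is an added example, not code from the report or from ExpressVPN; the addresses, the sample frames and the `find_leaks` / `rdp_related` helpers are constructed for illustration.

```python
import socket
import struct
from typing import List, Optional, Tuple

# Constructed addresses (hypothetical, not taken from the report).
PHYSICAL_IP = "192.168.1.50"    # physical adapter address, i.e. the origin IP a leak exposes
VPN_SERVER_IP = "198.51.100.9"  # the only peer the physical adapter should reach while connected
RDP_PORT = 3389

Flow = Tuple[str, str, int, int]  # (src_ip, dst_ip, src_port, dst_port)

def parse_tcp_frame(frame: bytes) -> Optional[Flow]:
    """Decode Ethernet/IPv4/TCP headers; return None for anything that is not IPv4 TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IPv4 protocol field, 6 = TCP
        return None
    src_ip = socket.inet_ntoa(frame[26:30])
    dst_ip = socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:14 + ihl + 4]
    if len(tcp) < 4:
        return None
    src_port, dst_port = struct.unpack("!HH", tcp)
    return (src_ip, dst_ip, src_port, dst_port)

def find_leaks(frames: List[bytes], physical_ip: str, vpn_server_ip: str) -> List[Flow]:
    """Flows that left the physical adapter unencapsulated. With the tunnel up, the only
    traffic from the physical address should go to the VPN server; any plain TCP from that
    address to another host bypassed the tunnel (and Network Lock), whatever port it used."""
    leaks = []
    for frame in frames:
        flow = parse_tcp_frame(frame)
        if flow and flow[0] == physical_ip and flow[1] != vpn_server_ip:
            leaks.append(flow)
    return leaks

def rdp_related(flow: Flow) -> bool:
    """True when either end is 3389: destination (browser test) or source (BitTorrent case)."""
    return RDP_PORT in (flow[2], flow[3])

def build_syn(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Minimal Ethernet+IPv4+TCP SYN frame for the constructed capture (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp

# Constructed capture from the physical adapter: browser attempt to remote 3389, a peer
# connection with 3389 as the local source port, and legitimate traffic to the VPN server.
SAMPLE_CAPTURE = [
    build_syn(PHYSICAL_IP, "1.1.1.1", 51000, RDP_PORT),
    build_syn(PHYSICAL_IP, "203.0.113.7", RDP_PORT, 6881),
    build_syn(PHYSICAL_IP, VPN_SERVER_IP, 51002, 443),
]
```

Run against a real export of the physical adapter's frames, the same function reports every TCP flow that escaped the tunnel, so a clean result after the fix is the evidence that the bypass is closed.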