Posted by Maniaque on October 10, 2007, 6:41 am
[this is a repost, I also sent to alt.computer.security]
Sorry I'm new here, not sure this is the right newsgroup to post to -
I have a question that is about routers, security, and connectivity
all rolled into one.
Yesterday while I was working on my desktop all of a sudden a session
kicked in on my VNC server - my desktop background image disappeared
and the RealVNC system tray icon turned black to indicate a session in
progress. Within a couple of seconds, something hit my start menu, run
dialog, "cmd", and typed "TFT" in the new command prompt window. At
this point I panicked and shut down the VNC service ASAP.
This post is not actually about the VNC problem, I found out today
that the version I used had a known security flaw that allowed
bypassing the password prompt. That is clearly what happened there,
and could be easily fixed with upgrading to the newest version.
My question is how the attacker got to my VNC port!
Here's all the background I can muster:
- I am running an ADSL router, "Xavi" brand, "7028r" model, and it
seems to run a "GlobespanVirata" chipset. This was provided to me by
my previous ADSL provider, Telefonica Spain.
- I have a standard NAT lan, with a variety of devices connecting to
the internet through the router.
- I have certain very specific ports forwarded to my desktop for
remote access, peer-to-peer connectivity, etc.
- I am NOT forwarding either of the VNC ports (standard ports 5900
and 5800), so to my limited knowledge the VNC service should not be
accessible from the internet. I have of course tested this, and found
that to be correct. The VNC service is not publicly accessible.
- I do not have the firewall enabled on the router, because I assumed
the NAT basically made it safe. I tried enabling the router firewall
today but it also seems to block the services that I need to be able
to access from the internet (eg HTTP, I run a small webserver), so
that does not work for me.
- I WAS running uTorrent at the time of the attack (and had been for
a few hours)
- I did get the IP address of the attacker from my VNC log, it was
"85.239.126.86", an address in Germany. I have not looked for or found
any further information. I guess I could try a port scan but I assume
it's a zombie computer so what's the point.
Now my understanding is that "85.239.126.86" being an internet
address, for the VNC session to work that address would need to be
routable - the only way that that address could be routed on my
network is through the ADSL router / gateway (I think). In theory I
guess there could have been some sort of local tunnel set up, but I
assume that would have required a virtual network adapter to have been
set up on my computer? (I saw nothing like that, and virus and spyware
scans have come up clean).
If it was routed through my router, how could the attacker have
convinced the router to initiate the communication to my internal port
5900 on that particular machine??? The safety of a NAT, as I
understand it, is that remote hosts cannot access an internal address
unless there is explicit port forwarding enabled, or the session is
initiated by a host behind the NAT, is that not correct?
I guess I'm only coming to the real point of my post now - assuming
that I'm on the right track, and that this communication on port 5900
was happily handled by my router, could it have been initiated by
another program on my desktop, specifically the uTorrent client? I've
been logging sessions on my router since this morning, and I see that
client connections are opened by the uTorrent client (very frequently,
thousands per hour) with random local port numbers, that slowly seem
to increase / cycle. Is it possible that the uTorrent client made a
client connection using local port number 5900 (which was also being
used by the VNC server), and the computer/remote host that the
uTorrent client was connecting to took advantage of this situation to
test / probe / attack the VNC server on that port?
I guess the questions are:
- is it possible for a client TCP connection to be initiated by a
local "client" program from a port that is already being used by a
"server" program, like VNC server?
- what are the chances, statistically speaking, that this would
happen? Would it be worth a hacker's time to set up servers as
bittorrent participants / seeds in the hopes that some client computer
makes a connection using a special port (eg VNC), which could then
allow the computer's VNC server to be probed / tested for the known
VNC vulnerability? It's the only explanation that I can think of, but
I just can't see how it would be worth a hacker's time!
Final blurb: I set up a syslog server on my desktop and have been
logging all incoming and outgoing sessions from my router (generating
a nasty amount of log data, but I'll put up with it). This way I'll be
able to see how the session gets set up, if I ever become aware of
another similar situation. I will upgrade my VNC server of course, so
the attack would need to use another vector. My concern of course is
that I may NOT be aware of it next time. My desktop is not hardened as
a public server with all ports exposed - I'm very much counting on the
fact that only specific selected ports should be accessible from
outside. In theory, if any port on the desktop can be exposed, then my
windows filesharing setup is just one of the things that would be
vulnerable to brute-force attack. Is there anything else I can do to
investigate this or help prevent future issues? Does anyone have any
experience with the Xavi router or GlobespanVirata chipset that could
help me get it set up to prevent this from happening again? For now I
will probably install a local firewall on the desktop allowing only
the servers I need to work, but that of course makes all sorts of
things more complicated - file and printer sharing, VPN client
software setup, HTTP proxy setup, etc etc. I just wish I could feel
safe in my own network again!
Sorry about the monster first post, I would appreciate any and all
feedback.
Thanks,
Tao
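The original poster mentions that he has started forwarding the router's session log to a syslog server on his desktop so he can see how a future session gets set up. The script below is an added example (not code from anyone in this thread) of the two checks that log is useful for: inbound sessions that reach a LAN port no forwarding rule should expose, and outbound sessions whose local source port collides with a listening service port (the uTorrent hypothesis above). The log line format, the forwarded-port list and the addresses are all constructed, since the thread does not show the Xavi router's actual syslog layout.

```python
"""Scan router session logs for sessions a NAT with fixed port forwards should never show.

Added example, not code from the thread. The key=value log format is an
assumption: the poster's Xavi router sends session records to syslog, but the
exact layout is not shown in the thread.
"""
import re
from dataclasses import dataclass

# Ports the LAN host deliberately exposes (constructed list; the thread only
# mentions HTTP plus "remote access" and "peer-to-peer" without numbers).
FORWARDED_PORTS = {80, 22, 6881}

# Ports bound by local servers that must never appear as an outbound source
# port (standard VNC ports from the thread).
SERVER_PORTS = {5900, 5800}

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Oct 10 06:30:01 router nat: dir=out proto=tcp src=192.168.1.10:49152 dst=198.51.100.7:6881
Oct 10 06:30:05 router nat: dir=in proto=tcp src=203.0.113.9:51234 dst=192.168.1.10:80
Oct 10 06:31:12 router nat: dir=in proto=tcp src=203.0.113.44:40000 dst=192.168.1.10:5900
Oct 10 06:31:15 router nat: dir=out proto=udp src=192.168.1.10:5900 dst=198.51.100.20:6881
Oct 10 06:32:00 router nat: dir=in proto=tcp src=203.0.113.9:51300 dst=192.168.1.10:445
Oct 10 06:32:30 router kernel: link up on ppp0
"""

LINE_RE = re.compile(
    r"dir=(?P<dir>in|out) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Session:
    direction: str  # "in" = Internet -> LAN, "out" = LAN -> Internet
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_sessions(text: str) -> list:
    """Extract session records; unrelated syslog lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sessions.append(Session(m["dir"], m["proto"], m["src"], int(m["sport"]),
                                m["dst"], int(m["dport"])))
    return sessions


def unexpected_inbound(sessions, forwarded=FORWARDED_PORTS):
    """Inbound sessions to LAN ports with no forwarding rule.

    Returned as (remote address, internal port) so they can be matched against
    the VNC server's own log of connecting addresses.
    """
    return [(s.src, s.dport) for s in sessions
            if s.direction == "in" and s.dport not in forwarded]


def outbound_from_server_ports(sessions, server_ports=SERVER_PORTS):
    """Outbound sessions whose local source port is one a server listens on.

    Any hit here is worth a closer look: for a client to use such a port it
    would have to share it with the listening service (note a UDP source port
    does not collide with a TCP listener; the check is deliberately broad).
    """
    return [(s.proto, s.src, s.sport, s.dst) for s in sessions
            if s.direction == "out" and s.sport in server_ports]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for remote, port in unexpected_inbound(sessions):
        print(f"inbound session from {remote} to non-forwarded port {port}")
    for proto, src, sport, dst in outbound_from_server_ports(sessions):
        print(f"outbound {proto} from {src}:{sport} (a server port) to {dst}")
```

Run it against the real syslog capture instead of `SAMPLE_LOG` once the router's actual line format is known; only `LINE_RE` needs to change.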
Posted by Sebastian G. on October 10, 2007, 12:35 pm
Maniaque wrote:
> - I do not have the firewall enabled on the router, because I assumed
> the NAT basically made it safe.
NAT doesn't make it safe.
> If it was routed through my router, how could the attacker have
> convinced the router to initiate the communication to my internal port
> 5900 on that particular machine???
Simply ask for it? Wait until it comes up?
> The safety of a NAT, as I
> understand it, is that remote hosts cannot access an internal address
> unless there is explicit port forwarding enabled, or the session is
> initiated by a host behind the NAT, is that not correct?
What about implicit forwarding, for example by protocol helper implementations?
> Is it possible that the uTorrent client made a
> client connection using local port number 5900 (which was also being
> used by the VNC server), and the computer/remote host that the
> uTorrent client was connecting to took advantage of this situation to
> test / probe / attack the VNC server on that port?
No.
> I guess the questions are:
> - is it possible for a client TCP connection to be initiated by a
> local "client" program from a port that is already being used by a
> "server" program, like VNC server?
No, but using a protocol helper you can do this for a different port.
> - what are the chances, statistically speaking, that this would
> happen? Would it be worth a hacker's time to set up servers as
> bittorrent participants / seeds in the hopes that some client computer
> makes a connection using a special port (eg VNC), which could then
> allow the computer's VNC server to be probed / tested for the known
> VNC vulnerability? It's the only explanation that I can think of, but
> I just can't see how it would be worth a hacker's time!
Assuming that the timeout for the NAT table entries is five minutes, it
could be a completely different source.
> I'm very much counting on the
> fact that only specific selected ports should be accessible from
> outside.
Then implement this concept.
> In theory, if any port on the desktop can be exposed, then my
> windows filesharing setup is just one of the things that would be
> vulnerable to brute-force attack.
Or DoS attacks.
> Is there anything else I can do to
> investigate this or help prevent future issues? Does anyone have any
> experience with the Xavi router or GlobespanVirata chipset that could
> help me get it set up to prevent this from happening again?
Maybe, but unless you know the implementation....
Posted by Maniaque on October 11, 2007, 3:47 am
OK, thanks very much for the reply, although now I feel like I've been
made to wear the donkey hat and stand in the corner of the
classroom... :)
> Simply ask for it?
What do you mean by "Ask for it"? If I do that (from outside the
network), I get no response, because there is no "Default host" set up
behind my NAT, and no port forwarding for that port - if an explicit
port forwarding has not been set up, how can a remote host "Ask for"
that server? Is this something that is allowed by the average NAT but
requires extra network programming skills?
> Wait until it comes up?
But why would it ever come up? Why would that port ever be opened to
the outside from that machine? The port is bound to the VNC server (so
no other program on the desktop should be able to do anything with it,
as I understand?), and not forwarded on the router, so there should be
no reason for a NAT session entry pointing that port to the outside
ever to be opened, right? (I certainly don't open VNC connections to
the internet, despite my limited knowledge I am very aware that basic
VNC communication is totally unprotected, both authentication and
data)
>
> > The safety of a NAT, as I
> > understand it, is that remote hosts cannot access an internal address
> > unless there is explicit port forwarding enabled, or the session is
> > initiated by a host behind the NAT, is that not correct?
>
> What about implicit forwarding, for example by protocol helper implementations?
>
Sounds interesting, what is this? Is this the sort of thing that can
sometimes make regular "Active" FTP work from behind a NAT, where the
firewall automatically sees the FTP control port communication and
opens up/forwards the data port as required? If so, how could the
router be convinced to do this for an arbitrary port? Is there some
sort of standard for triggering this behaviour?
I have just tested Active FTP from behind my NAT and it did not work
(to an FTP server where passive FTP is working without issues) - does
that say anything about this possibility?
>
> > I guess the questions are:
> > - is it possible for a client TCP connection to be initiated by a
> > local "client" program from a port that is already being used by a
> > "server" program, like VNC server?
>
> No, but using a protocol helper you can do this for a different port.
I've searched online for any information about "protocol helper", it
seems to be synonymous with "IP helper" - I see a windows API, but
that looks like it would require the attacker to be running arbitrary C/
C++ code on the desktop (or other device on the network?). Do you know
where I could find any information about what this is, how it works
etc?
>
> Assuming that the timeout for the NAT table entries is five minutes, it
> could be a completely different source.
>
OK, I'm going to show my complete lack of understanding about how NAT
works here (if I haven't already :)), but it's the NAT device keeping
track of the ip addresses (and some additional "magic" session
information?) at both ends of the communication? What happens if two
client machines try to open a connection from the same client-side
port at the same time, does the NAT simply refuse one of them? I was
under the impression that there could be multiple machines
communicating to/from the same port from behind a NAT without
problems. For that to be true, the NAT device would need to be looking
at each incoming packet and sending it to the correct internal host
based on some filtering logic, right (rather than a simple temporary
port-to-host mapping table)? Are you saying that some arbitrary third-
party IP address can send in a packet and have it be routed to a
specific host behind the NAT, as long as the attacker has seen one of
the packets of the communication between the legitimate remote host
and the local host behind the NAT?
If I understand what you are saying correctly, and a remote attacker
can actually direct arbitrary packets into any existing NAT session by
spying on a legitimate packet destined to/from the NAT-ed host, that
still doesn't explain how the port session could be opened on the NAT
device in the first place - is this where you are saying that the
"Protocol Helper" comes in?
> > I'm very much counting on the
> > fact that only specific selected ports should be accessible from
> > outside.
>
> Then implement this concept.
>
So... given that my ADSL connection uses PPPoA (which is non-
bridgeable I believe, as opposed to PPPoE), I would need to set up a
second router/firewall/NAT device like a linksys wrt54G to sit behind
the telecoms-operator-provided Xavi router, forward the appropriate
ports through both devices, and make sure that the firewall is turned
on on the wrt54g? I can only assume that what was "missing" in my
original setup was a firewall (which my adsl router claims to have,
but when I turn it on all the port forwarding stops working, which
sort of defeats the purpose). Or do you have any other suggestions on
how this can be done using home equipment?
> > In theory, if any port on the desktop can be exposed, then my
> > windows filesharing setup is just one of the things that would be
> > vulnerable to brute-force attack.
>
> Or DoS attacks.
Meh, I'm not so concerned. Why would anyone bother? I'm a home user,
I'm running a silly little website with 10 pageviews/month, my only
concern is that someone gets into my machine / network and installs
malicious code, spies on me, enlists my computer into a botnet of some
sort, turns me into an infection vector for some or other virus /
worm / trojan, etc. That would suck. It is incredibly unpleasant to
have your desktop suddenly taken over via VNC, too, although I don't
think that can happen again in quite the same way, I did upgrade away
from the defective RealVNC version.
>
> > Is there anything else I can do to
> > investigate this or help prevent future issues? Does anyone have any
> > experience with the Xavi router or GlobespanVirata chipset that could
> > help me get it set up to prevent this from happening again?
>
> Maybe, but unless you know the implementation....
Not sure what you meant here - I know exactly how I have everything
set up, but I don't know much about the workings / functionality of
the router itself. There are no configuration manuals online or
anything. In fact, I was able to get it to forward logging info to a
syslog server on my desktop by browsing through and editing the
"configuration backup" file, but afterwards remembered what I'd read a
few months ago on some forum - you have to turn logging off on this
router, because otherwise it hangs when it runs out of log space. No
cycling, no "forward to syslog server but do not store locally", it
simply hangs.
So it looks like at an absolute minimum I'm going to need to set up
the second-level linksys wrt54g firewall/router, but I guess I'd like
your criticism if you have any thoughts on the sensibleness of this
idea, and whether it helps to "implement this concept" as you
suggested above :)
Thanks so much for the feedback!
Tao
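Sebastian's remark that, with a five-minute NAT table timeout, the traffic "could be a completely different source", together with the questions above about how a NAT decides which internal host an incoming packet belongs to, come down to what the router keeps in its translation table and how strictly it checks the sender. The following is an added example, written for this thread rather than taken from any poster or vendor: a toy model of a NAT translation table with an idle timeout and the three filtering behaviours commonly distinguished (full-cone, address-restricted, port-restricted). It shows that on a full-cone NAT any Internet host can reach the LAN host behind an outbound mapping until the entry expires, while restricted modes only pass packets from the peer the LAN host actually contacted. Real routers differ in details (timeouts, port allocation, TCP state tracking), so treat the numbers and the mode names as assumptions for illustration.

```python
"""Toy NAT translation table: who can send packets into an outbound mapping?

Added example, not code from anyone in the thread. Simplified model of the
NAT behaviours under discussion; real routers differ in their details.
"""
from dataclasses import dataclass, field

FULL_CONE = "full-cone"                    # any external host may use the mapping
ADDRESS_RESTRICTED = "address-restricted"  # only hosts the LAN side has sent to
PORT_RESTRICTED = "port-restricted"        # only the exact host:port sent to


@dataclass
class Mapping:
    internal: tuple          # (lan_ip, lan_port) behind the mapping
    external_port: int       # port on the router's public address
    last_used: float         # seconds; idle timer base
    peers: set = field(default_factory=set)  # (ip, port) the LAN host sent to


class NatTable:
    def __init__(self, mode=FULL_CONE, idle_timeout=300.0, first_port=40000):
        self.mode = mode
        self.idle_timeout = idle_timeout      # five minutes, as in the thread
        self._next_port = first_port
        self._by_internal = {}                # (lan_ip, lan_port) -> Mapping
        self._by_external = {}                # external_port -> Mapping

    def _expire(self, now):
        """Drop entries idle longer than the timeout (what frees the port again)."""
        for port, m in list(self._by_external.items()):
            if now - m.last_used > self.idle_timeout:
                del self._by_external[port]
                del self._by_internal[m.internal]

    def outbound(self, lan_ip, lan_port, peer_ip, peer_port, now):
        """LAN host sends a packet: create or refresh its mapping, return the external port."""
        self._expire(now)
        key = (lan_ip, lan_port)
        m = self._by_internal.get(key)
        if m is None:
            m = Mapping(key, self._next_port, now)
            self._next_port += 1
            self._by_internal[key] = m
            self._by_external[m.external_port] = m
        m.last_used = now
        m.peers.add((peer_ip, peer_port))
        return m.external_port

    def inbound(self, src_ip, src_port, external_port, now):
        """Packet from the Internet to the router's external port.

        Returns the (lan_ip, lan_port) it is delivered to, or None if dropped.
        With no mapping (and, in this model, no static port forward) it is
        dropped; that is the only protection a plain NAT gives.
        """
        self._expire(now)
        m = self._by_external.get(external_port)
        if m is None:
            return None
        if self.mode == ADDRESS_RESTRICTED and src_ip not in {ip for ip, _ in m.peers}:
            return None
        if self.mode == PORT_RESTRICTED and (src_ip, src_port) not in m.peers:
            return None
        m.last_used = now
        return m.internal


def stranger_reaches_lan_host(mode):
    """Scenario: the LAN host talks to peer A from some local port; a different
    host B then sends to the same external port within the timeout.
    True if B's packet is delivered to the LAN host (constructed addresses)."""
    nat = NatTable(mode=mode)
    ext = nat.outbound("192.168.1.10", 49152, "198.51.100.7", 6881, now=0.0)
    return nat.inbound("203.0.113.44", 40000, ext, now=10.0) == ("192.168.1.10", 49152)


def mapping_expires(mode=FULL_CONE):
    """The legitimate peer can reply while the entry is fresh, not after it idles out."""
    nat = NatTable(mode=mode, idle_timeout=300.0)
    ext = nat.outbound("192.168.1.10", 49152, "198.51.100.7", 6881, now=0.0)
    alive = nat.inbound("198.51.100.7", 6881, ext, now=100.0) is not None
    gone = nat.inbound("198.51.100.7", 6881, ext, now=100.0 + 301.0) is None
    return alive and gone


if __name__ == "__main__":
    for mode in (FULL_CONE, ADDRESS_RESTRICTED, PORT_RESTRICTED):
        print(f"{mode:20s} stranger delivered: {stranger_reaches_lan_host(mode)}")
    print("idle entry expires:", mapping_expires())
```

Note what the model does and does not say: even on a full-cone NAT the stranger only reaches the internal port behind an existing outbound mapping, so a port that no LAN program ever sends from (and that is not forwarded) stays unreachable. That is why the poster's log of outbound sessions, including their local source ports, is the right place to look.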
Posted by Leythos on October 11, 2007, 6:31 am
maniaque27@gmail.com says...
> I would need to set up a
> second router/firewall/NAT device like a linksys wrt54G to sit behind
> the telecoms-operator-provided Xavi router, forward the appropriate
> ports through both devices, and make sure that the firewall is turned
> on on the wrt54g? I can only assume that what was "missing" in my
> original setup was a firewall (which my adsl router claims to have,
> but when I turn it on all the port forwarding stops working, which
> sort of defeats the purpose). Or do you have any other suggestions on
> how this can be done using home equipment?
A NAT is not a firewall at all, it's basic routing - Most non-technical
types call NAT Routers firewalls, they are not.
A WRT54G is not a firewall, it's a NAT router. NAT blocks "unsolicited"
inbound traffic, that's all.
No, port forwarding is what your problem is - if you forward ports then
you expose your computer/network and that's how people reach your
computer to do things you don't want.
You should learn to post in one group or to cross post so that your
thread is easy to work with for multiple groups that you've done this
in.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Posted by Maniaque on October 11, 2007, 12:31 pm
> maniaqu...@gmail.com says...
>
>
> A NAT is not a firewall at all, it's basic routing - Most non-technical
> types call NAT Routers firewalls, they are not.
That I understand, but I'm always a little confused about what the
difference exactly is... a firewall is a device that only allows
connections that you want to allow - a NAT is a device that allows
outgoing connections arbitrarily, but normally (or only sometimes? see
the STUN information Chris mentioned) prevents arbitrary incoming
connections. Most home routers additionally claim to have a "firewall"
function that you can turn on / off (including the WRT54G) - when do
you decide what is and what is not a firewall? I really would like to
know, it's something that's puzzled me for years. Some things are
clearly not a firewall at all, like a "Full-cone" NAT router. Some
things are clearly a firewall first, and anything else after, like one
of those Cisco devices. But aren't most home routers somewhere in-
between?
>
> a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited"
> inbound traffic, that's all.
not true. the WRT54G can block outgoing connections based on any
number of specified parameters, and then it has all those extra fancy
features that I don't understand ;)
- Firewall Protection: Enable / Disable
- Additional Filters:
- Filter Proxy
- Filter Cookies
- Filter Java Applets
- Filter ActiveX
- Block Portscans
- Filter P2P Applications
- Block WAN Requests
- Block Anonymous Internet Requests
- Filter Multicast
- Filter Internet NAT Redirection
- Filter IDENT (Port 113)
>
> No, port forwarding is what your problem is - if you forward ports then
> you expose your computer/network and that's how people reach your
> computer to do things you don't want.
>
Only if they get past the intended security of the service in
question, right?
> You should learn to post in one group or to cross post so that your
> thread is easy to work with for multiple groups that you've done this
> in.
>
Yep, thanks.
Tao