
Hacker accessed VNC service behind NAT??


Maniaque

Oct 10, 2007, 6:27:58 AM10/10/07
Sorry I'm new here, not sure this is the right newsgroup to post to -
I have a question that is about routers, security, and connectivity
all rolled into one.

Yesterday while I was working on my desktop all of a sudden a session
kicked in on my VNC server - my desktop background image disappeared
and the RealVNC system tray icon turned black to indicate a session in
progress. Within a couple of seconds, something hit my start menu, run
dialog, "cmd", and typed "TFT" in the new command prompt window. At
this point I panicked and shut down the VNC service ASAP.

This post is not actually about the VNC problem, I found out today
that the version I used had a known security flaw that allowed
bypassing the password prompt. That is clearly what happened there,
and could be easily fixed with upgrading to the newest version.

My question is how the attacker got to my VNC port!

Here's all the background I can muster:

- I am running an ADSL router, "Xavi" brand, "7028r" model, and it
seems to run a "GlobespanVirata" chipset. This was provided to me by
my previous ADSL provider, Telefonica Spain.
- I have a standard NAT lan, with a variety of devices connecting to
the internet through the router.
- I have certain very specific ports forwarded to my desktop for
remote access, peer-to-peer connectivity, etc.
- I am NOT forwarding either of the VNC ports (standard ports 5900
and 5800), so to my limited knowledge the VNC service should not be
accessible from the internet. I have of course tested this, and found
that to be correct. The VNC service is not publicly accessible.
- I do not have the firewall enabled on the router, because I assumed
the NAT basically made it safe. I tried enabling the router firewall
today but it also seems to block the services that I need to be able
to access from the internet (eg HTTP, I run a small webserver), so
that does not work for me.
- I WAS running uTorrent at the time of the attack (and had been for
a few hours)
- I did get the IP address of the attacker from my VNC log, it was
"85.239.126.86", an address in Germany. I have not looked for or found
any further information. I guess I could try a port scan but I assume
it's a zombie computer so what's the point.

Now my understanding is that "85.239.126.86" being an internet
address, for the VNC session to work that address would need to be
routable - the only way that that address could be routed on my
network is through the ADSL router / gateway (I think). In theory I
guess there could have been some sort of local tunnel set up, but I
assume that would have required a virtual network adapter to have been
set up on my computer? (I saw nothing like that, and virus and spyware
scans have come up clean).

If it was routed through my router, how could the attacker have
convinced the router to initiate the communication to my internal port
5900 on that particular machine??? The safety of a NAT, as I
understand it, is that remote hosts cannot access an internal address
unless there is explicit port forwarding enabled, or the session is
initiated by a host behind the NAT, is that not correct?

I guess I'm only coming to the real point of my post now - assuming
that I'm on the right track, and that this communication on port 5900
was happily handled by my router, could it have been initiated by
another program on my desktop, specifically the uTorrent client? I've
been logging sessions on my router since this morning, and I see that
client connections are opened by the uTorrent client (very frequently,
thousands per hour) with random local port numbers, that slowly seem
to increase / cycle. It is possible that the uTorrent client made a
client connection using local port number 5900 (which was also being
used by the VNC server), and the computer/remote host that the
uTorrent client was connecting to took advantage of this situation to
test / probe / attack the VNC server on that port?

I guess the questions are:
- is it possible for a client TCP connection to be initiated by a
local "client" program from a port that is already being used by a
"server" program, like VNC server?
- what are the chances, statistically speaking, that this would
happen? Would it be worth a hacker's time to set up servers as
bittorrent participants / seeds in the hopes that some client computer
makes a connection using a special port (eg VNC), which could then
allow the computer's VNC server to be probed / tested for the known
VNC vulnerability? It's the only explanation that I can think of, but
I just can't see how it would be worth a hacker's time!

Final blurb: I set up a syslog server on my desktop and have been
logging all incoming and outgoing sessions from my router (generating
a nasty amount of log data, but I'll put up with it). This way I'll be
able to see how the session gets set up, if I ever become aware of
another similar situation. I will upgrade my VNC server of course, so
the attack would need to use another vector. My concern of course is
that I may NOT be aware of it next time. My desktop is not hardened as
a public server with all ports exposed - I'm very much counting on the
fact that only specific selected ports should be accessible from
outside. In theory, if any port on the desktop can be exposed, then my
Windows filesharing setup is just one of the things that would be
vulnerable to brute-force attack. Is there anything else I can do to
investigate this or help prevent future issues? Does anyone have any
experience with the Xavi router or GlobespanVirata chipset that could
help me get it set up to prevent this from happening again? For now I
will probably install a local firewall on the desktop allowing only
the servers I need to work, but that of course makes all sorts of
things more complicated - file and printer sharing, VPN client
software setup, HTTP proxy setup, etc etc. I just wish I could feel
safe in my own network again!

Sorry about the monster first post, I would appreciate any and all
feedback.

Thanks,
Tao
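The poster set up a syslog server to record every incoming and outgoing session the router handles, so that a repeat of the incident leaves a trace. The script below is an added example (not from the thread) of how to triage such a log: it lists every inbound session to the desktop whose destination port is not in the explicit forwarding list, and separately lists outbound sessions whose source port is a local service port, which is the scenario the first question asks about. The Xavi router's real log format is not shown in the thread, so the sample lines are constructed in a generic "dir=... src=... dst=..." form and the regex should be adapted to the actual syslog output; the desktop address 192.168.2.11 and the attacker address come from the thread, while the forwarding list (80 and 6881) and all timestamps and peer addresses are assumptions.

```python
"""Triage of router session logs for inbound sessions that NAT should not have allowed.

Added example, not from the thread. Log format, forwarding list and peer
addresses are constructed for illustration.
"""
import re
from collections import Counter

DESKTOP_IP = "192.168.2.11"       # internal address quoted in the thread
FORWARDED_PORTS = {80, 6881}      # assumed explicit forwards: web server, p2p
SERVICE_PORTS = {5800, 5900}      # VNC listeners that must never appear as a client source port

# Generic session line; adapt to the real router's syslog output.
LINE_RE = re.compile(
    r"(?P<ts>\S+ \d+ [\d:]+) \S+ .*?dir=(?P<dir>in|out) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)"
)

# Constructed sample: one outbound p2p session, two legitimate forwarded inbound
# sessions, then two inbound sessions to the VNC ports that were never forwarded.
SAMPLE_LOG = """\
Oct 10 06:20:01 router nat: dir=out src=192.168.2.11:41022 dst=198.51.100.20:6881 proto=tcp
Oct 10 06:20:03 router nat: dir=in src=198.51.100.20:51200 dst=192.168.2.11:6881 proto=tcp
Oct 10 06:21:10 router nat: dir=in src=198.51.100.44:53011 dst=192.168.2.11:80 proto=tcp
Oct 10 06:25:40 router nat: dir=in src=85.239.126.86:3412 dst=192.168.2.11:5900 proto=tcp
Oct 10 06:25:41 router nat: dir=in src=85.239.126.86:3413 dst=192.168.2.11:5800 proto=tcp
"""


def parse_sessions(text):
    """Return one dict per parsable session line; unparsable lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        sessions.append(d)
    return sessions


def unexpected_inbound(sessions, host=DESKTOP_IP, allowed=FORWARDED_PORTS):
    """Inbound sessions to `host` on a port that is not explicitly forwarded.

    Under plain NAT none of these should exist; each one means the router
    created a mapping by some other route (e.g. a NAT helper)."""
    return [s for s in sessions
            if s["dir"] == "in" and s["dip"] == host and s["dport"] not in allowed]


def outbound_from_service_port(sessions, host=DESKTOP_IP, service_ports=SERVICE_PORTS):
    """Outbound sessions whose local source port collides with a listening service."""
    return [s for s in sessions
            if s["dir"] == "out" and s["sip"] == host and s["sport"] in service_ports]


def inbound_port_summary(sessions, host=DESKTOP_IP):
    """Count inbound sessions per destination port, for a quick overview."""
    return Counter(s["dport"] for s in sessions if s["dir"] == "in" and s["dip"] == host)


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    print("inbound sessions per port:", dict(inbound_port_summary(sess)))
    for s in unexpected_inbound(sess):
        print(f"UNEXPECTED inbound {s['sip']}:{s['sport']} -> {s['dip']}:{s['dport']} at {s['ts']}")
    for s in outbound_from_service_port(sess):
        print(f"service port used as client source: {s['sip']}:{s['sport']} -> {s['dip']}:{s['dport']}")
```

Run it against the real syslog capture after adjusting `LINE_RE`; the first list is the one that matters, since any entry in it is a session the router let in without an explicit forward.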

Michael Ziegler

Oct 11, 2007, 12:23:36 PM10/11/07
Maniaque wrote:
> - I am NOT forwarding either of the VNC ports (standard ports 5900
> and 5800), so to my limited knowledge the VNC service should not be
> accessible from the internet. I have of course tested this, and found
> that to be correct. The VNC service is not publicly accessible.

Not by means of connecting directly, that is correct. However, the
attacker could still have misused NAT helper programs on your router
(like a NAT helper for active FTP) to get the router to forward the VNC
ports.

> - I do not have the firewall enabled on the router, because I assumed
> the NAT basically made it safe.

That is plain wrong.
NAT is not intended to be a security technique, but instead to provide
connectivity to multiple devices using a single public IP. Has your PC
been the only device running at this time? Then maybe your router simply
forwarded every packet that arrived to your PC, or the NAT helpers may
have been abused.
NAT does not improve security, that's what you use the firewall/packet
filter for.

> I tried enabling the router firewall
> today but it also seems to block the services that I need to be able
> to access from the internet (eg HTTP, I run a small webserver), so
> that does not work for me.

Then it is misconfigured. You need to enable access to these specific
ports, and then tell the NAT part of your router to forward these ports
to your host PC. That way, the services you want to provide will be
reachable - and nothing else.

Michael

Maniaque

Oct 11, 2007, 12:54:53 PM10/11/07
On Oct 11, 12:23 pm, Michael Ziegler <haettsteg...@hoster.invalid>
wrote:

> Maniaque wrote:
> > - I am NOT forwarding either of the VNC ports (standard ports 5900
> > and 5800), so to my limited knowledge the VNC service should not be
> > accessible from the internet. I have of course tested this, and found
> > that to be correct. The VNC service is not publicly accessible.
>
> Not by means of connecting directly, that is correct. However, the
> attacker could still have misused NAT helper programs on your router
> (like a NAT helper for active FTP) to get the router to forward the VNC
> ports.
>

Ok, that rings a bell. So something like:
- I request a web page or some other arbitrary TCP connection on some
hostile server, maybe as part of a BitTorrent download
- The hostile server responds with something that looks like an FTP
response saying "Open port 5900 so that I can send you the FTP data"
- the router happily opens the requested port to that machine, and
all hell breaks loose

If this is correct, is there any way to see what "NAT Helpers" a NAT
router may have? Are there standard security scans for this? I ask
because I plan to put another home router/firewall device (WRT54G)
between me and the existing router (with the firewall functions
enabled this time!), but I'd like to be able to check after I'm done
that this sort of thing is no longer possible.

> > - I do not have the firewall enabled on the router, because I assumed
> > the NAT basically made it safe.
>
> That is plain wrong.
> NAT is not intended to be a security technique, but instead to provide
> connectivity to multiple devices using a single public IP. Has your PC
> been the only device running at this time? Then maybe your router simply
> forwarded every packet that arrived to your PC, or the NAT helpers may
> have been abused.
> NAT does not improve security, that's what you use the firewall/packet
> filter for.
>

No, I have several devices, no "default server" set up on the NAT, and
only specific intended services forwarded to one server. But I am
planning on adding the other router, like I said, so that I can enable
the firewall function without losing the forwarding ability.

> > I tried enabling the router firewall
> > today but it also seems to block the services that I need to be able
> > to access from the internet (eg HTTP, I run a small webserver), so
> > that does not work for me.
>
> Then it is misconfigured. You need to enable access to these specific
> ports, and then tell the NAT part of your router to forward these ports
> to your host PC. That way, the services you want to provide will be
> reachable - and nothing else.
>

Yep, I can do that with the WRT54G device in-between, and I guess
that's what I'll do.

Thanks very much!
Tao


Michael Ziegler

Oct 11, 2007, 1:42:47 PM10/11/07
Maniaque wrote:
> - I request a web page or some other arbitrary TCP connection on some
> hostile server, maybe as part of a BitTorrent download
> - The hostile server responds with something that looks like an FTP
> response saying "Open port 5900 so that I can send you the FTP data"
> - the router happily opens the requested port to that machine, and
> all hell breaks loose

In fact, I'm not sure exactly how this works, as I'm currently learning
about this stuff myself. According to my understanding, somehow the
router is led to believe that the attacker is trying to do active FTP,
and opening an FTP data channel.

> If this is correct, is there any way to see what "NAT Helpers" a NAT
> router may have?

That would very much depend on your router. I'm not familiar with it, so
I don't know :(

> Are there standard security scans for this? I ask
> because I plan to put another home router/firewall device (WRT54G)
> between me and the existing router (with the firewall functions
> enabled this time!), but I'd like to be able to check after I'm done
> that this sort of thing is no longer possible.

The only one I know of is here:
<http://bedatec.dyndns.org/ftpnat/test.html>

> But I am
> planning on adding the other router, like I said, so that I can enable
> the firewall function without losing the forwarding ability.

It is in fact very strange that the firewall blocks forwarded ports and
you're not able to switch that off any other way than disabling the
firewall altogether, because then the manufacturer wouldn't have cared
at all about security - are you sure you haven't missed anything?


Michael

Maniaque

Oct 11, 2007, 2:10:35 PM10/11/07
On Oct 11, 1:42 pm, Michael Ziegler <haettsteg...@hoster.invalid>
wrote:

> > Are there standard security scans for this? I ask
> > because I plan to put another home router/firewall device (WRT54G)
> > between me and the existing router (with the firewall functions
> > enabled this time!), but I'd like to be able to check after I'm done
> > that this sort of thing is no longer possible.
>
> The only one I know of is here:
> <http://bedatec.dyndns.org/ftpnat/test.html>
>

OK, now I'm REALLY interested:

--
Checking FTP-NAT for Router
Int.IP to check is 192.168.2.11,mine is 192.168.2.11
Port: 22 Result: 300 Port closed.
Port: 80 Result: 200 Port open. [Tao note: Intentional]
Port: 111 Result: 300 Port closed.
Port: 135 Result: 300 Port filtered.
Port: 137 Result: 300 Port filtered.
Port: 139 Result: 300 Port filtered.
Port: 445 Result: 300 Port filtered.
Port: 1900 Result: 300 Port closed.
Port: 3000 Result: 300 Port closed.
Port: 3389 Result: 300 Port closed.
Port: 5000 Result: IO error in Socket()
Port: 5800 Result: 200 Port open.
Port: 5801 Result: 300 Port closed.
Port: 5802 Result: 300 Port closed.
Port: 5900 Result: 200 Port open.
Port: 5901 Result: 300 Port closed.
Port: 5902 Result: 300 Port closed.
Port: 6000 Result: 300 Port closed.
Port: 47115 Result: 300 Port closed.


5800 and 5900 are NOT supposed to be open. They are the VNC ports.
This is exactly the flaw that I was looking for. I have entered my
router name so that they can add it to their list of "known
problematic" implementations.

Still, this test relies on the "Apparent FTP connection" that they
initiate in the applet - I guess I still need to have something nasty
on my machine that initiated a communication that looked like an FTP
session... Either that or they were able to pull the trick off with
the BitTorrent client like I proposed above? I feel I'm getting
closer, but still not all there.

Thanks so much for the link!
Tao

Maniaque

Oct 11, 2007, 2:25:17 PM10/11/07

> Still, this test relies on the "Apparent FTP connection" that they
> initiate in the applet - I guess I still need to have something nasty
> on my machine that initiated a communication that looked like an FTP
> session... Either that or they were able to pull the trick off with
> the BitTorrent client like I proposed above? I feel I'm getting
> closer, but still not all there.
>

Duh. This trick can obviously be pulled off by absolutely any page
that contains a Java applet!!!

That day I was in fact browsing on a couple of pretty shady sites (I'm
not sure how long I might have had one of these sites open, but I must
have had one open in the background when or not long before the attack
was initiated), and there we have it.

Wow that feels good. I now have a bunch of suggestions (from cross
posts linked below) for making my setup safe overall, AND I know
exactly what happened this time around and can work to prevent it.

Thanks again Michael, you've really made my day.
Tao

Maniaque

Oct 11, 2007, 2:27:23 PM10/11/07

Michael Ziegler

Oct 11, 2007, 3:51:42 PM10/11/07
Maniaque wrote:
> --
> Checking FTP-NAT for Router
> Int.IP to check is 192.168.2.11,mine is 192.168.2.11
> Port: 22 Result: 300 Port closed.
> Port: 80 Result: 200 Port open. [Tao note: Intentional]
> Port: 111 Result: 300 Port closed.
> Port: 135 Result: 300 Port filtered.
> Port: 137 Result: 300 Port filtered.
> Port: 139 Result: 300 Port filtered.
> Port: 445 Result: 300 Port filtered.
> Port: 1900 Result: 300 Port closed.
> Port: 3000 Result: 300 Port closed.
> Port: 3389 Result: 300 Port closed.
> Port: 5000 Result: IO error in Socket()
> Port: 5800 Result: 200 Port open.
> Port: 5801 Result: 300 Port closed.
> Port: 5802 Result: 300 Port closed.
> Port: 5900 Result: 200 Port open.
> Port: 5901 Result: 300 Port closed.
> Port: 5902 Result: 300 Port closed.
> Port: 6000 Result: 300 Port closed.
> Port: 47115 Result: 300 Port closed.

When I run the test on my setup (Linux client, accessing the internet
via a NAT on a linux machine), this is the result:

| Checking FTP-NAT for Router ubuntu
| Int.IP to check is 10.5.0.197,mine is 10.5.0.197
| Port: 22 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 80 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 111 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 135 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 137 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 139 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 445 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 1900 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 3000 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 3389 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 5000 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 5800 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 5801 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 5802 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 5900 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 5901 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 5902 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 6000 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 47115 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)


Just in case you're interested :)

Michael
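The two test outputs quoted in this thread (open VNC ports on the Xavi router, "PORT IP mismatch" on the Linux NAT) differ only in what happened to the address inside the FTP PORT command on its way through the router. The toy model below is an added example, not code from the thread or from the test site: it decodes a PORT command as defined in RFC 959, applies the server-side check that the address in the command must equal the peer of the control connection (the check that produces "500 Go away (PORT IP mismatch)" above and that FTP servers use to refuse bounce requests), and models what an FTP NAT helper does to the same command: rewrite the private address to the public one and record a pinhole to the inside host and port. With the helper active the server-side check passes and a pinhole to 5900 exists; with it disabled, as Tomato 1.11 allows later in the thread, the command is refused. The internal address 192.168.2.11 and port 5900 come from the thread; the public address 203.0.113.7 and the helper model are assumptions.

```python
"""Toy model of FTP PORT handling with and without an FTP NAT helper.

Added example, not from the thread or the test site. The helper model and
the public address are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode a PORT command into (ip, port); raises ValueError if malformed."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(b > 255 for b in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("byte out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not valid")
    return f"{h1}.{h2}.{h3}.{h4}", port


@dataclass
class Pinhole:
    """A temporary inbound mapping the router created on behalf of an inside host."""
    inside_ip: str
    port: int


def nat_helper_rewrite(line: str, inside_ip: str, public_ip: str) -> Tuple[str, Optional[Pinhole]]:
    """Model of an FTP NAT helper (assumption, not any specific router's code).

    If the PORT command names the inside host, rewrite the address to the
    public one so the server can reach it, and open a pinhole so the server's
    inbound data connection is forwarded to inside_ip:port. The helper cannot
    tell a real FTP client from anything else that writes 'PORT ...' on a
    connection to port 21, which is the weakness the thread discusses."""
    ip, port = parse_port_command(line)
    if ip != inside_ip:
        return line, None            # not our host; pass through untouched
    p1, p2 = divmod(port, 256)
    rewritten = "PORT " + ",".join(public_ip.split(".") + [str(p1), str(p2)])
    return rewritten, Pinhole(inside_ip, port)


def server_check_port(line: str, peer_ip: str) -> str:
    """Server-side check, as seen in the test output above.

    The address in the PORT command must equal the control connection's peer;
    otherwise the server refuses rather than connect to a third party."""
    ip, port = parse_port_command(line)
    if ip != peer_ip:
        return "500 Go away (PORT IP mismatch)."
    return f"200 PORT command successful; server would connect to {ip}:{port}"


def run_scenario(helper_enabled: bool) -> Tuple[str, Optional[Pinhole]]:
    """Replay the test's PORT command for the VNC port through a router with
    the FTP helper on or off, and return (server reply, pinhole created)."""
    inside_ip, public_ip = "192.168.2.11", "203.0.113.7"   # public IP is constructed
    cmd = "PORT 192,168,2,11,23,12"                        # 23*256 + 12 == 5900
    pinhole = None
    if helper_enabled:
        cmd, pinhole = nat_helper_rewrite(cmd, inside_ip, public_ip)
    # The server sees the connection arriving from the router's public address.
    return server_check_port(cmd, public_ip), pinhole


if __name__ == "__main__":
    for enabled in (True, False):
        reply, hole = run_scenario(enabled)
        print(f"helper {'on ' if enabled else 'off'}: {reply}  pinhole={hole}")
```

The "300 Port closed" and "200 Port open" results in the Xavi output correspond to the helper-on branch: the server accepted the PORT command and actually tried the data connection, which reached the inside host on the VNC port. The "400 PORT Error" lines from the Linux box correspond to the helper-off branch, where the private address was never rewritten.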

Maniaque

Nov 7, 2007, 5:07:08 AM11/7/07
On Oct 11, 2:51 pm, Michael Ziegler <haettsteg...@hoster.invalid>
wrote:

> When I run the test on my setup (Linux client, accessing the internet
> via a NAT on a linux machine), this is the result:
>
> | Checking FTP-NAT for Router ubuntu
> | Int.IP to check is 10.5.0.197,mine is 10.5.0.197
> | Port: 22 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 80 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 111 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 135 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 137 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 139 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 445 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 1900 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 3000 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 3389 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 5000 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 5800 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 5801 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 5802 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 5900 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 5901 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 5902 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 6000 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
> | Port: 47115 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
>
> Just in case you're interested :)
>

> Michael

Hi,

I found a pretty excellent firmware for my linksys WRT54G router,
called Tomato 1.10, but just like all the other WRT54G firmwares out
there it had the FTP NAT Helper turned on by default (compiled into
the kernel). After I explained the problem to the author, he kindly
made the FTP NAT Helper optional in the next version! As of version
1.11 I now get the same response as you:

Checking FTP-NAT for Router
Int.IP to check is 192.168.2.11,mine is 192.168.2.11

Port: 22 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
Port: 80 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
Port: 111 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)

...etc...

Thanks,
Tao

