Bugtraq mailing list archives
Visualroute Server - reverse tracerouting
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Thu, 2 Oct 2003 16:38:06 +0530
Vendor Response follows... ------------------------------------------------------------------ - EXPL-A-2003-025 exploitlabs.com Advisory 025 ------------------------------------------------------------------ -= Visualroute Server =- Donnie Werner Oct 1, 2003 Vunerability(s): ---------------- 1. reverse tracerouting fingerprinting / discovery vunerability allowing intranet ( LAN ) mapping by way of Visualroute servers being accessed from the internet ( WAN ) Product: -------- http://www.visualware.com/personal/demo/index.html Reviews: -------- http://www.visualware.com/company/pressroom/coverage.html Description of product: ----------------------- VisualRoute Server adds Web server functionality so that multiple users can easily access the server via a Web browser, regardless of their location. Traces originate from the VisualRoute Server system and may be run back to the end-user location or to any other IP address or Web server. VUNERABILITY / EXPLOIT ====================== the core issue here is that by specififying an internal ip such as 192.168.0.*, 10.*.*.*, or 172.18.18.* or any other reserved ( private ) address you are able to map the internal lan structure via an external ( WAN ) address from the internet. standard trace route example: ------------------------------ standard traceroute server request requesting a trace to from exploitlabs.com to a Visualroute Server we may see.. output.. 12.230.0.205 ( exploitlabs.com ) 12.244.x.5 - isp router 24.x.200.x - target isp router 24.x.240.2 - target destination reached in bla seconds - complete packet loss 0% now on a Visualroute Server the originating trace begins at the target server, traces through routers to dest. so for example asking a server running Visualroute Server the same request we get 24.x.240.2 - target ip 24.x.200.x - target isp router 12.244.x.5 - isp router 12.230.0.205 ( exploitlabs.com ) let us now assume the same target/Visualroute Server is behind a router/switch with port forwarding to the Visualroute Server daemon 192.168.0.2 - target originating system 192.168.0.1 - target router / switch 24.x.200.x - target ip 24.x.240.2 - target isp router 12.244.x.5 - isp router 12.230.0.205 ( exploitlabs.com ) now we can discover the lan topology the traceroure was initiated from, as the origin of the trace is internal to the originating Visualroute Server Local: ------ possibly Remote: ------- yes Vendor Fix: ----------- No fix on 0day Vendor Contact: --------------- Concurrent with this advisory sales () visualware com see below in this post Credits: -------- Donnie Werner CTO E2 Labs morning_wood () e2-labs com http://www.e2-labs.com http://nothackers.org - home of the 0day Security List VENDOR RESPONSE ------------------------
----- Original Message ----- From: "Julie Lancaster" <julie.lancaster () visualware com> To: "'morning_wood'" <se_cur_ity () hotmail com> Sent: Wednesday, October 01, 2003 8:42 PM Subject: RE: Visualroute Server - reverse tracerouting Hello, VisualRoute Server has a security option to prevent traces to secure IP addresses: Preventing traces to Secure IP Addresses: To prevent a VisualRoute trace to a particular IP address (or range of IP addresses), edit the .\data\user\secure.txt text file (a file you must create). Each line in this file is "cidr-address,x". For example, here is an example secure.txt file that secures two IP ranges: 198.242.57/24,x 201.109/16,x If there is an attempt to trace directly to any secure IP in this list, it will be treated like a DNS error (does not exist). If the IP address shows up in a trace, it will be replaced by the 'x' in the line definition. Regards, Julie Lancaster Visualware Inc. - Internet Security and Performance Tools www.visualware.com
-----Original Message----- From: morning_wood [mailto:se_cur_ity () hotmail com] Sent: Wednesday, October 01, 2003 12:47 PM To: julie.lancaster () visualware com Subject: Re: Visualroute Server - reverse tracerouting Julie, thank you very much for the info and the timely response, did i miss it in the readme ? Donnie Werner CTO e2 labs http://e2-labs.com/about.htm ----- Original Message ----- From: "Julie Lancaster" <julie.lancaster () visualware com> To: "'morning_wood'" <se_cur_ity () hotmail com> Sent: Wednesday, October 01, 2003 10:25 PM Subject: RE: Visualroute Server - reverse tracerouting Hello, The information is in the on-line manual, not the readme. You may find it right above the Host/Port section at this link, http://www.visualware.com/manuals/visualroute/manual.html#hostport. We provide the security option, but it is the responsibility of the administrator to set the security for their requirements. Regards, Julie Lancaster Visualware Inc. - Internet Security and Performance Tools www.visualware.com
----- Original Message ----- From: "morning_wood" <se_cur_ity () hotmail com> To: <julie.lancaster () visualware com> Sent: Wednesday, October 01, 2003 11:02 PM Subject: Re: Visualroute Server - reverse tracerouting
my apology, but this... -------------- snip ---------------- Preventing traces to Secure IP Addresses: To prevent a VisualRoute trace
to
a particular IP address (or range of IP addresses), edit the .\data\user\secure.txt text file (a file you must create). Each line in
this
file is "cidr-address,x". For example, here is an example secure.txt file that secures two IP ranges ------------- snip ------------------ should possibly suggest LAN ip address ranges as the info provided is quite cluless as to even a seasoned admin i can bet in 99% of users they are just as cluless as the description itself is. i point out that even your list of servers at http://www.visualware.com/personal/demo/index.html *most* are vunerable to this exact attack. Donnie Werner CTO e2-labs.com
Current thread:
- Visualroute Server - reverse tracerouting morning_wood (Oct 02)