The magic words....
"By luring victims to a malicious link".............
Paris because even she knows malicious links can get you in to a whole lot of trouble.
True - all you have to do is look for the word "malicious"
It's really amazing how many people forget this simple precaution and so needlessly fall victim to malicious links!
I bow to your superior knowledge. How do you know when a link is malicious before you visit it and get the pox?
Is it because you don't visit any links? Is it because you visit only websites that are impossible in the lifetime of the universe to be compromised?
I too am paranoid, but also know how ANY website can harbour mischief. ANY website can be compromised (even if not the server, then their DNS can be made to point elsewhere). The excuse that something ONLY works if you click a malicious link just means that someone has to place the link where you will click it... and you do click links somewhere.
sorry nurse, I'll take the pills now
Oh the porcinity!
Damn those evil sausages!
Even if the site itself and its DNS have not been compromised, the old "embed my moody exploit in an advert and tout it through the ad servers" ploy should do the trick quite nicely. Especially as he reckons that it can be made to work without anyone having to click anything.
The number of shonky ads circulating is probably the best reason for adblock these days.
Hardware firewall? Router? Gateway?
This is pretty basic and simple. FTP ports aren't blocked by default, being as they are a pretty much essential part of being able to use the internet for downloading material from servers/sites etc.
At this point, I begin to question: are we actually mistaking what we can actually do with the 'net, as designed, for something that's hacking, i.e. altering what is supposed to happen for something that isn't?
I'm pretty much sure, Dan, that you would be highly annoyed if your port 25 didn't work, that being your SMTP port, shared with your ISP, enabling you to get/send your email. Now if that was affected in any way, would you describe that as a hack, an ISP block attempt, or maybe a BUG/FLAW?
This would be news if it was something that happened naturally. Unfortunately, it's an artificially engineered situation, and as such has no shock or awe value; the novelty of hacking to create fear has been dissipated by its sheer abundance.
Here was me hoping that 2010 might be different from the last 4/5 years, seems that journalists don't seem to get bored with it, even if readers do.
I stopped using port 25 for SMTP years ago, heck I've not been using plain text e-mail for years too. Okay I know there is always the chance that SSH encrypted mail could be compromised and the security is only as good as its weakest link.
I dare say that this problem isn't because the routers run Linux, for starters, Linux is just the kernel. Could maybe be down to the default settings of how the router handles ports (can't remember name of the package, it's too early in the morning and I haven't had my McDonalds breakfast yet!)
Sure it's that simple?
"FTP ports aren't blocked by default, being as they are a pretty much essential part of being able to use the internet for downloading material from servers/sites etc."
Ok, then try connecting to any port on my machine and see what happens...
The firewall will allow _outgoing_ connections to the ports but not incoming -- unless, of course, I have an FTP server running and the port forwarded. In that case, without this exploit, you'd still not be able to connect to any other port.
Difficult to test
This is a little difficult to test, as I would need to have a second, independent Internet connection to test that a port is, in fact, open from the outside.
not a problem
A quick google for "open ports tester" or similar will find lots of web-based thingies that you can use to test.
Hope that helps, mine's a strong coffee with a large shot of something medicinal, in this weather.
Tested it on a Belkin. Belkins are utter shite so it comes as no surprise that it caved in so easily.
It works on BT Voyager 2110
20:45 (2) "jamie" jamie@catflap% te 184.108.40.206 555
20:45 (3) "jamie" jamie@catflap% te 220.127.116.11 555
telnet: connect to address 18.104.22.168: Connection refused
telnet: Unable to connect to remote host
Though I normally run with "forward all ports to 10.20.30.45" by default anyway, so I'm not bothered.
Could be bad for the windows users though!
20:49 (4) "jamie" jamie@catflap% te 22.214.171.124 22
Won't send login name and/or authentication information.
Connected to 126.96.36.199.
Escape character is '^]'.
Nothing on a BT Voyager 240
nothing new ?
Looks a lot like an attack already described in phrack #63, unless something new escaped me. This works fine against netfilter firewalls when admins are abusing the copy-n-paste from tutorials.
FF to the rescue once again....
NoScript we love you <3
NoScript is only as good as the person using it, and with its use becoming more prevalent, the blackhats will become ever more creative in finding ways of meat-hacking people into selecting that much-desired "Allow shitsite.com" option.
How come nobody ever thought of this MAJOR NAT vulnerability before?? Oh yeah, because, um, NATS ARE NOT FIREWALLS! Let's remember that Teredo and ISATAP are already giving world-addressable IPv6 addresses to our NAT'd machines.
Even though it isn't running on a "computer" it is still software that is getting foiled.
There ain't no such thing as a hardware firewall, except for one of those things that stops real burning fire from spreading from one area to another.
In network security parlance, a hardware firewall is usually a term used to describe a firewall that is tied to a particular piece of hardware, such as a PIX.
Checkpoint on the other hand can be run on a variety of platforms so can be considered a software firewall, but then people usually use this term to refer to client based firewalls so go figure :)
People sometimes use phrases which are not strictly semantically correct and yet remain common parlance. Ric Romero has more at 11.
It doesn’t work on my D-Link DGL-4300, but its application-level gateway (ALG) doesn’t even support IRC. I tried the suggested alteration for FTP, but couldn’t get it to work. That’s probably not too surprising. As Greg Oestreicher has pointed out, the attacks use some of the same concepts as those in Soungjoo Han’s piece in phrack #63. Han concludes that only a careless firewall would fall for the FTP-echo attack, even if it were packet-aligned.
At least my router makes up in security what it lacks in functionality. Its ALG has caused me more problems than it has solved. The options are all on by default and I needed to turn off both SIP and RTSP, after quite some head scratching. This is why NAT traversal using UPnP is a slightly better fudge.
So simply put
He sent an HTTP request which the NAPT interprets as IRC. That should be possible to patch.
The best solution, obviously, would be to move to IPv6 where you don't have any false security concerning incoming connections.
NAT != firewall
Firewall != security (especially for badly configured values of firewall)
The above is something I have tried to smack into people who should know better many times over the years. Even my government employer takes this stupid approach of assuming that blocking internet traffic on most ports makes it safe. People seem to forget that once something is breached, the outer perimeter doesn't stop anything.
IE8 will protect you
The test page errors in IE8 :)
Tested on my trusty Netgear DG834, no penetration.
It does not work on my router (Linksys by Cisco WAG160N). Linksys routers are safe! :D
Somehow I feel cheated :(
Block your unused ports in BOTH directions
Title says it all really. You should configure your firewall so that it will only allow traffic on ports that you know you need. Especially in Windows-land, many people seem to view a firewall as a one-way system that stops the bad stuff OUTSIDE getting INSIDE. It also works the other way. Most people at home only need ports 80, 443, 25, 53 and a couple of others (POP/IMAP?) open. All other ports should be closed off so that if your machine does try and send anything out, it won't actually get very far.
In short, do not assume your internal network can do no wrong. Of course, this isn't a magic bullet but it would go a long way to restricting this kind of stuff, along with stopping the spread of zillions of other viruses and worms.
Tell me do
I have limited my 3Com firewall with NAT to only allow HTTP connections on port 80 and HTTPS on 443.
So how come my kids still manage to use instant messaging apps like those that come with MSN, Facebook, Web Messenger, etc on their windose machines ?
Is all this [IRC/ICMP traffic ?] being run over port 80 at the router ?
File and Printer Sharing is disabled in Services on each machine, as is FTP and TELNET. Can they be turned on surreptitiously by such an exploit?
Is my router still vulnerable to the exploit ?
Something's not right
Only allowing ANY connections to 80 and 443? If so then you almost certainly would not be able to browse the internet. You need to allow UDP (and sometimes TCP) port 53 also for DNS. As this would not seem to be the case then this suggests you've not locked your router down as much as you think you have.
ICMP is a protocol and not a service, and most ICMP stuff can be blocked without causing problems (you might need to allow 'time' - I think some SMTP servers can have issues if this is blocked, but I may have got this wrong - I don't have the necessary info at hand). Generally, you need to set your TCP, UDP and ICMP firewall rules separately.
All sounds fine
Most routers work as the DNS server for the network anyway, and nobody said anything about blocking the *router's* access to port 53. Facebook chat and webmessenger are both web apps that run entirely over 80/443. MSN itself can be proxied over port 80, and possibly just sets itself up to do this if necessary.
Can't see any benefit in blocking outgoing ports whatsoever myself - if I was going to write something malicious I'd already have written it to use port 80 so I could run it through corporate firewalls
"Can't see any benefit in blocking outgoing ports whatsoever myself"
You don't see any need to prevent internal network data from leaking out onto the internet? An interesting point of view.
Leaving aside the very obvious security considerations for now, it is this thinking that has resulted in the small but significant amount of noise on the internet at large, consisting of stuff like Windows broadcast requests searching for other machines (which it will never find), and other stray broadcast message. All of these messages should never leak out; they should be contained on the local network. And before you say "it doesn't matter", well, yes it does! It wastes bandwidth and causes load on other internet-based kit that has to deal with this stuff.
And contrary to what you say, many exploits rely on ports other than 80 being open.
"Only allowing ANY connections to 80 and 443? If so then you almost certainly would not be able to browse the internet. You need to allow UDP (any sometimes TCP) port 53 also for DNS."
For most home NAT-based routers, you do NOT need to allow UDP/TCP 53 for DNS to pass through, because they contain their own DNS server, which will make the external requests.
Easy to check: run ipconfig /all or whatever command your OS uses to enumerate DNS servers. If the only DNS server listed is the ip address of your router, then it is running a server, and UDP/TCP 53 does not need to be opened.
Simple message ...
No end of locks on a door will stop people coming in through open windows ( pun wasn't intended ! ).
People need reminding that things are often not as secure as they think they are. I'm often smugly told by certain fanbois that their network is more secure than mine because its firewall is stateful and won't let traffic in which wasn't initiated outbound. When asked how this prevents rogue applications and malware on their system from establishing such an outbound connection the naive answer is this simply will never happen ;-)
I have a software firewall running on my PC which lets me control which applications are making connections or being connected to, but I know that doesn't protect me from anything which piggybacks onto something I have to allow, such as browsers to port 80.
The only secure PC I have is the one in a cupboard which isn't powered up.
"People need reminding"
They certainly do.
I was working in the City a few years back and a server chap boasted how he had an uber-secure linux system at home that was uncrackable. So myself and the Security bod decided to take up his little challenge.
We were helped by the fact he decided to leave his laptop unlocked that lunch-time it has to be said.
When he got back from lunch we told him we'd put a little hello file from both of us in his root directory, whereupon he immediately VPN'd to his home device to check. The key-logger we had installed was busy sending us info which my compatriot was using to perform the deed whilst I chatted to the numpty.
Needless to say he was a bit miffed when he found a little text file in his root directory (he didn't even check the timestamp (which was about 3 seconds before-hand)).
We didn't let him know how we'd done it for three glorious days, and he didn't have much hair to start with. When we finally put him out of his misery he claimed we had cheated !
Ah, heady days :D
How's that cheating?
I'd call it a nice bit of social engineering. Nicely played on Linux gimp ego and vanity to get his info. No point whining about cheating; security's there because people cheat, after all!
Which is precisely why we twat-dangled him for three days :)
Doesn't work on my ancient and obsolete D-Link DI-704P. I guess reading the instructions and understanding how it works was worth the effort, huh?
I'm sure I've shagged her?
Why the 'fox logo?
Are you trying to insinuate that this is in some way a FF/Mozilla bug? Why not an IE logo, or are the MS lawyers too dangerous? At the moment a glance at the headline gives the impression that FF is the source of this vulnerability and that is manifestly not the case; please change it.
Not working on my Draytek Vigor 2600
Belkin 0 - Draytek 1
You gets what you pays for.
The exploit works on my Draytek 2950.
"By luring victims to a malicious link..."
and then later:
"...visit this link..."
Reminds me of downloading MS updates through IE, and the prompt that says "Only install this software if you trust the publisher, Microsoft"... That one always gave me pause...
I rather like this little attack, which would fail on my linux router because I haven't installed the IRC connection tracker, ftp would do though.
What the article failed to mention is that all 3 protocols (IRC, FTP, SIP) use 2 or more connections, where the second connection ports are negotiated in the first connection. NAT lets the first connection go because it's outbound, and very few people drop outbound connections by default.
The feature getting abused here is the one routers use to look at traffic in the original connection to find information about the second connection, so the router can create NAT table entries for it. What this shows is that if you can control one end of the management connection for any of those 3 services, you can probably open arbitrary ports through the NAT to whatever host you've got the connection with on the inside. Opening ports to other hosts would be unlikely with this particular attack, but of course once you've compromised one host within the LAN, the rest are free for the taking.
What this all comes back to is: host-based firewalls aren't just for paranoid nutjobs any more! Defense in depth is your friend; don't rely on any one form of protection for anything you consider to be valuable.
But people will never learn that.
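The connection-tracking behaviour the comment above describes, as an added Python model (not code from this thread or from any router vendor): the ALG reads the announced address/port out of a control connection and opens a NAT pinhole for it, only the connecting host can be named, and a host firewall still has to let the packet through. The ports 21/6667, the same-host rule, the host-firewall set and all addresses are constructed assumptions for the model.

```python
"""Toy model of NAT connection tracking with an FTP/IRC application-level
gateway (ALG).  Illustrative only; not any router's real implementation."""
import re
from dataclasses import dataclass, field

FTP_PORT = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
IRC_DCC = re.compile(r"DCC CHAT chat (\d+) (\d+)")   # IP as a 32-bit integer

def parse_announced_endpoint(payload: str):
    """Return the (ip, port) a control-channel payload announces for the
    second connection, or None if it carries no such command.  The ALG does
    not know or care which application actually produced these bytes."""
    if m := FTP_PORT.search(payload):
        h = [int(x) for x in m.groups()]
        return ".".join(map(str, h[:4])), h[4] * 256 + h[5]
    if m := IRC_DCC.search(payload):
        n, port = int(m.group(1)), int(m.group(2))
        return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0)), port
    return None

@dataclass
class NatRouter:
    # (internal_ip, port) pairs that unsolicited inbound packets may reach.
    pinholes: set = field(default_factory=set)

    def inspect_outbound(self, internal_ip: str, dst_port: int, payload: str) -> bool:
        """ALG hook on an outbound control connection to an assumed FTP (21)
        or IRC (6667) port.  Returns True if a pinhole was opened."""
        if dst_port not in (21, 6667):
            return False
        ep = parse_announced_endpoint(payload)
        # Hypothetical same-host rule: refuse announcements naming any host
        # other than the one that made the connection, which is why the
        # comment expects only the connecting host to be exposed.
        if ep is None or ep[0] != internal_ip:
            return False
        self.pinholes.add(ep)
        return True

    def accept_inbound(self, internal_ip: str, port: int) -> bool:
        return (internal_ip, port) in self.pinholes

def reachable(router: NatRouter, host_fw_open: set, ip: str, port: int) -> bool:
    """Defence in depth: an inbound packet must pass both the NAT pinhole and
    the host's own firewall (host_fw_open = ports that firewall allows)."""
    return router.accept_inbound(ip, port) and port in host_fw_open

if __name__ == "__main__":
    r = NatRouter()   # constructed: client 192.168.1.100 announces its own port 445
    r.inspect_outbound("192.168.1.100", 6667, "DCC CHAT chat 3232235876 445\r\n")
    print(r.pinholes, reachable(r, {80}, "192.168.1.100", 445))
```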
Eh, sorry... but I would like to point out that this is not exactly a new thing... See Phrack Volume 0x0c, Issue 0x41, Phile #0x05 of 0x0f, which was released on April 12th 2008; it was already covered...
How about Double-NATing?
From the description, it sounds like putting a second router behind the first (i.e. drag that old wireless router & n-port switch out of the closet, turn its wireless off, and put it out in front of your present router) might block this exploit.