<<< Date Index >>>     <<< Thread Index >>>

Visualroute Server - reverse tracerouting



Vendor Response follows...
 ------------------------------------------------------------------
           - EXPL-A-2003-025 exploitlabs.com Advisory 025
 ------------------------------------------------------------------
                     -= Visualroute Server =-


 Donnie Werner
 Oct 1, 2003


 Vunerability(s):
 ----------------
 1. reverse tracerouting

 fingerprinting / discovery vunerability
 allowing intranet ( LAN ) mapping by way
 of Visualroute servers being
 accessed from the internet ( WAN )

 Product:
 --------
 http://www.visualware.com/personal/demo/index.html

 Reviews:
 -------- http://www.visualware.com/company/pressroom/coverage.html

 Description of product:
 -----------------------
 VisualRoute Server adds Web server functionality so that  multiple users
 can easily access the server via a Web browser,  regardless of their
 location.
 Traces originate from the VisualRoute Server system
  and may be run back to the end-user location or to
  any other IP address or Web server.



 VUNERABILITY / EXPLOIT
 ======================
 the core issue here is that by specififying an internal ip
 such as 192.168.0.*, 10.*.*.*, or 172.18.18.*
 or any other reserved ( private ) address you are
 able to map the internal lan structure via an external
 ( WAN ) address from the internet.


 standard trace route example:
 ------------------------------

 standard traceroute server request

 requesting a trace to from exploitlabs.com
 to a Visualroute Server we may see..

 output..

 12.230.0.205 ( exploitlabs.com )
 12.244.x.5 - isp router
 24.x.200.x - target isp router
 24.x.240.2 - target

 destination reached in bla seconds - complete
 packet loss 0%

 now on a Visualroute Server the originating
 trace begins at the target server, traces through
 routers to dest.

 so for example asking a server running Visualroute Server
 the same request we get

 24.x.240.2 - target ip
 24.x.200.x - target isp router
 12.244.x.5 - isp router
 12.230.0.205 ( exploitlabs.com )

 let us now assume the same target/Visualroute Server
  is behind a router/switch with port forwarding to the  Visualroute
 Server daemon

 192.168.0.2 - target originating system
 192.168.0.1 - target router / switch
 24.x.200.x  - target ip
 24.x.240.2  - target isp router
 12.244.x.5  - isp router
 12.230.0.205 ( exploitlabs.com )

 now we can discover the lan topology
  the traceroure was initiated from,
  as the origin of the trace is internal
  to the originating Visualroute Server


 Local:
 ------
 possibly

 Remote:
 -------
 yes

 Vendor Fix:
 -----------
 No fix on 0day


 Vendor Contact:
 ---------------
 Concurrent with this advisory
  sales@xxxxxxxxxxxxxx
 see below in this post

 Credits:
 --------
 Donnie Werner
 CTO E2 Labs
 morning_wood@xxxxxxxxxxx
 http://www.e2-labs.com
 http://nothackers.org - home of the 0day Security List


VENDOR RESPONSE
------------------------

> ----- Original Message -----
> From: "Julie Lancaster" <julie.lancaster@xxxxxxxxxxxxxx>
> To: "'morning_wood'" <se_cur_ity@xxxxxxxxxxx>
> Sent: Wednesday, October 01, 2003 8:42 PM
> Subject: RE: Visualroute Server - reverse tracerouting
>
>
> Hello,
>
> VisualRoute Server has a security option to prevent traces to secure IP
> addresses:
>
> Preventing traces to Secure IP Addresses: To prevent a VisualRoute trace
> to a particular IP address (or range of IP addresses), edit the
> .\data\user\secure.txt text file (a file you must create). Each line in
> this file is "cidr-address,x". For example, here is an example
> secure.txt file that secures two IP ranges:
>
> 198.242.57/24,x
> 201.109/16,x
>
> If there is an attempt to trace directly to any secure IP in this list,
> it will be treated like a DNS error (does not exist). If the IP address
> shows up in a trace, it will be replaced by the 'x' in the line
> definition.
>
> Regards,
> Julie Lancaster
>
> Visualware Inc. - Internet Security and Performance Tools
> www.visualware.com
>

> -----Original Message-----
> From: morning_wood [mailto:se_cur_ity@xxxxxxxxxxx]
> Sent: Wednesday, October 01, 2003 12:47 PM
> To: julie.lancaster@xxxxxxxxxxxxxx
> Subject: Re: Visualroute Server - reverse tracerouting
>
>
> Julie, thank you very much for the info
> and the timely response, did i miss it in the readme ?
>
> Donnie Werner
> CTO e2 labs
> http://e2-labs.com/about.htm
>
> ----- Original Message -----
> From: "Julie Lancaster" <julie.lancaster@xxxxxxxxxxxxxx>
> To: "'morning_wood'" <se_cur_ity@xxxxxxxxxxx>
> Sent: Wednesday, October 01, 2003 10:25 PM
> Subject: RE: Visualroute Server - reverse tracerouting
>
>
> Hello,
>
> The information is in the on-line manual, not the readme. You may find
> it right above the Host/Port section at this link,
> http://www.visualware.com/manuals/visualroute/manual.html#hostport.
>
> We provide the security option, but it is the responsibility of the
> administrator to set the security for their requirements.
>
> Regards,
> Julie Lancaster
>
> Visualware Inc. - Internet Security and Performance Tools
> www.visualware.com
>


----- Original Message -----
From: "morning_wood" <se_cur_ity@xxxxxxxxxxx>
To: <julie.lancaster@xxxxxxxxxxxxxx>
Sent: Wednesday, October 01, 2003 11:02 PM
Subject: Re: Visualroute Server - reverse tracerouting


> my apology, but this...
>
> -------------- snip ----------------
> Preventing traces to Secure IP Addresses: To prevent a VisualRoute trace
to
> a particular IP address (or range of IP addresses), edit the
> .\data\user\secure.txt text file (a file you must create). Each line in
this
> file is "cidr-address,x". For example, here is an example secure.txt file
> that secures two IP ranges
> ------------- snip ------------------
>
> should possibly suggest LAN  ip address ranges as the info
> provided is quite cluless as to even a seasoned admin
> i can bet in 99% of users they are just as cluless as the description
> itself is. i point out that even your list of servers at
> http://www.visualware.com/personal/demo/index.html
> *most* are vunerable to this exact attack.
>
> Donnie Werner
> CTO e2-labs.com