Dan Kaminsky
Director of Penetration Testing
IOActive, Inc.
(end of the preceding AbyssPrint result slide: … NATted [200 PORT 2,3,4,5,100,203]; Normal FTP Transaction, Real IP, Lowercase: timeout)
AbyssPrint Demo: Unknown Device
(the bracketed 200 PORT … text is the reply from the far end, showing the PORT argument as it arrived through the ALG)
• Normal FTP Transaction, Real IP: NATted [200 PORT 3,4,5,6,39,206]
• No-Login FTP Transaction, Real IP: NATted [200 PORT 3,4,5,6,39,208]
• Missing TYPE I FTP Transaction, Real IP: NATted [200 PORT 3,4,5,6,39,210]
• Normal FTP Transaction, Wrong IP: ignored
• No-Login FTP Transaction, Wrong IP: ignored
• Normal FTP Transaction, Bad IP: timeout
• No-Login FTP Transaction, Bad IP: NATted [200 PORT FOO,100,200]
• Normal FTP Transaction, Real IP, Pre-Space: ignored
• Normal FTP Transaction, Real IP, Post-Space: timeout
• Normal FTP Transaction, Real IP, Space to Multispace: timeout
• Normal FTP Transaction, Real IP, Space to Tab: NATted [200 PORT 3,4,5,6,39,220]
• Normal FTP Transaction, Real IP, Lowercase: timeout
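The probe list above is a fingerprinting matrix: the same PORT command is mutated (no login, no TYPE I, foreign or broken address, whitespace and case changes) and the ALG's reaction to each mutation identifies the device. The following is an added example, not the AbyssPrint code from the talk: it generates that mutation set, labels the far end's reply, and runs the set through a caller-supplied transport. The reply format ("200 PORT <argument as received>"), the credentials, the foreign address 192.0.2.77 and the `model_alg` stand-in for a live device are all assumptions made for this example.

```python
import re
from typing import Callable, Dict, List, Optional

# Assumed reply format: the far-end test server answers PORT with
# "200 PORT <argument exactly as received>", as in the result list above.
REPLY_RE = re.compile(r"^200 PORT (.*)$")


def port_arg(ip: str, port: int) -> str:
    """h1,h2,h3,h4,p1,p2 encoding of the PORT argument (RFC 959)."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def probe_variants(real_ip: str, port: int) -> Dict[str, List[str]]:
    """Control-channel command sequences, one per probe.  'Real IP' is the
    client's pre-NAT address, 'Wrong IP' a valid but foreign address
    (192.0.2.77 from TEST-NET-1, picked for this example), 'Bad IP' a
    syntactically broken argument."""
    login = ["USER anonymous", "PASS probe@example.invalid"]  # constructed
    normal = login + ["TYPE I"]
    real = port_arg(real_ip, port)
    wrong = port_arg("192.0.2.77", port)
    bad = "FOO,100,200"
    return {
        "Normal, Real IP": normal + [f"PORT {real}"],
        "No-Login, Real IP": [f"PORT {real}"],
        "Missing TYPE I, Real IP": login + [f"PORT {real}"],
        "Normal, Wrong IP": normal + [f"PORT {wrong}"],
        "No-Login, Wrong IP": [f"PORT {wrong}"],
        "Normal, Bad IP": normal + [f"PORT {bad}"],
        "No-Login, Bad IP": [f"PORT {bad}"],
        "Normal, Real IP, Pre-Space": normal + [f" PORT {real}"],
        "Normal, Real IP, Post-Space": normal + [f"PORT {real} "],
        "Normal, Real IP, Space to Multispace": normal + [f"PORT  {real}"],
        "Normal, Real IP, Space to Tab": normal + [f"PORT\t{real}"],
        "Normal, Real IP, Lowercase": normal + [f"port {real}"],
    }


def classify(sent_cmd: str, reply: Optional[str]) -> str:
    """Label one probe: timeout, rewritten (the ALG touched the argument),
    or unchanged (the argument arrived exactly as sent)."""
    if reply is None:
        return "timeout"
    m = REPLY_RE.match(reply)
    if not m:
        return f"other [{reply}]"
    parts = sent_cmd.split(None, 1)
    sent_arg = parts[1].strip() if len(parts) > 1 else ""
    delivered = m.group(1).strip()
    return f"unchanged [{reply}]" if delivered == sent_arg else f"rewritten [{reply}]"


def fingerprint(real_ip: str, port: int,
                transport: Callable[[List[str]], Optional[str]]) -> Dict[str, str]:
    """Run every variant through `transport`, a function that plays the
    command sequence and returns the reply to its last command (None on
    timeout).  Against a live target this would drive a real control channel."""
    return {name: classify(cmds[-1], transport(cmds))
            for name, cmds in probe_variants(real_ip, port).items()}


def model_alg(nat_ip: str, real_ip: str) -> Callable[[List[str]], Optional[str]]:
    """Constructed stand-in for a live session: a naive ALG that rewrites
    only a canonical 'PORT <real_ip>,...' line, stalls on anything whose
    verb is not exactly 'PORT ' and passes other arguments through untouched."""
    prefix = real_ip.replace(".", ",") + ","

    def transport(cmds: List[str]) -> Optional[str]:
        cmd = cmds[-1]
        if not cmd.startswith("PORT "):
            return None
        arg = cmd[5:]
        if arg.startswith(prefix):
            p1, p2 = arg.split(",")[4:6]
            return f"200 PORT {port_arg(nat_ip, (int(p1) << 8) | int(p2))}"
        return f"200 PORT {arg}"
    return transport
```

The label vocabulary (timeout / rewritten / unchanged) is this example's own; the slide's "NATted" and "ignored" are the talk's labels for the same observations. A real run replaces `model_alg` with a function that opens the control channel through the device under test and returns the echo server's reply.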
AbyssPrint: Easy to see transparent proxies (just look for extra headers)
• HTTP 1.0 Request For www.doxpara.com (port 80): Transparent Proxy Detected
…
• Content-Length: 269
• Content-Type: text/html
• X-Cache: MISS from deluvian.doxpara.com
• Via: 1.0 deluvian.doxpara.com (squid/3.0.STABLE13)
• (Client->Server) Via: 1.0 deluvian.doxpara.com (squid/3.0.STABLE13)
• (Client->Server) X-Forwarded-For: 5.6.7.8
• (Client->Server) Host: www.doxpara.com
• (Client->Server) Cache-Control: max-age=259200
• (Client->Server) Connection: keep-alive
Takeaways[0]
• 1) No really, you need to patch your infrastructure
– Vendors, that means you need to fuzz your products before you ship them, and increasingly get ready to ship emergency patches
– IT Purchasing, buy stuff that won't leave your staff holding the bag
– IT Ops, take your existing policies for how you'd handle a critical patch on a domain controller, and apply them to your various inspectors (ALGs, DPI boxes, transparent proxies)
Takeaways[1]
• Cross-Organizational Risk
– DPI technologies in general are pretty risky to deploy across organizational boundaries
• At least active ones are
– The simple reality is they always expose more functionality than you think they do
– See the Toorcon talk last year from Jason Larsen and me
– Two ad networks control the security of every website for major ISPs? Really?
Fixing Sockets?
• According to firewall vendors, limiting ports isn't interesting to them
– They're making all their filters no longer care what port something is sent on
– Also can't just pull every socket app out there
• Possible fix: ALG the Policy Retrieval
– There's a policy retrieval step in Flash (the socket policy file request) that has to succeed before a socket is allowed to work
– Have the firewall inform the plugin that it's there, and that all sockets should use inline policy
• Begin each TCP session with a policy request, have the policy returned with each socket (obviously with no other ALG allowed on that socket)
• Does require some translation of existing policies
– Biggest challenge: three different plugins have three different socket policy engines. Java uses reverse DNS; Flash and Silverlight use similar cross-domain.xml files
• This should really be cleaned up
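The "policy retrieval in Flash" the fix builds on is a small fixed exchange: before a raw Socket connect, Flash Player sends `<policy-file-request/>` plus a NUL byte to the socket policy port (843), reads a `<cross-domain-policy>` document terminated by NUL, and only then decides whether the origin domain may talk to the requested port. An inline firewall ALG would have to perform the same request and evaluate the same rules. The block below is an added example, not code from the talk or from Adobe: it plays the exchange end to end over a local socketpair and evaluates the policy. The policy file contents, hostnames and port numbers are constructed for the example, and the wildcard matching follows the `*` / `*.example.com` convention of those policy files.

```python
import socket
import threading
import xml.etree.ElementTree as ET
from typing import List, Tuple

POLICY_REQUEST = b"<policy-file-request/>\0"   # what the plugin sends to port 843

# Constructed policy of the kind a socket policy server returns (NUL-terminated).
SAMPLE_POLICY = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" to-ports="5222,8000-8010"/>
  <allow-access-from domain="static.example.net" to-ports="*"/>
</cross-domain-policy>\0"""

Rules = List[Tuple[str, List[Tuple[int, int]]]]


def parse_policy(raw: bytes) -> Rules:
    """Return [(domain pattern, [(lo, hi), ...])]; to-ports="*" becomes (1, 65535)."""
    root = ET.fromstring(raw.rstrip(b"\0"))
    rules: Rules = []
    for el in root.findall("allow-access-from"):
        ranges = []
        for item in el.get("to-ports", "").split(","):
            item = item.strip()
            if item == "*":
                ranges.append((1, 65535))
            elif "-" in item:
                lo, hi = item.split("-", 1)
                ranges.append((int(lo), int(hi)))
            elif item:
                ranges.append((int(item), int(item)))
        rules.append((el.get("domain", ""), ranges))
    return rules


def domain_matches(pattern: str, host: str) -> bool:
    """'*' matches anything; '*.example.com' matches the domain and its subdomains."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern


def policy_allows(rules: Rules, origin_host: str, port: int) -> bool:
    return any(domain_matches(dom, origin_host) and any(lo <= p <= hi for lo, hi in ranges)
               for dom, ranges in rules for p in [port])


def serve_policy(conn: socket.socket, policy: bytes) -> None:
    """Minimal policy server: answer exactly one request on an accepted connection."""
    buf = b""
    while not buf.endswith(b"\0"):
        chunk = conn.recv(64)
        if not chunk:
            break
        buf += chunk
    if buf == POLICY_REQUEST:
        conn.sendall(policy)
    conn.close()


def fetch_policy(sock: socket.socket) -> bytes:
    """Client side of the exchange: send the request, read up to the NUL."""
    sock.sendall(POLICY_REQUEST)
    buf = b""
    while not buf.endswith(b"\0"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def check_socket_connect(origin_host: str, port: int, policy: bytes = SAMPLE_POLICY) -> bool:
    """Play the exchange over a socketpair (no network) and decide as the
    plugin, or an inline firewall ALG, would before letting the socket through."""
    client, server = socket.socketpair()
    t = threading.Thread(target=serve_policy, args=(server, policy))
    t.start()
    raw = fetch_policy(client)
    client.close()
    t.join()
    return policy_allows(parse_policy(raw), origin_host, port)
```

Note what the firewall gets for free once it owns this step: the decision is made from a domain and a port, which is exactly the granularity the "ports don't matter" filters above have given up on, so the translation work the slide mentions is turning those existing port rules into per-origin `to-ports` entries.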
Fixing Proxies
• This is a more tractable problem
– At minimum, keep the transparent proxy from being used to reach internal resources
• Can be done in the rewriting engine
• Can also be done with Proxy Autoconfiguration Scripts
• Updating cache policy
– Existing policies
• Trust client supplied IP, cache on IP/Host
• Ignore client supplied IP, cache on Host
• Trust client supplied IP, cache on Host
– New policy, from myself, Robert Auger, and Amit Klein
• Trust client supplied IP, return content immediately, cache only after DNS lookup
– If the IP from the client shows up in the DNS answer for the Host, allow caching
– Somewhat reduced hit rate, but pretty good (weird CDN bugs aside)
• Proxy chaining makes this a little tricky
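The difference between the four cache policies is easiest to see by running the same poisoning attempt through each: the attacker opens a connection to an IP he controls, puts a victim's name in the Host header, and then waits for a real user to ask the proxy for that Host. The following is an added example, not the talk's or any proxy vendor's code: an in-memory transparent proxy that implements each policy, with the origin servers and DNS replaced by constructed tables (documentation-range addresses). The DNS check in the new policy is done synchronously here; the slide's "return content immediately" ordering only changes when the cache write happens, not the outcome.

```python
from typing import Dict, Set, Tuple

# Constructed world: what each (origin IP, Host header) pair would serve,
# and what DNS says about the Host.
ORIGINS: Dict[Tuple[str, str], str] = {
    ("198.51.100.10", "www.victim.example"): "legit page",
    ("203.0.113.66", "www.victim.example"): "ATTACKER CONTENT",
}
DNS: Dict[str, Set[str]] = {"www.victim.example": {"198.51.100.10"}}

POLICIES = ("trust-ip/cache-ip+host", "ignore-ip/cache-host",
            "trust-ip/cache-host", "trust-ip/cache-after-dns")


def fetch_origin(ip: str, host: str) -> str:
    return ORIGINS.get((ip, host), "404")


class TransparentProxy:
    """One intercepting proxy with a single cache shared by all clients."""

    def __init__(self, policy: str):
        if policy not in POLICIES:
            raise ValueError(policy)
        self.policy = policy
        self.cache: Dict[Tuple[str, ...], str] = {}

    def request(self, client_dst_ip: str, host: str) -> str:
        """client_dst_ip is where the client's TCP connection was actually
        headed; host is the Host header the client put in the request."""
        if self.policy == "ignore-ip/cache-host":
            # the proxy resolves Host itself and never uses the client's IP
            origin_ip = sorted(DNS.get(host, {client_dst_ip}))[0]
        else:
            origin_ip = client_dst_ip
        key = (client_dst_ip, host) if self.policy == "trust-ip/cache-ip+host" else (host,)
        if key in self.cache:
            return self.cache[key]
        body = fetch_origin(origin_ip, host)
        if self.policy != "trust-ip/cache-after-dns" or origin_ip in DNS.get(host, set()):
            # the new policy hands the body back regardless, but only
            # caches once DNS confirms the IP really belongs to Host
            self.cache[key] = body
        return body


def poisoning_outcome(policy: str) -> str:
    """Attacker asks for Host: www.victim.example over a connection to his own
    IP; then a victim asks for the same Host at the real address."""
    proxy = TransparentProxy(policy)
    proxy.request("203.0.113.66", "www.victim.example")
    return proxy.request("198.51.100.10", "www.victim.example")
```

Only "trust client IP, cache on Host" hands the victim the attacker's body. "Cache on IP/Host" is safe but wastes cache space on every CDN address a site resolves to, which is the hit-rate cost the new policy trades away only partially: it caches on Host alone, but refuses to populate the entry from an address DNS does not vouch for.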
Seriously, home routers
• Don't accept default passwords after 10 minutes from power cycle!
• Browsers are going to be exposing home web interfaces for the foreseeable future
Is that it?
• Aw no, one last piece of fun
– Problem: NAT2NAT
• Two clients, both behind NATs that only allow outbound connectivity, have trouble communicating with one another
– Common Solution: UDP
• Pretty easy to broker connectivity over UDP – flinging packets at each other with the appropriate ports tends to allow connectivity
– Sometimes NATs make this really easy and don't care what IP address is flinging the packets
• Every game does this
• Problem: No TCP reliability / flow control stack
– Oh well, we'll just write our own!
O HAI CONGESTION COLLAPSE
• NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
Can We Get TCP NAT2NAT?
• The common way: UPnP
– ~50% of home routers, 0% of corporate routers
• The hideous way
– My 2001 Black Ops talk – terrible tricks with TTLs
• The new way!
– FTP ALG!
An Idea
• Idea: Set up a command channel to a broker – not with a browser, but with an actual application
• Tell the broker to connect back with a PORT command
• The broker tells your peer to connect to the named PORT
• This does not usually work. The peer has a different IP address than the one that sent the PORT command, and most NATs are actually smart enough to notice
– There are other protocols not so restricted, but FTP is universal
– Obviously, we can't do an FTP command channel to our peer; if we could, we'd just route our data over that TCP session!
– But what if we did connect to our peer… and a broker impersonated him accepting our traffic?
An Idea, Restored: What If The NAT2NAT Broker Impersonated ACKs for an FTP Command Channel?
• 1) Alice sends a SYN to Bob on port 21. Bob ignores it – firewalled! Alice tells the Broker her port and seq# information.
• 2) Broker spoofs the correct SYN|ACK to Alice as Bob. Alice's NAT accepts – port and seq# match!
• 3) Alice sends each message of an FTP command channel. Broker spoofs ACKs for each command. Once Alice passes PORT and RETR, a firewall hole is open.
• 4) Broker tells Bob to connect to the open port.
• 5) Bob connects – WIN!
Implementation Details for The Blind FTP NAT2NAT Broker
• 1) If firewalls change the SEQ#'s, we're hosed – client doesn't know what SEQ# the Broker should ACK
• 2) Need to figure out which port the firewall will assign for the external FTP listener
– Could be anything
• 3) Depends on the foreign firewall not sending RST|ACKs
– No problem, this is common
• 4) Only requires a sniffer on Alice, and nothing special on Bob
– Just need the SEQ#
• Otherwise, this should work!
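Everything the broker has to get right in steps 2 and 3 above is arithmetic on sequence numbers: the spoofed SYN|ACK must acknowledge Alice's ISN plus one, and each later spoofed ACK must acknowledge exactly the bytes of command text Alice has sent so far, or her NAT's state tracking will not treat the segments as part of her connection. The block below is an added example, not the talk's broker: it builds the raw TCP segments (checksummed against the pseudo-header, without IP headers, and never transmitted) that the broker would emit as Bob, given the ISN and external port that Alice's sniffer reports. The addresses, ports, ISNs, FTP credentials and the file name in RETR are constructed for the example; an actual broker would need raw-socket or IP-spoofing capability to send them.

```python
import socket
import struct
from typing import Dict, List

FLAG_SYN, FLAG_ACK = 0x02, 0x10
TCP_FMT = "!HHIIBBHHH"   # sport, dport, seq, ack, data offset, flags, window, csum, urg


def ones_complement_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp(src_ip: str, dst_ip: str, sport: int, dport: int,
              seq: int, ack: int, flags: int, payload: bytes = b"") -> bytes:
    """Raw TCP segment (no IP header) with a correct checksum."""
    hdr = struct.pack(TCP_FMT, sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                      5 << 4, flags, 65535, 0, 0)
    csum = ones_complement_checksum(
        pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    return ones_complement_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_tcp(segment: bytes) -> Dict[str, int]:
    """What Alice's sniffer pulls off her own outgoing SYN: ports, seq#, flags."""
    sport, dport, seq, ack, _, flags, _, _, _ = struct.unpack(TCP_FMT, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def alice_commands(private_ip: str, data_port: int) -> List[bytes]:
    """The command channel Alice plays blind (she never gets real replies).
    PORT carries her *private* address; that is the line the ALG rewrites
    and opens an external listener for."""
    h = private_ip.replace(".", ",")
    return [b"USER anonymous\r\n", b"PASS broker@example.invalid\r\n", b"TYPE I\r\n",
            f"PORT {h},{data_port >> 8},{data_port & 0xFF}\r\n".encode(),
            b"RETR hole\r\n"]


def broker_segments(alice_pub_ip: str, alice_pub_port: int, bob_ip: str,
                    alice_isn: int, broker_isn: int, commands: List[bytes]) -> List[bytes]:
    """Segments the broker spoofs *as Bob* toward Alice's NAT (steps 2 and 3).
    The broker never sees Alice's packets; it knows only her ISN and the NAT's
    external port from her sniffer, so the ACK schedule is computed from the
    byte lengths of the commands she promises to send.  If the NAT rewrites
    sequence numbers on the way out, these values are wrong (detail 1 above)."""
    segs = [build_tcp(bob_ip, alice_pub_ip, 21, alice_pub_port,
                      broker_isn, alice_isn + 1, FLAG_SYN | FLAG_ACK)]
    acked = alice_isn + 1          # the SYN consumed one sequence number
    for cmd in commands:
        acked += len(cmd)          # pure ACK, no data: Bob's seq stays at ISN+1
        segs.append(build_tcp(bob_ip, alice_pub_ip, 21, alice_pub_port,
                              broker_isn + 1, acked, FLAG_ACK))
    return segs
```

The NAT on Alice's side sees a SYN leave, then a SYN|ACK arrive from Bob's address on port 21 with the right ports and acknowledgement number, then a stream of outgoing commands each acknowledged in turn; from its point of view this is an ordinary FTP session, which is exactly why its ALG parses the PORT line and opens the listener. Nothing in the exchange requires Bob's network to do anything except not answer with RST|ACK (detail 3).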
Conclusions
• Networking is fun
• Patch your infrastructure
– It shouldn't be this fun
• Be really careful what you deploy where
• There's lots of old stuff that didn't actually get fixed
– Sometimes didn't == couldn't