IP leak affecting VPN providers with port forwarding

[wlanboy]

We have discovered a vulnerability in a number of providers that allows an attacker to expose the real IP address of a victim. “Port Fail” affects VPN providers that offer port forwarding and have no protection against this specific attack. Perfect Privacy users are protected from this attack. This IP leak affects all users: The victim does not need to use port forwarding, only the attacker has to set it up.


We have tested this with nine prominent VPN providers that offer port forwarding. Five of those were vulnerable to the attack and have been notified in advance so they could fix this issue before publication. However, other VPN providers may be vulnerable to this attack as we could not possibly test all existing VPN providers.


The attacker needs to meet the following requirements:


Has an active account at the same VPN provider as the victim

• Knows victim’s VPN exit IP address (can be obtained by various means, e.g. IRC or torrent client or by making the victim visit a website under the attackers control)
  
• The attacker sets up port forwarding. It makes no difference whether the victim has port forwarding activated or not.
  

The IP leak can then be triggered as follows:


Victim is connected to VPN server 1.2.3.4

• Victim’s routing table will look something like this:
  
• 0.0.0.0/0 -> 10.0.0.1 (internal vpn gateway ip)
  
• 1.2.3.4/32 -> 192.168.0.1 (old default gateway)
  
• Attacker connects to same server 1.2.3.4 (knows victim’s exit through IRC or other means)
  
• Attacker activates Port Forwarding on server 1.2.3.4, example port 12345
  
• Attacker gets the victim to visit 1.2.3.4:12345 (for example via embedding <img src=”http://1.2.3.4:12345/x.jpg”> on a website)
  

This connection will reveal the victim’s real IP to the attacker because of the “1.2.3.4/32 -> 192.168.0.1” vpn route.
The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address, as this is required for the VPN connection to work. If another user (the attacker) has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control.


Also note that due to the nature of this attack all VPN protocols (IPSec, OpenVPN, PPTP, etc.) and all operating systems are affected.


https://www.perfect-privacy.com/blog/2015/11/26/ip-leak-vulnerability-affecting-vpn-providers-with-port-forwarding/

 

[KuJoe]

I never really liked the idea of shared VPN servers. I see the appeal and the benefits of them, I just never felt comfortable with them and this validates my concern. This is something that makes sense when you see it, but not something I would have ever thought about. Imagine all of the other attack vectors when somebody has access to the same VPN server/IP as you.

 

[HN-Matt]

The attacker needs to meet the following requirements:


Has an active account at the same VPN provider as the victim

• Knows victim’s VPN exit IP address (can be obtained by various means, e.g. IRC or torrent client or by making the victim visit a website under the attackers control)
  

Or... https://vpsboard.com/topic/8211-beware-of-ip-justification-and-your-personal-data-being-abused

 

[HN-Matt]

The attacker needs to meet the following requirements:


[...]

• Victim’s routing table will look something like this:
  
• 0.0.0.0/0 -> 10.0.0.1 (internal vpn gateway ip)
  
• 1.2.3.4/32 -> 192.168.0.1 (old default gateway)
  
• Attacker connects to same server 1.2.3.4 (knows victim’s exit through IRC or other means)
  
• Attacker activates Port Forwarding on server 1.2.3.4, example port 12345
  
• Attacker gets the victim to visit 1.2.3.4:12345 (for example via embedding <img src=”http://1.2.3.4:12345/x.jpg”> on a website)
  
• This connection will reveal the victim’s real IP to the attacker because of the “1.2.3.4/32 -> 192.168.0.1” vpn route.
  

Okay, so I wanted to ask this earlier but had to step out of the house for a bit. In what sense would the IP be 'revealed'? i.e. through a specific means of logging? Something else? Why not post the exact steps in this thread?

Or a better question, who would the 'attacker' be in this context other than a contemptible surveillance boffin?

 

[KuJoe]

Okay, so I wanted to ask this earlier but had to step out of the house for a bit. In what sense would the IP be 'revealed'? i.e. through a specific means of logging? Something else? Why not post the exact steps in this thread?

Or a better question, who would the 'attacker' be in this context other than a contemptible surveillance boffin?

I'm assuming error.log would show the IP in the 404 error.

 

[wlanboy]

In what sense would the IP be 'revealed'? i.e. through a specific means of logging? Something else? 

Not at all. The traffic can be forwarded to a defined server. So just look at the logs of the forwarded server.
A simple img tag on a regular website targeting the ip address of the vpn server is enough to get the real ips of all visitors using that vpn server.

 

[HN-Matt]

I never really liked the idea of shared VPN servers.

Or VPN in general: https://gist.github.com/joepie91/5a9909939e6ce7d09e29

I gotta say though, this seemingly never ending accumulation of 'internet security' theatrics / hysteria is really too much sometimes. As in superfluous. If you know what you're doing, all you really need is plaintext and a good brand of tinfoil at the end of the day (even the tinfoil is somewhat unnecessary, although I've found if you form it into a kippa it can help with headaches, strangely enough).


No shared VPN here, but gonna see if lil old me can reproduce the attack out of curiosity.

 

[KuJoe]

@HN-Matt thanks for sharing that link! I always love reading articles like that from @joepie91 even if I don't agree/understand them I find them enjoyable (not saying I don't agree/understand this one, just pointing out that his articles pair well with an open mind).


I personally use a VPN/proxy more often than I used to, but that's a byproduct of using a remote 24x7 jump box to do my daily work and not because I wanted privacy/security. I can see why some people feel like they need a VPN/proxy but for me it would be basically useless.

 

[MannDude]

My VPN provider warned me about this a couple weeks ago. I still prefer, like KuJoe said, running your own private VPN... but one of the benefits of using a service like PrivateInternetAccess (Which I use) is the ability to easily switch between many different locations and just general ease of use.

 

[KuJoe]

I have a PIA account also, but it's mainly for my family and friends to use.

 

[HN-Matt]

I personally use a VPN/proxy more often than I used to, but that's a byproduct of using a remote 24x7 jump box to do my daily work and not because I wanted privacy/security. I can see why some people feel like they need a VPN/proxy but for me it would be basically useless.

Don't get me wrong, I'm totally against the manipulative logic of 'why encrypt if you have nothing to hide?' and so on. I don't think VPN or proxies are necessarily useless either, although more and more it seems like you won't get much mileage out of them if you're not exceptionally versed in all of the potential holes and stress positions.

I'm partially joking re: plaintext, but I also think certain suggestions and connotations of open source language are 'already encrypted' depending on context, interlocutor, etc. To that extent adding additional layers of encryption may only function as superfluous translation into meaninglessness.

 

[wlanboy]

For me VPN has two main reasons:

• Getting a specific IP - kudos to the content providers
  
• Getting out of a public net - avoiding hotel and airport WLANs
  

Both reasons do not include hiding my identity.