A firewall won't stop this one

Discussion in 'Computer Security' started by NetUser, Nov 1, 2003.

  1. NetUser

    NetUser Guest

    There is definitely something going on with IP address 127.0.0.1, or there
    soon will be. Maybe it's been going on for a long time.

    If a site registers its IP as 127.0.0.1, and its url is placed in a blind,
    background link (such as a traffic tracking link), what will happen is that
    when your browser reads the html that contains this link, it will dutifully
    pick up and execute the link (of course). But then it will go to the dns
    system and be instructed to go to 127.0.0.1 for that url. It will then
    happily poke around in your machine, doing whatever the link told it to do.

    For example, if some site like "sneakysite1001.com" registers a 127.0.0.1 IP
    address, and some other site (any other site) has http://sneakysite1001.com
    in its html code, and you surf there, then your browser will say "Hmmm,
    where is sneakysite1001.com? Oh, it's at 127.0.0.1," and it will proceed to
    hit your port 80. This will happen, whether port 80 is blocked on your ISP
    or not, or whether your firewall blocks port 80 or not. And your browser
    will start reporting that you are sneakysite1001.com! Of course! 127.0.0.1
    is sneakysite1001.com, and your machine is 127.0.0.1, so...

    Now for the fun part. What if the link in anysite.com is to
    http://sneakysite1001.com:445?turn-over-your-firstborn.now

    Well, your browser will pass "turn-over-your-firstborn.now" to your own port
    445, firewall or no firewall. Or it could send any message to any port they
    like.

    Hmm, this can be embedded in any html, in any e-mail, or on any website, and
    all with plausible deniability. "Oh, we thought it was a traffic tracker."

    I have been telling people about this... but nobody understands or cares. I
    guess somebody will have to write a worm that hits some port with an
    undocumented takeover command, before anybody will listen. Of course, maybe
    it's already going on. Maybe it's a well-known back door. Hmmmm... Time
    to make it public, I think.

    They are using porn sites now, I guess so that we will zone out. "Oh well,
    you shouldn't go to porn sites." Never mind that the link could be in
    www.whitehouse.gov.

    Here's one of the links: http://track.sexportal2000.com - this one is all
    over the place.

    also mail.sexportal2000.com - isn't that special!

    also http://www.sexportal2000.com

    Check them out - "not public" is the owner, the host is supposedly in
    Bulgaria, the dns servers are in Vancouver, B.C., Canada, and the IP is
    127.0.0.1 - and it has been, for weeks that I know of.

    Or try this:

    Put a little webserver on your machine on port 80, with a "Hi there,
    hello-world" page on it, so you will know when your browser hits your port
    80. Block your port 80 with your firewall. If your ISP blocks port 80, so
    much the better. If your website can log, turn on the logging for later
    review.

    Point your browser at http://www.sexportal2000.com - hey, how did your
    little site get on there?

    Then go to http://www.geocities.com/thebestnumber9/ and scroll down a little
    to the link to http://www.freakzone2000.com/adult.htm and click on that.
    Again you will get your own little site from your own port 80. But, if you
    manually type http://www.freakzone2000.com/adult.htm into your browser, you
    get an entirely different site. So, somebody is conditionally linking to
    127.0.0.1, or not, depending on some condition. Very interesting, no? This
    is not new, I found this weeks ago.

    Hmm, you have port 80 blocked, so how did they get in? Hmmmmm. I'm telling
    you, they can hit any port they want to.
     
    NetUser, Nov 1, 2003
    #1

  2. NetUser

    Dazz Guest

    On Sat, 01 Nov 2003 21:35:31 GMT, "NetUser"

    Debbie? Is that you?

    Dazz
     
    Dazz, Nov 2, 2003
    #2



  3. my first thought also.



    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Nov 2, 2003
    #3
  4. NetUser

    Pete Guest

    Why would someone do this ? Beats the hell out of me.

    --
    Regards,

    Pete.

    'War doesn't prove who's right, just who's left.'
     
    Pete, Nov 2, 2003
    #4
  5. NetUser

    Pete Guest

    Why would someone do this ? Beats the hell out of me...
     
    Pete, Nov 2, 2003
    #5
  6. NetUser

    reshman Guest

    So I guess you just have to be careful what services you have open on your
    machine..........which you should be doing anyways!

    -Mike
     
    reshman, Nov 2, 2003
    #6
  7. NetUser

    Volker Birk Guest

    Yes.

    That is one of the reasons for http://www.fefe.de/pffaq/

    It is completely impossible to deny communication for applications
    without having a real sandbox. For processes you need a
    virtual machine for that. All other "sandboxing", as implemented
    by the personal firewalls, will not work at all.

    If you're starting a process which only listens on localhost, you can
    in spite of all port-filtering on the interfaces send data to it by
    using localhost URLs.

    As an example: they're using redirects in HTTP.

    You're watching layer 5/6 communication here. You can stop that by
    implementing a filtering proxy for your firewall. Portfiltering
    does not work for that, it's layer 3/4.

    VB.
     
    Volker Birk, Nov 2, 2003
    #7
  8. NetUser

    Volker Birk Guest

    By the document part of the URL, you can send data to the process
    listening on localhost. An easy example:

    Some application wants to "phone home" and get and send information
    from and to there.

    localhost linking is one of the possibilities to send data from
    a website to a local process, ignoring all filtering in the layers
    below 5.

    The local application, e.g., opens port 80 on localhost and listens.
    The remote application redirects to a document with
    http://127.0.0.1/information/to/send

    Then the local application is asked by the user's browser with a
    GET /information/to/send on localhost.

    The application processes this request. Then it redirects to an
    external URL again, e.g. again on the remote application's web server.
    It encodes the information to reply into the path part of the URL
    again.

    As a result you have communication between your local application
    and the application on the remote web server without violating port
    filtering, because you're communicating layer 5/6.

    You can stop that for example by using a proxy for your browser which
    filters any URL with a localhost address from outside.

    VB.
     
    Volker Birk, Nov 2, 2003
    #8
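Volker Birk's exchange above, together with the opening post's scenario of a public hostname that resolves to 127.0.0.1, as an added example in Python. This is not code from the thread; the hostnames, the DNS table and the path layout are constructed stand-ins. It models the three hops (remote site, local listener, remote site again) with the data riding in the URL path, shows why the remote side learns the local answer even though it never connects to the user's machine, and implements the defence Volker describes: a filter that checks the resolved address rather than the hostname string, which is what makes the harmless-looking name detectable. The check covers 127.0.0.0/8 and ::1 as well as the literal 127.0.0.1.

```python
"""Localhost-linking redirect chain and the URL filter that stops it.

Added example, not code from the thread. Hostnames, the DNS table and the
path layout are constructed stand-ins; a real filter would resolve names
with socket.getaddrinfo() instead of reading a dict.
"""
import ipaddress
from urllib.parse import urlsplit, quote, unquote

# Constructed resolver table. The public-looking name resolves to loopback,
# as in the scenario above; the string itself looks harmless.
DNS = {
    "sneakysite1001.example": "127.0.0.1",
    "remote.example": "203.0.113.10",   # TEST-NET-3 documentation range
}


def resolves_to_loopback(url: str) -> bool:
    """True if the URL's host is, or resolves to, a loopback address
    (127.0.0.0/8 or ::1), or is the literal name 'localhost'."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)      # IP literal in the URL
    except ValueError:
        literal = DNS.get(host)                # otherwise resolve the name
        if literal is None:
            return False
        addr = ipaddress.ip_address(literal)
    return addr.is_loopback


class RemoteSite:
    """The remote web application. It bounces the browser into loopback
    with a command in the path and records whatever the return redirect
    carries back."""
    def __init__(self):
        self.received = []

    def handle(self, path):
        if path.startswith("/landing"):
            cmd = quote("cmd=report-version", safe="")
            return 302, {"Location": f"http://sneakysite1001.example/information/to/send/{cmd}"}, b""
        if path.startswith("/collect/"):
            self.received.append(unquote(path[len("/collect/"):]))
            return 200, {}, b"thanks"
        return 404, {}, b""


class LocalApp:
    """A process on the user's machine listening on loopback port 80."""
    def __init__(self):
        self.requests = []

    def handle(self, path):
        self.requests.append(path)
        prefix = "/information/to/send/"
        if path.startswith(prefix):
            cmd = unquote(path[len(prefix):])
            reply = quote(f"answer-to:{cmd};version=1.0", safe="")
            return 302, {"Location": f"http://remote.example/collect/{reply}"}, b""
        return 404, {}, b""


def browse(start_url, sites, block_loopback=False, max_hops=10):
    """Follow redirects the way a browser does. `sites` maps a resolved IP
    to the application behind it. With block_loopback=True the browser
    (or a filtering proxy in front of it) refuses any URL whose host
    resolves to loopback, which is the defence proposed above."""
    url, trail = start_url, [start_url]
    for _ in range(max_hops):
        if block_loopback and resolves_to_loopback(url):
            return "blocked", trail
        parts = urlsplit(url)
        status, headers, _body = sites[DNS[parts.hostname]].handle(parts.path)
        if status in (301, 302, 303, 307, 308):
            url = headers["Location"]
            trail.append(url)
            continue
        return status, trail
    raise RuntimeError("redirect loop")


def run_demo(block_loopback):
    """Run the chain once; return (final result, what the remote side
    learned, what the local listener was asked)."""
    remote, local = RemoteSite(), LocalApp()
    sites = {"203.0.113.10": remote, "127.0.0.1": local}
    result, _trail = browse("http://remote.example/landing", sites, block_loopback)
    return result, remote.received, local.requests
```

Compare run_demo(False) with run_demo(True): without the filter the remote side ends up holding the local application's answer although every connection was made by the user's browser; with it the chain stops before the loopback listener is touched. The DNS dict stands in for socket.getaddrinfo(); a production filter also has to repeat the check at connect time, since a name can resolve differently between the check and the fetch (DNS rebinding).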
  9. NetUser

    sponge Guest

    If you knew anything about abuse, you'd know that spam sites have
    their domains set to localhost to prevent spamvertised links from
    being usable. How far this goes depends upon the ISP and whether or
    not it's the DNS host or actual site host that processes complaints
    first, but this is how many "warnings" and "suspensions" are handled.
    Some spam-friendly ISPs will also do this with a domain but leave the
    actual site running, so existing users or those connecting via an
    aliased domain will not be affected. That's why it's becoming more and
    more necessary to address complaints to connectivity providers when
    you're dealing with a spam-friendly hosting provider.

    Sponge
    Sponge's Secure Solutions
    www.geocities.com/yosponge
    My new email: yosponge2 att yahoo dott com
     
    sponge, Nov 2, 2003
    #9
  10. *snip*
    aww.... i made the wittle woser mad at me... lol....

    of course you know that localhost is 127.0.0.1 ~smirk~

    so what you're saying is, you don't know how to sandbox your local
    machine?

    yes, i flame. idiots. morons. you know, folks like you.
     
    Colonel Flagg, Nov 2, 2003
    #10
  11. dance. dance string boy.
     
    Colonel Flagg, Nov 2, 2003
    #11
  12. Considering it would be a web link, how is port 445 or any other port
    not running a web server going to understand the http get or post?
    They'll all return a 503 whether the port is open or closed if there
    isn't a web server running on it. Of course if it is a CONNECT and
    successful, then your problem is an open CONNECT proxy (a surprisingly
    common misconfiguration).

    About the only ways of being successful with this would be java,
    javascript, flash, or some type of compiled plugin that executes on your
    machine to run a port scan of localhost and can return that data to the
    requester. Either that or a trojan, but neither of those methods are
    anything new.

    /steve
     
    Stephen K. Gielda, Nov 2, 2003
    #12
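Steve's point (the listener has to speak HTTP) and NetUser's (the bytes reach the port regardless of interface filtering) can both be seen on the wire. The following is an added example in Python, not code from the thread; both toy services are constructed, and socket.socketpair() stands in for the loopback TCP connection the browser would open, so nothing here touches the network. It builds the request a browser emits for the :445 URL from the opening post and delivers it first to a line-command listener in the style of SMTP and then to an HTTP-speaking listener.

```python
"""What a listener on the user's own machine receives when the browser is
pointed at http://<name-that-resolves-to-127.0.0.1>:<port>?<attacker text>.

Added example, not code from the thread. Both services are constructed
toys; socketpair() replaces the loopback TCP connection.
"""
import socket
from urllib.parse import urlsplit


def browser_request(url: str) -> bytes:
    """The request line and headers a browser emits for `url` (simplified:
    no User-Agent or Accept headers)."""
    p = urlsplit(url)
    target = p.path or "/"
    if p.query:
        target += "?" + p.query
    host = p.netloc  # keeps the :port if the URL gave one
    return (f"GET {target} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def http_service(request: bytes) -> bytes:
    """A listener that speaks HTTP: the attacker-chosen target is data it
    can act on, which is the case the thread is worried about."""
    request_line = request.split(b"\r\n", 1)[0]
    _method, target, _version = request_line.split(b" ")
    body = b"you asked for " + target
    return (b"HTTP/1.1 200 OK\r\nContent-Length: "
            + str(len(body)).encode("ascii") + b"\r\n\r\n" + body)


def line_command_service(request: bytes) -> bytes:
    """A listener speaking an SMTP-style line protocol (constructed). It
    reads one line, takes the first token as the command, and rejects GET.
    The attacker never gets to choose that first token; the browser does."""
    first_line = request.split(b"\r\n", 1)[0]
    verb = first_line.split(b" ", 1)[0].upper()
    if verb in (b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"QUIT"):
        return b"250 OK\r\n"
    return b"500 5.5.2 Error: command not recognized\r\n"


def deliver(request: bytes, service):
    """Push `request` through a connected socket pair to `service` and
    return (bytes the service received, bytes the browser got back).
    The reply has nowhere to go but the browser end of the same pair."""
    browser_side, service_side = socket.socketpair()
    try:
        browser_side.sendall(request)
        browser_side.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = service_side.recv(4096)
            if not data:
                break
            chunks.append(data)
        received = b"".join(chunks)
        service_side.sendall(service(received))
        service_side.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            data = browser_side.recv(4096)
            if not data:
                break
            reply += data
    finally:
        browser_side.close()
        service_side.close()
    return received, reply


if __name__ == "__main__":
    # The URL from the opening post, unchanged.
    req = browser_request("http://sneakysite1001.com:445?turn-over-your-firstborn.now")
    for svc in (line_command_service, http_service):
        seen, reply = deliver(req, svc)
        print(svc.__name__, "saw:", seen, "replied:", reply)
```

Only the HTTP listener can do anything with the attacker-chosen part (the path and query); the line-protocol listener sees GET as an unknown command and answers with an error, and either way the reply travels back only to the browser on the same machine. Current browsers also refuse to open URLs on a fixed list of ports that includes 25 and 445, so the exact request above would now be rejected before any connection is made.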
  13. Flagg -

    Please don't feed the trolls.
     
    Dave Thornburgh, Nov 2, 2003
    #13
  14. NetUser

    NetUser Guest

    Sure, if it is an http link, it should only have access to open
    subdirectories in some www directory. But it's redirectable, so it can pass
    odd things to ports. And the link could have been an ftp, telnet, POP3,
    SMTP, HTTPS, or anything, so it could have passed pretty much anything to
    anything, on any port. The port-blocking action of the firewall is
    ineffective against it, so things that were never a problem can suddenly
    become real big problems.

    Isn't that a matter of some concern? We don't really know what was left
    ticking on what ports for this worm to tickle. Maybe they shouldn't be
    there on a properly configured network, but they are behind firewalls so
    nobody noticed them. And now, they are accessible. All you have to do is
    read trick-link e-mail with http turned on, or browse a trick-link website.
    The defense is some technique almost nobody ever heard of. I predict
    trouble.
     
    NetUser, Nov 2, 2003
    #14
  15. How is it going to be redirected unless you tell your machine to
    redirect it?
    No, it's not. You'd have to set up a webserver listening on that port
    to get a response from a link, or you'd have to set up your machine to
    redirect the port. Any other method of getting to localhost is a trojan
    or java/javascript/flash/etc exploit, all of which are not new.
    Accessible, maybe, to a simple get request on a web link, no, not unless
    there is a web server running on that port.
    It's still not going to work unless you have a webserver on the port it
    links to, or it's executing code (ie. trojan, java, etc).

    /steve
     
    Stephen K. Gielda, Nov 2, 2003
    #15
  16. NetUser

    dkg_ctc Guest

    I probably shouldn't be replying, because it will probably go right
    over your troll-like little head, but ok, here goes...

    Debbie is similar to you--a troll who pretends as if it/she/he
    actually has a clue about how the internet works when in reality
    it/she/he doesn't.
    Mr. Kettle, I'd like to introduce you to Mr. Pot...

    *snip*
    Ok, so they link to your internal machine...and then? The
    communication doesn't go from your machine, through the remote
    machine, back to your machine, then back to the remote machine, then
    back to your machine. The activity is from your machine, to your
    machine--no middle hop.
    Nothing happens, because port 445 doesn't understand HTTP.
    No, YOU poke your port 445. Basically, they tell you to poke
    yourself (a suggestion which I'm sure you've received numerous
    times).
    Again, there are two problems with this:

    1.) The poking around only works from your computer, to your
    computer.

    2.) The remote computer does not see the results.

    3.) Unless the port that the remote computer is having you probe is
    an HTTP server, it likely won't even understand the request that your
    browser sends to it.
    Do you?
    *rest of the ignorant rant snipped*

    Just to recap:

    1.) If you go to a webpage that points you to 127.0.0.1, YOU are
    going to your computer through no one. Thus, no remote site will see
    the results of these connection attempts.

    2.) If you go to a webpage that points you to 127.0.0.1, no useful
    information will be given to the port that is pointed to, nor will any
    useful information be outputted to the browser, unless application
    which is listening on the port understands the HTTP protocol.

    3.) Debbie is a troll who, despite being clueless with regards to
    security, preaches as if it/he/she is the greatest thing to happen to
    privacy/security since the Enigma machine. So are you.
     
    dkg_ctc, Nov 3, 2003
    #16
  17. NetUser

    dkg_ctc Guest

    *snip*

    Without going into the details of how flawed the reasoning of the
    author of that page is, that page refers specifically to
    software firewalls...are you suggesting that hardware firewalls
    prevent you from connecting to localhost? If you aren't suggesting
    that hardware firewalls prevent connections to localhost (and I
    certainly hope you aren't), then I'm not sure what that page has to
    do with the subject at hand...

    (Not to mention the fact that, depending on the software firewall
    which is installed, you can block access from certain
    applications to 127.0.0.1...although I have to admit that I'm not sure
    why someone would want to.)
     
    dkg_ctc, Nov 3, 2003
    #17
  18. NetUser

    Volker Birk Guest

    That is a misunderstanding.

    The problem is the so called "Personal Firewalls".

    A firewall is the concept to define all traffic between two
    security zones on one single point of communication.

    To implement a firewall you can use just hard wired hardware,
    or a computing system like an implementation of von Neumann's machine
    as you find it i.e. in a PC.

    But to have a firewall, you need a security concept which contains
    a zone plan.

    What you're talking about is filtering software.

    "Personal Firewalls" often try to implement host based packet filters
    and some kind of "sandboxing". Both of these they implement badly.

    Most of the products which are sold as "Personal Firewalls" are
    implementing packet filtering in user space by modifying the DLL
    which contains the WinSock implementation. Also the sandboxing is
    very bad, because for sandboxing processes you're needing virtual
    machines, and no "Personal Firewall" I know implements virtual
    machines.

    Even the "Personal Firewalls" which are using the kernel functions
    of Windows for packet filtering are doing that very badly - they're
    offering user interface for unprivileged users on a windowing
    system where IPC is offered by pushing and without any authentication
    at all.

    But even if "Personal Firewalls" were implemented better, they
    would not work for the jobs they're offered for by only implementing
    packet filtering as a filter function, because communication can
    proceed easily also in other network layers than 3/4.

    Of course no filtering system at all can be perfect in theory.

    VB.
     
    Volker Birk, Nov 3, 2003
    #18
  19. NetUser

    NetUser Guest

    Actually, there was useful information in your post, dkg. This sets you
    apart from several others here.

    I submit that I was not attacking you, but I was responding to poor behavior
    from CF. I can only wonder why you freely offer your remarks to me, and yet
    withhold your comments from the good Colonel. Heck, by comparison I am not
    bad at all.

    How would the redirect occur? Through the addition of the :(XXX) following
    the address in the url. XXX = redirect port number. You know that. Why
    did you ask?

    It would only be an HTTP request? Can't it be a telnet, pop3, smtp, ftp,
    etc, depending on the url of the invisible link? And does it really matter?
    It can pass info. As I said earlier, who knows what Microsoft has left
    ticking for us in their ports? The various flavors of Linux, Unix and
    Apple, too. Nobody is perfect, not even me! :)

    Now comes the test. Can you respond without flaming? Or are you no better
    than Colonel Flagg there? I don't really care, it's your life.
     
    NetUser, Nov 3, 2003
    #19
  20. Tell you what, come up with a proof of concept that actually does
    something and returns it to another server. Possibly as you attempt
    this you'll learn why what you say is not feasible. Either that or
    you'll prove me wrong and if you do I'll give you front page coverage
    for your proof of concept on www.cotse.com.

    /steve
     
    Stephen K. Gielda, Nov 3, 2003
    #20
