Comments on: NAT Pinning and ABE

By: Giorgio

Giorgio — Sun, 24 Jan 2010 13:58:21 +0000

@Sorrow:
Both are invalid endpoints, so they’re both OK as long as the OS immediately rejectS them for connection building, improving responsiveness.

By: Sorrow

Sorrow — Sat, 23 Jan 2010 21:45:44 +0000

I have a question again, Giorgio, even though it may have been asked already.

What’s the benefits of employing 255.255.255.0 as your redirect address/local domain within your hosts file, instead of using 0.0.0.0?

Wouldn’t those two addresses offer the same benefits overall? Or will using the subnet mask 255.255.255.0 do something else I’m not aware of?

Just curious what you have to say about it.

P.S. I referenced your knowledge on the Wikipedia article for Hosts file.

By: Giorgio

Giorgio — Thu, 14 Jan 2010 22:26:58 +0000

@Christophe:
Technically yes, but

Blocking common alternate HTTP ports such as 8080, 8081, 8090, 8443, 9080 and so on it’s undesirable.
As far as we currently know, we just need to block IRC, SIP and FTP. My regular expression blocks more just to be safe, but tries not to exceed in strictness.

By: Christophe

Christophe — Thu, 14 Jan 2010 16:09:51 +0000

Shouldn’t the regular expression be

^https?://[^/]+:([1-35-79]|8(?!0)|8(?=0\d)|4(?!43)|4(?=\d{3}))

in order to prevent connections to ports different from 80 and 443? The expression used in the post still allows port 45, 81, 9, etc.

Warning: I assume no one will start the port number with 0, seems rather unlikely a link using that will be up to something good.

By: Week 1 in Review – 2010 | Infosec Events

Week 1 in Review – 2010 | Infosec Events — Tue, 12 Jan 2010 10:10:39 +0000

[…] NAT Pinning and ABE – hackademix.net Some feedback on NAT pinning and prevention of attacks using this. […]

By: Giorgio

Giorgio — Fri, 08 Jan 2010 20:18:17 +0000

@ac:

Another thing: I’m curious if this can be used to open a port to another system on network than the one that’s used to send the command eg by guessing the internal IP?

Apparently yes. And before the two bugs you named were fixed, you didn’t even need to guess the IP…

By: ac

ac — Fri, 08 Jan 2010 18:32:21 +0000

@#3 Giorgio
Many thanks for clearing up my misconception!
I suppose the only patch (besides using NoScipt of course) is to disable ip_conntrack_ftp.o and ip_conntrack_irc.o on 2.4.* or nf_nat_ftp.ko and nf_nat_irc.ko on 2.6.*
Will have to look how much functionality this breaks.

Another thing: I’m curious if this can be used to open a port to another system on network than the one that’s used to send the command eg by guessing the internal IP?

By: HNicolai

HNicolai — Fri, 08 Jan 2010 14:39:09 +0000

I tried the vulnerable yesterday, and it seems like ABE blocked it successfully. When I clicked on the link, then ABE came with a "Warning" and my router hasn’t forwarded any ports :)

But i’m still writting "Site ^https?://[^/]+:[0-35-7] (newline) Deny" in my USER.abe file

By: AnonCoward

AnonCoward — Fri, 08 Jan 2010 14:19:13 +0000

Wow!
Brisk work.
So now most of all, thoughty, Samy *and* Giorgio are my heroes.

By: Giorgio

Giorgio — Fri, 08 Jan 2010 13:57:57 +0000

@ac:
No, this one has never been fixed because it’s not a bug.
This issue is related to the fixed bug you found (it affects the same functionality), but in this case the functionality is working as expected, allowing the remote IP to connect with the originating IP at the requested port.
So Linux-based routers are still affected, and they are unlikely to be patched any time soon against a non-bug…