------------------------------------------------------------------ - EXPL-A-2003-025 exploitlabs.com Advisory 025 ------------------------------------------------------------------ -= Visualroute Server =- Donnie Werner Oct 1, 2003 Vunerability(s): ---------------- 1. reverse tracerouting fingerprinting / discovery vunerability allowing intranet ( LAN ) mapping by way of Visualroute servers being accessed from the internet ( WAN ) Product: -------- http://www.visualware.com/personal/demo/index.html Reviews: -------- http://www.visualware.com/company/pressroom/coverage.html Description of product: ----------------------- VisualRoute Server adds Web server functionality so that multiple users can easily access the server via a Web browser, regardless of their location. Traces originate from the VisualRoute Server system and may be run back to the end-user location or to any other IP address or Web server. VUNERABILITY / EXPLOIT ====================== the core issue here is that by specififying an internal ip such as 192.168.0.*, 10.*.*.*, or 172.18.18.* or any other reserved ( private ) address you are able to map the internal lan structure via an external ( WAN ) address from the internet. standard trace route example: ------------------------------ standard traceroute server request requesting a trace to from exploitlabs.com to a Visualroute Server we may see.. output.. 12.230.0.205 ( exploitlabs.com ) 12.244.x.5 - isp router 24.x.200.x - target isp router 24.x.240.2 - target destination reached in bla seconds - complete packet loss 0% now on a Visualroute Server the originating trace begins at the target server, traces through routers to dest. so for example asking a server running Visualroute Server the same request we get 24.x.240.2 - target ip 24.x.200.x - target isp router 12.244.x.5 - isp router 12.230.0.205 ( exploitlabs.com ) let us now assume the same target/Visualroute Server is behind a router/switch with port forwarding to the Visualroute Server daemon 192.168.0.2 - target originating system 192.168.0.1 - target router / switch 24.x.200.x - target ip 24.x.240.2 - target isp router 12.244.x.5 - isp router 12.230.0.205 ( exploitlabs.com ) now we can discover the lan topology the traceroure was initiated from, as the origin of the trace is internal to the originating Visualroute Server Local: ------ possibly Remote: ------- yes Vendor Fix: ----------- No fix on 0day Vendor Contact: --------------- Concurrent with this advisory sales@visualware.com Credits: -------- Donnie Werner CTO E2 Labs morning_wood@e2-labs.com http://www.e2-labs.com http://nothackers.org - home of the 0day Security List http://exploitlabs.com - plugging yer holes