This Week In Security: TunnelCrack, Mutant, And Not Discord

Up first is a clever attack against VPNs, using some clever DNS and routing tricks. The technique is known as TunnelCrack (PDF), and every VPN tested was vulnerable to one of the two attacks, on at least one supported platform.

The first attack assumes an attacker is on the same network as the victim, and works by manipulating the victim’s routing tables. How? DHCP. We’re used to DHCP giving out local network addresses, but there’s nothing to prevent giving a client a fully routable address. Now here’s the trick: Many VPN clients make an exception for traffic sent to the local network. An attacker just hands out an address and subnet telling the victim machine that the entire Internet is on the local network. The attacker can capture all that traffic, route it correctly, and the VPN user doesn’t know the difference.

The mitigation is to disable local network access while the VPN is connected. Many clients do this, at least on some platforms. It was interesting to see that on iOS every tested app was vulnerable to this data leaking attack, and nearly every one of them on the macOS. It appears that the iOS API for working with VPNs has only recently introduced a control for how to handle local network traffic, leading to the abysmal results.

The second attack moves that attacker out of the local network, and somewhere on the network path, able to capture traffic and mess with DNS. Keep in mind that once a VPN is established, DNS traffic should flow though the VPN, but there is a narrow window to cause grief — when the VPN client does the DNS resolution to find the VPN server IP address. Now keep in mind, that is an attack pattern that VPNs are designed to handle. Any VPN client worth its salt authenticates the VPN server it’s connecting to. The problem is that most VPN clients also have a rule, that traffic sent to the connected VPN server is exempt from being encrypted by the VPN.

The attack is to spoof the VPN DNS to point at the Internet address that will receive the traffic you want to capture. Let’s just say you know my VPN server is at vpns.example.com, and you want to capture my connection to Hackaday. Hackaday uses the IP 192.0.66.96. So you spoof the vpns.example.com DNS request, and tell my VPN client that it should connect to 192.0.66.96. Then, because you are on the network path, you can redirect those VPN packets to the real VPN server. But when I connect to Hackaday on purpose, the destination IP matches the VPN IP, and some clients will just send that traffic outside the VPN.

The twofold solution is to use one of the various secure DNS extensions, like DNSSEC or DoH, and then to write VPN clients that can keep track of which connections are VPN traffic, and which are not. For those wondering, our favorite VPN technology, Wireguard, fared well on the test. On Linux and Android, it got a perfect score, and only the macOS and iOS versions really had a problem, allowing local network traffic to escape the VPN.

Decipher the Mutant, Capture the Flag

[Vikrant] put together a Capture the Flag (CTF) entry for AppSec Village at DEF CON this year. It was based around the Mutant language, which is an attempt at compiling code into an encrypted state, to keep it secure and hard to reverse-engineer. The problem with those obscured-code ideas is that there has to be a way to disentangle that code in order to run it.

The way to solve this challenge was to borrow code from the official Mutant compiler, and build a deobfuscator using the official code. That’s not to say it’s an easy challenge, but it’s not clear that Mutant will do a whole lot to actually improve security. But as a project, it’s a lot of fun, and makes for a great CTF challenge.

The Other Discord

760,000 user records have leaked from Discord.io. That’s a bunch of usernames, email addresses, and password hashes from the Discord.io service, which is completely separate from the Discord web site. Discord.io is a third party service that provides customized Discord invites. And while it’s no fun that this information escaped, at least it wasn’t the Discord user database. That would be just about all of us.

Bits and Bytes

Nmap is great for scanning for machines and open ports. The only down side is… it’s kinda slow. This irritated [Joshua] enough to dig into why — and how to fix it. It turns out nmap is being slow on purpose. There is something to be said for not DOS’ing the scan target after all. If it’s just too slow for your tastes too, it turns out the solution is a tweaked value in service_scan.h and a recompile. Now you know.

Apple has joined the ranks of OS vendors that now include anti-malware scanners in their OS. On macOS, that’s XProtect Remediator (XPR). And if you’ve ever checked up on what XPR is doing on a Mac machine, you may find it a bit odd. Apple has picked some unique names for the malware XPRD is looking for, so you’ll see log messages like FloppyFlipper NoThreatDetected status_code 20. Silly name, but all is well. The other message to know about is BadPluginServiceSignature, which sounds terrible, but just means that the XPR definitions have been updates, and the scanning services are restarting to grab the new definitions.

And if you didn’t make Black Hat this year, you can join in some of the fun a bit late, as the slides from various presentations have been released. Those will have to hold us over for now, though keep an eye on the Black Hat Youtube channel, to eventually get the talk recordings, too. And if you see something in there that we missed, let us know about it!

10 thoughts on “This Week In Security: TunnelCrack, Mutant, And Not Discord

  1. Regarding the discord.io leak: it will be “all” of us, when FOSS project keep on using that platform. It’s a proprietary mess, invented for gamers. I will never understand why hackers use this, as it forces people who want nothing to do with that pile of crap to use it, just to get community support. That practice needs to stop. Many projects have the most interesting information encapsuled in that software stack and do not even bother to make it available on their wikis anymore. I get that maintaining an actual server is a lot for community projects, but keeping a git repo, a wiki an a discord “server” maintained certainly not easier. I’d rather wait for a response on a forum and produce permanent info for others that would ask the same question over and over again in a stupid discord.

    1. I’ve watched forums live and die for 20 years, at a certain point in a forums life cycle the long term inhabitants leave, they’ve shared their knowledge and move on.

      Those who remain get grumpy with the repeated questioning, they want to sit quietly in their library and review the content they already have.

      Inevitably every new thread gets the same response, at first it’s helpful links to the information they seek, eventually it’s a link to the search box, and before long vitriolic responders complaining about the new users lack of care to “help themselves”.

      Continually moving conversation helps solve this problem, it lets new users fluidly shift through the stages of n00b, competent, mentor, master, observer and then on to the next thing. The continual shift of conversation lends itself to ongoing signs of life, meaning the next n00b on the scene will not see a last message date from 3 years ago, assume the project is dead and leave.

        1. Ironically proving the point they made.

          Honestly op’s observation rings very true – otherwise we would be having this conversation on Usenet.

          Of course, there are myriad other reasons why a community centers around – and moves – platforms. Ease of access and use and amenities are big ones. The same way an after work get together might happen at a bar near the office- and why it might move to one that has less noise or better arcade machines.

          Discord isn’t perfect, and it’s 100% frustrating information ends up in a deep-web, but compared to something like a wiki or IRC it’s much easier to split off conversations, gate off advanced discussion channels, and gather / disseminate information quickly.

          1. I am all for modern collaboration tools, the problem is that information needs to be accessible and curated IMHO. Searching for the latest quirks and features of my 3D printing firmwares latest beta in any sort of chat based software, be it IRC, discord or matrix, is a horrible and confusing user experience. On top of that, the proprietary nature of discord and lots of similar software monetizes your data in exchange for your privacy. I agree that forums die easily and toxic people drive newcomers away on any platform. that does not change the fact, that a wiki should be where information is curated and a conversational tool should be used for community support and hanging out, which does not sell your private data and jeopardizes your credentials with corporate single sign on offerings. doesn’t have anything to do with age, either. what we need is an open source alternative to discord, that is easy to host and more community effort to make information more persistant on wikis.

          2. > compared to something like a wiki or IRC it’s much easier to split off conversations, gate off advanced discussion channels, and gather / disseminate information quickly.

            Sure, but any early-2000s forum lets you do this too. Most forum platforms also support chat and direct messaging. PHPbb was (is) great!

  2. The VPN attacks sound really bad for people in countries like Iran, Russia, and China trying to use VPNs to bypass censorship. Is this as bad as it seems (especially if someone is using their VPN connection while on a cell network)?

  3. When I saw “The Other Discord” was I thinking “Hey, I’m gonna learn about a Discord alternative”.
    Then I learnt that there is discord.COM and discord.IO.
    So the discord people do know that it is good to have not every thing at same place.
    Next are regular people to know that it is not good to have every thing at discord.com

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.