Another Method to Block Java Hijinks

Kyle Williams kyle.kwilliams at gmail.com
Tue Apr 10 03:20:35 UTC 2007


On 4/9/07, Ben Wilhelm <zorba-tor at pavlovian.net> wrote:
>
>
>
> Roger Dingledine wrote:
> > Kyle: this would be more useful if it didn't depend on a non-free vm
> > player. Do any of the free software variants of VMWare actually work
> > well enough for this approach?
>
> I've been running Tor clients and servers under VMWare Server for a
> while now. I do my secure browsing inside a dedicated VM, and my
> firewall is set up to block all outgoing traffic from the VM. The VM
> connects directly to my Tor server (on another VM, though that's not as
> important) which itself connects to the outside world. It's not quite
> ideal because in theory that VM could snoop around my LAN and report on
> stuff, but I could disable that with some more work (putting that VM in
> a dead-end virtual network so it can't talk to anything except a Tor
> server), I'm just lazy and don't think that's really likely to be an
> issue.
>
> VMWare Player ought to be possible to set up so that it runs behind a
> DHCP server on whatever is running VMWare. VMWare Server definitely is.
>
> -Ben
>


Ben, you got the right idea.  I use JanusVM with Ubuntu and Backtrack.

In the first version of JanusVM, we only had the bridged network interface.
With the latest release, we have two network interfaces (bridged and
NAT'd).  We changed it for security purposes.

I changed my Ubuntu network connection in VMWare Server from BRIDGED to NAT.
Now with JanusVM and Ubuntu (or Backtrack), I'm using VMWare's NAT'd virtual
NIC to connect from Ubuntu to JanusVM.  In Ubuntu, I just filter out all
network traffic that not going to or from my NAT'd interface netmask.  So if
my LAN is on 192.168.1.X and my NAT'd interface is on 192.168.242.X, then I
just filter out everything that is not from 192.168.242.X.  This keeps me
safe from the following types of attacks, which I haven't talked about or
released until now.  I AM NOT CALLING THIS AN EXPLOIT, it is just a very
simple query (nslookup) that can be used as an attack.

Roger Dingledine wrote:
>James Muir, HD Moore, others: can you give some thought to what attacks
>and vulnerabilities remain even in this model? I guess we can still
>overflow the browser and start looking around for private data on the
>computer, like an Outlook address book. What other issues remain? And
>does this approach introduce any new issues?

Here's your answer Roger:

*** DISCLAIMER ***
The following is just a very, very simple yet effective means to acquire
your REAL EXTERNAL IP address from WITHIN your internal LAN.  This does not
work on every router/DNS server out there, but it works on the two
ActionTec's and one D-Link retail routers I tested.

DEMO URL:   http://janusvm.peertech.org/Flash/internal-dns-leak.html

(yes, I know I just revealed my IP address to the everyone reading this, but
honestly I don't care because [1] I'm making a point and [2] it has already
been rolled to a new IP by the time you read this.)

We (coderman and I) have addressed and solved the issues of side-channel
attacks to reveal your true IP to a server on the Internet.  Now we started
thinking about things that can reveal our true IP INSIDE our LAN.  (HINT:
UPNP would be another place to poke around at to get a real external IP, for
all you Java fans.)  When using VMWare's NAT'd interfaces in the setup I
just described above, you effectively stop this type of attack from working.

ENJOY!!!

~Kyle
;-)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20070409/f2e2ee66/attachment.htm>


More information about the tor-talk mailing list