VPN Service Providers With Port Forwarding Affected By IP Leak


Posted by: Benjamin Vitáris

December 4, 2015

Perfect Privacy has discovered and published a potential attack vector on VPN service providers’ networks that could be exploited by hackers or law enforcement agencies. “Port Fail”, if used by an attacker, could unmask a VPN user’s real IP address. The vulnerability affects VPN service providers that offer port forwarding and have no protection against this specific attack.

This IP leak affects all VPN users. The victim does not necessarily have to use port forwarding; only the attacker has to set it up.

According to the blog post, they tested this vulnerability with nine different VPN providers, but only 4 of them had the required protection against the attack. The other five have been notified by Perfect Privacy so they can fix the issue ASAP, before someone abuses it. They also state that other VPN service providers could be vulnerable as well, since they could not test all services.

Perfect Privacy listed the requirements for the attack and the steps of the specific IP leak. The following is quoted from their blog:

“The attacker needs to meet the following requirements:

–   Has an active account at the same VPN provider as the victim

–   Knows victim’s VPN exit IP address (can be obtained by various means, e.g. IRC or torrent client or by making the victim visit a website under the attacker’s control)

–   The attacker sets up port forwarding. It makes no difference whether the victim has port forwarding activated or not.”

“The IP leak can then be triggered as follows:

  1. Victim is connected to VPN server 1.2.3.4
  2. Victim’s routing table will look something like this:

0.0.0.0/0 -> 10.0.0.1 (internal vpn gateway ip)

1.2.3.4/32 -> 192.168.0.1 (old default gateway)

  3. Attacker connects to same server 1.2.3.4 (knows victim’s exit through IRC or other means)
  4. Attacker activates Port Forwarding on server 1.2.3.4, example port 12345
  5. Attacker gets the victim to visit 1.2.3.4:12345 (for example via embedding <img src="http://1.2.3.4:12345/x.jpg"> on a website)
  6. This connection will reveal the victim’s real IP to the attacker because of the “1.2.3.4/32 -> 192.168.0.1” vpn route.”

The crucial problem is that a VPN user connecting to his own VPN server will use his default route with his real IP address, since this is required for the VPN connection to work. If another user (the attacker) has port forwarding activated for his account on the same server, he can find out the real IP addresses of all the users on the same VPN server by tricking each user into visiting a link that redirects the traffic to a port under the attacker’s control.

Because of the nature of this attack, all VPN protocols (IPSec, OpenVPN, PPTP, etc.) and all operating systems are affected.

Perfect Privacy also made the following statement, which could help VPN service providers:

“Affected VPN providers should implement one of the following:

  • Have multiple IP addresses, allow incoming connections to ip1, exit connections through ip2-ipx, have portforwardings on ip2-ipx
  • On Client connect set server side firewall rule to block access from Client real ip to portforwardings that are not his own.”
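
The routing behaviour behind the leak and the first mitigation (port forwardings on an IP other than the entry IP) can be checked with a small longest-prefix-match model. This is an added Python example, not code from Perfect Privacy or the original article; the `tunnel`/`direct` labels, the function names and the second address 1.2.3.5 are assumptions made for the illustration.

```python
import ipaddress

# Victim routing table from the article: (prefix, next hop, egress path).
# "tunnel": packet leaves through the VPN and carries the VPN exit IP.
# "direct": packet leaves via the old default gateway and carries the real IP.
VICTIM_ROUTES = [
    ("0.0.0.0/0", "10.0.0.1", "tunnel"),      # internal VPN gateway
    ("1.2.3.4/32", "192.168.0.1", "direct"),  # host route to the VPN server itself
]


def lookup(routes, dest):
    """Longest-prefix match, as an IP stack does: the most specific route wins."""
    addr = ipaddress.ip_address(dest)
    matches = []
    for prefix, next_hop, path in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net.prefixlen, next_hop, path))
    if not matches:
        raise LookupError(f"no route to {dest}")
    return max(matches)  # highest prefix length first in the tuple


def exposes_real_ip(routes, dest):
    """True if a connection to dest bypasses the tunnel."""
    return lookup(routes, dest)[2] == "direct"


def audit_forwarding_ips(routes, forwarding_ips):
    """For each IP hosting port forwardings, report whether a connected
    client would reach it outside the tunnel (and so from its real IP)."""
    return {ip: exposes_real_ip(routes, ip) for ip in forwarding_ips}


if __name__ == "__main__":
    # Forwardings on the entry IP 1.2.3.4: the /32 host route wins, real IP exposed.
    print(audit_forwarding_ips(VICTIM_ROUTES, ["1.2.3.4"]))
    # Forwardings moved to a separate IP (1.2.3.5, constructed): only the
    # default route matches, so the connection stays inside the tunnel.
    print(audit_forwarding_ips(VICTIM_ROUTES, ["1.2.3.5"]))
```

A provider can run the same check over every address that hosts port forwardings: any address that is also a VPN entry address comes back `True`.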

According to Perfect Privacy, all of their users are protected from such attacks.

Updated: 2015-12-04
